VMware CTO: Why virtualizing the enterprise network makes it more secure

Ray O'Farrell
Image courtesy of VMware.

The cloud has rendered traditional enterprise network security paradigms obsolete, but many enterprises haven’t upgraded their security postures to keep up. Ray O’Farrell, EVP and CTO at VMware, explains why the solution is leveraging network virtualization to design security into the infrastructure itself.

Lately, VMWare has been talking up the need for ‘intrinsic’ data security – how is that different from the mature enterprise security paradigms already in place?

Most of our customers are enterprises, and over the last few years we found that their security paradigm was built on a now out-of-date reality in many ways. That security paradigm was built on the fact that I have a database with some critical information in it; I have a bunch of servers talking to that database; they are serving a bunch of clients; and those clients are sitting in offices on laptops or computers somewhere in my infrastructure. So, much of my security is making sure that nobody should be getting at that data unless they have permission to do that through that stack.

But when you look at that stack, it’s a pretty simple stack. I know the storage area, I know the servers, I know the building, and I use firewall rules and various other things to protect that.

The reality doesn’t look like that anymore. That database is now infrastructure distributed across the public cloud and a private cloud, maybe multiple clouds. You’re pulling in data from all these different places. Those servers, rather than just handling this particular serving of data, they’re also doing AI, they’re doing hardcore inference on that, which itself is now becoming something to be secured. So they’re generating a lot of data, as well as just being the server hosting data.

And the client at the other end is not 100 people in your high rise – it’s a million people on mobile devices.

And maybe even more concerning from a security point of view is 10 million IoT devices of some sort, which are distributed all over the place, moving around all the time. So you’ve got this challenge of scale, you’ve got this challenge of a dynamic landscape – stuff that’s physically moving, and you’ve got somebody like VMware moving the workload itself for power reasons or disaster recovery or something.

We believe that the cybersecurity needs to be built into the infrastructure itself. Instead of looking at a product to protect my network or my client or my mobile device – yes, you are going to need those, but they need to be able to interact and play with the infrastructure itself, because in some ways, it is only the infrastructure that has the overall view of what is going on.

And to make a biased VMware comment on that, we believe that virtualization is very key to strengthening that, because if you look at compute virtualization, it’s a sweet spot – it’s able to look down at what’s going on in the physical infrastructure because we just virtualized it, and it’s able to look up what’s going on in the operations from the application point of view.

That said, some people worry that virtualization itself introduces new security vectors that you didn’t have to worry about when it was all primarily on-prem hardware and a simple stack. Is that a valid concern?

Virtualization and cloud infrastructure have proven to be extremely secure. I’m not gonna say nobody ever compromised something somewhere, but the reason why it has proven to be so secure is because isolation has been one of the most critical things that was focused on. So if you’re going to a cloud provider leveraging virtualization, at the top of your mind you want to make sure that your app is isolated from everything else from a performance point of view. So that provider is putting enormous focus on that one problem.

The other aspect of that is that everything in this chain is software. On the one hand, you might say, oh, well, software can be compromised. But on the other hand, software is very quick to react.

If you look at some of the compromises that were made in IoT devices, going back to WannaCry, a significant component of those compromises was that you had a bunch of out-of-date-hardware.

If all of that infrastructure was software driven, you would have a much quicker ability to be able to keep stuff up to date and react to that.

And to your point about designing security into the infrastructure, a lot of those devices really weren’t designed for security in the first place, right?

Correct. They were designed to solve a particular IoT problem. And that’s why I think the infrastructure itself needs to be able to say, ‘I have something connected to me that which was not designed with security in mind – now how am I going to deal with this?’

We’re strong advocates of software defined networking, and probably one of the earliest things we’ve done in this SDN space is micro segmentation – the ability to segment my network in ways which are independent of the physical infrastructure. And that segmentation means I am now able to isolate components and understand that App A talks to App B, and then I’m able to understand why it suddenly started talking to something else. And that gives me security strength.

Going back to my earlier comment about how everything is highly dynamic, I need a security system which is able to take a dynamic stance and react dynamically to what’s going on in that system. So for instance, because of a security compromise or a security concern of mine, I might choose dynamically to switch into a mode that says, I’m only going to allow the most critical applications to communicate with my IoT device, as opposed to the people who are using it for gaming or something. And it’s dynamic, so I’m able to make those decisions – I’ve got that flexibility.

That’s an example based on micro segmentation. But we think the whole thing has to fit to much more of the infrastructure, this sense of being intrinsic to the infrastructure itself.

What about cases where the enterprise structure has been around for a long time and has a lot of legacy gear – how do you retrofit that infrastructure to have more intrinsic security?

That’s something that actually we’re fairly used to – we know how to migrate traditional applications into virtualized infrastructure. That’s what we’ve been doing for 20 years. I’m not saying rewrite the application, and I’m not saying you should change your operating system. What I’m saying is, apply a virtualization layer beneath this or in some cases above this. Also, if you look at a country like Australia, they’ve already taken a vast majority of those traditional applications and virtualized them in some ways.

So the fact that the infrastructure is now virtualized enables you to implement that intrinsic security design?

Exactly. And I don’t want to oversimplify that statement, because more and more, that same infrastructure might be a blend of on-prem infrastructure and public cloud infrastructure. So in some cases, you need to bridge that software defined networking into the public cloud.