At VMworld, VMware SVP of Security Tom Corn described the hypervisor and virtual network environment of a virtual infrastructure platform as the “Goldilocks Zone” for application security in the software-defined data center. He was right. And with an innocuous and kid-friendly soundbite – “the Goldilocks Zone” – VMware served notice on the data center security industry that it fully intends to be the vendor of choice for ensuring the security of (private) cloud-hosted applications.
This move ought not to surprise us. Back in 2007 VMware opened up APIs for third-party security vendors, inviting them to take advantage of the hypervisor to secure workloads. But an ecosystem failed to emerge – in my view because neither VMware nor the vendors really knew how to take advantage of hypervisor-based introspection, and because virtual switching was still very immature.
Fast forward 7 years to an enterprise virtual infrastructure that is dominated by VMware, and an urgent need for cloud security solutions. VMware is firmly in control of the “Three Theres” that are required for precise control of workload security:
- Execution context: The typical VM contains a single application. A relatively straightforward understanding of that application's behavior, coupled with an ability to introspect the VM during execution, offers an opportunity to better secure its execution.
- Storage context: The hypervisor owns the storage of each VM. Historically this has been block storage (a VMDK), but increasingly (for example with their CloudVolumes acquisition) layered storage for a guest, comprising multiple VMDKs (and their file systems) mounted dynamically, gives the hypervisor an ability to differentiate and control storage access (for example, writes to a CloudVolumes app VMDK could be prevented or made copy-on-write). As it moves up-stack, the hypervisor has an opportunity to introspect and understand file/volume semantics – think, for example, about the ability to separate the user data and settings in a VDI VM.
- Network context: The vSwitch has an ability to control and inspect traffic into a VM in a granular fashion. VMware calls these application-centric network controls “micro-services”. Each application can have unique network security controls applied to it, enhancing the security not only of that workload but of the private cloud in aggregate. Moreover, because of its proximity to the locus of execution, the vSwitch can inspect traffic in ways that are inaccessible to other vendors in the data center ecosystem.
There would be no “Goldilocks” story without the three bears and the concept of “just right”. Similarly, there can be no cloud security story without the Goldilocks Zone – a place where execution can be inspected and controlled from each of the three “theres”: execution, storage and networking. Being in full control of all of them is “just right” for delivery of a new generation of cloud security services. It is interesting to note that the addition (via nesting – see part 2) of micro-virtualization on a traditional hypervisor like ESX provides even more granular isolation and control for each VM, and therefore even more granular control of security.
The “Goldilocks Zone” of security is a unique opportunity for VMware to be the vendor of choice to secure virtualized workloads in the increasingly software-defined data center. None of the other hypervisor vendors is even close in terms of articulating as bold a vision in micro-services, granular storage control and execution control – and hence security. This differentiation is a key strength of VMware’s, and at the same time it points to the end of the road for every traditional data center security vendor. We all know that AV is dead. We know that a hypervisor is a better place to ensure execution whitelists are enforced, rather than in-kernel. We now also need to realize that network security appliances will be on the block, together with traditional switching/routing gear.
Part 2 of this post will describe micro-virtualization, micro-services for micro-VMs and micro-VM introspection in more detail. The similarities are startling. The conclusion even more so: virtualization alone (SDDC and PC) has a unique and profound ability to deliver a paradigm shift in enterprise security, securing the enterprise by design.