How VMware’s change in direction has put ARM on a new approach to security
Summary:
Chip technology developer ARM is getting to grips with the benefits coming from VMware's decision to use AppDefense and NSX together.
ARM has a track record running VMware’s vSphere managed server virtualisation tools and its NSX network virtualisation tools. Colomina had been using them together to help make the IT service more responsive to business needs, improving its speed of delivery while still keeping security in mind. Colomina said:
We try to provide new services to the business. And being IT, we need to find ways to automatically provide safe services.
Most of the current work has been targeted at getting the basics of delivering good IT services right. The goal is to make IT operations more agile and increase their speed of delivery to end users. He is also aware that some of those end users – the technologists and designers who have created the technology at the heart of most of the best-selling smartphones and tablets now available around the world – have a big vested interest in ensuring both the availability of compute resources when they need them, and the security of the data they are working with.
He acknowledged that he is not at some aspects of that application yet, though he certainly sees the business case for its use in that role. But his initial target is improving business management in that he can free up his team from the need to manage much of what he refers to as ‘the boring stuff’ and look at the engine behind it, which is vRealize, and how it can be used to help automate services for the users within ARM. The key targets have been the pain-points that have existed both for the end users and the IT team itself.
One of the classic pain-points, particularly for end users, is the time it has taken for IT to set up a new virtual machine. According to Colomina, the SLA for this was five days, which in a fast-moving business like ARM can be a significant restraint on its ability to react to problems or new development requirements:
VMs needed to be created manually, but now we can do the job in five seconds, and the end user can do it for themselves without involving any IT guys.
And now for something completely different
The next goals for NSX exploitation included greater use of micro-segmentation and the reduction of the company’s attack surface so that the company has better protection against malicious attack. Then came the announcement that NSX would work with the new AppDefense tool, and a selection of anti-virus and malware defence tools, to focus on building security environments based on the application of security best practices. Colomina explained:
That is what I like about the way NSX is changing. VMware is changing the way that we can protect our environment, in that we don’t have to spend time chasing the bad, instead we identify what the good is and we keep it safe. And as soon as something occurs that is different from that we can make a response.
He feels this is the way to go in building better security, particularly when using cloud services, as the nature of cloud means a security breach is almost inevitable, regardless of the number of different security tools that are being used as a defence. The key process therefore is to ensure that best practices in both operations and security management are not only core policy for the business but also rigorously applied:
Traditionally the firewall is the first line of defence against an attack, and then the anti-virus running on the server is the last line of defence, but what I like about NSX is that you have more security around your LAN and everything that is behind the firewall, not because your firewall may be breached, but because it is another job for the hacker to break into NSX. I like how it rethinks the way that security is done, and the way that VMware has taken what it has done with NSX on the network side and has brought it to the application side.
Colomina admitted that he wasn’t aware that this development was going to be available from VMware until the company made the announcement at the recent VMworld conference in Barcelona, and indicated he is looking forward to finding out just how AppDefense and NSX work together to reduce the company’s surface of attack. As he put it, this is not a matter of ‘if’, it is a matter of ‘when’, for companies like ARM are now being hit by attempted attacks every 40 seconds.
Surprise surprise
The announcement by VMware came as something of a surprise to Colomina, to the point that he is having to rethink some of his security planning. For example, he now sees a new job appearing on his work schedule, which is defining what testing the company needs to undertake to see how best to exploit the AppDefense/NSX combination.
His first step will be to see how AppDefense works, in a sandbox environment, under attack conditions. In particular he is keen to see how it deals with the new and unknown threats that are always appearing, for he sees testing it against known threats as simply lagging behind the threat curve.
Is ARM subject to a particular type of threat – not just the attempts at getting at the money, or gaining access to personal details of staff, but attempts to access its industrial and technological secrets? There, of course, lie the crown jewels for a company like ARM, as Colomina noted:
Yes, we have to secure our intellectual property. This is already done in the hardware layer, but then there is the network layer and the operations layer, and you can see how things can work together there. It is about putting the dots together. We do chip security, but VMware does network and applications security, so it is one thing on top of the other.
The VMware change of direction is also likely to bring benefits for ARM’s IT operations, not least because it is running applications and services both on premise and in the cloud, though the former was offering greater functional richness than is available with cloud services. The announcement that NSX will now be available to run on AWS has Colomina hopeful that at last the same on-prem functionality will be available in the cloud, something that he definitely plans to test out.
He also sees the growing spread of cloud hosting options for VMware giving ARM more flexibility in the choice of service provider, even opening up the possibility of using different service providers for different types of application or service. In practice, however, the two main cloud service providers he sees the company using are AWS and Microsoft Azure. For now at least, only some elements of the VMware product suite are available for use with Azure, so he will be looking to VMware to improve this aspect.
My take
An interesting tale of how a major shift in direction by a vendor can impact the plans and policies of a current user, and how that user is setting about accepting the challenge and grasping the nettle as ideas form about where benefits may lie.