VMware is expanding its security range with a new version of its virtualization software that has security integrated into the hypervisor.
“Our flagship VMware vSphere product now has AppDefense built right in,” VMware CEO Pat Gelsinger told the audience at VMworld 2018, which kicked off this week in Las Vegas. “Platinum will enable virtualization teams – you – to give an enormous contribution to the security profile of your enterprise.”
Announced one year ago, AppDefense is VMware’s data-center endpoint-security product, designed to protect applications running in virtualized environments. AppDefense uses machine learning and behavioral analytics to understand how an application is supposed to behave, and it detects threats by monitoring for changes to the application’s intended state.
The new Platinum edition combines vSphere’s native security capabilities with AppDefense. It’s designed to help vSphere administrators deliver more secure applications and infrastructure by enabling VMs to run in a “known good” state. With visibility into VM intent and application behavior, an enterprise can bolster its threat detection and response capabilities.
With AppDefense, “you can see whatever a VM is for – its purpose, its behavior – and tell the system that’s what it’s allowed to do, dramatically reducing the attack surface without impacting operations or performance. The capability is so powerful, so profound, we want you to be able to leverage it everywhere, and that’s why we’re building it directly into vSphere,” Gelsinger said.
“I call it the burger and fries. Nobody leaves the restaurant without fries. Who would possibly run a VM in the future without turning security on? That’s how we want this to work going forward.”
VMware vSphere Platinum Edition is expected to become available by early November.
In the big picture, VMware sees enterprises making a shift from point security tools to security that’s embedded in infrastructure. VMware is aiming its message of intrinsic security at enterprises that are grappling with increasing security threats and greater regulatory pressure to control risks.
VMware offers ‘adaptive micro-segmentation’
Along with unveiling vSphere Platinum, VMware also bolstered its micro-segmentation offering.
Micro-segmentation is a method of creating secure zones in data centers and cloud deployments that allows companies to isolate workloads from one another and secure them individually. The goal is to decrease the network attack surface: Enterprises can create policies that limit network and application flows between workloads to those that are explicitly permitted, reducing the risk of an attacker moving from one compromised workload or application to another.
VMware has been talking about micro-segmentation at the network level for about five years, and it’s a core element of VMware’s NSX networking and security platform. At VMworld, it took micro-segmentation a step further, announcing what it terms “adaptive micro-segmentation.”
Adaptive micro-segmentation brings segmentation up the stack from the network level to include the application layer, tying VMware’s network products – NSX and vRealize Network Insight for operations management – more closely together with AppDefense. Working together, the products can identify the composition and intended behavior of an application, align policy to the application, and lock down the workload and network elements of the application. As an application changes throughout its lifecycle, the combined technologies can automatically rework compute and network security policy to address application component changes.
“As powerful as micro-segmentation has been as an idea, we’re taking the next step with what we call adaptive micro-segmentation,” Gelsinger said. “We are fusing together AppDefense and vSphere with NSX to allow us to align the policies of the application through vSphere and the network. We can then lock down the network and compute, and enable this automation of the microsegment formation. Taken together: adaptive micro-segmentation.”