VMware pitches secure architecture message

VMware CEO Pat Gelsinger at VMworld 2014.


LAS VEGAS — With security spending continuing to rise, and the number and cost impact of breaches rising even faster, VMware CEO Pat Gelsinger offers a succinct summary of the performance of the IT industry when it comes to security.

“Fundamentally, we, the technology industry, have failed you, the customer,” Gelsinger told 20,000-odd customers and partners assembled here for the company’s VMworld conference. “It’s too hard, it’s too complex, and the threats are growing too quickly.”

Like many in the industry, he bemoaned the huge number of vendors delivering point products in the space, and suggested the industry needs “a new approach.” And like many in the industry, he said VMware has developed that new approach, one that plays to its expertise and heritage in the data centre.

In launching the company’s long-awaited AppDefense offering here, Gelsinger outlined VMware’s role in the security game as a builder of a more secure infrastructure. Under the company’s vision, rather than bolting on a lot of security capability through a number of products, the company advocated offering an architecture that supports security by default.

“We’ve never really used the compute layer as a security layer before. Today, that changes,” Gelsinger said.

Tom Corn, SVP of security products at VMware

Tom Corn, senior vice president of security products, stressed that the company does not see itself as a security company, but rather as an architecture company that offers a more secure architecture.

“But the most significant challenges and innovations in security may not come from security companies, but people on the infrastructure side, because the challenges customers are facing are foundational, architectural challenges,” Corn said.

In essence, AppDefense seeks to define “good” — what a given virtual machine is supposed to do, to what it’s supposed to connect, etc. By understanding what every VM is supposed to do, and collecting a manifest of the services it contains or consumes, the company says it’s able to switch from looking for things that have gone bad in the infrastructure, to ensuring instead that applications are behaving as expected.

“Rather than chasing that needle in a haystack, you get rid of much of the hay and look through the few straws that remain” for would-be attackers, Gelsinger explained.

AppDefense also offers the opportunity to orchestrate responses when VMs aren’t doing what’s expected, ranging from isolating the potentially-infected application to simply diving deeper on what exactly is going wrong to see if it’s just unusual behaviour or actually an indicator of a malicious approach.
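As an added illustration of the “define good, then flag deviations” model described above (example code written for this article, not AppDefense’s own code; the VM name, process list, connection tuples and observed events are all constructed), the following compares observed VM activity against a manifest of expected processes and connections, and maps the kind of deviation to a response tier:

```python
"""Allowlist-style VM behaviour check: constructed example, not AppDefense code."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Connection:
    """One expected outbound connection made by a named process."""
    process: str
    dest_host: str
    dest_port: int


@dataclass
class Manifest:
    """The 'good' state for one VM: processes it runs and connections it makes."""
    vm: str
    processes: Set[str]
    connections: Set[Connection]


@dataclass(frozen=True)
class Observation:
    """One observed event on a VM; dest fields are None for a bare process start."""
    vm: str
    process: str
    dest_host: Optional[str] = None
    dest_port: Optional[int] = None


def find_deviations(manifest: Manifest, observations: List[Observation]) -> List[Tuple[str, Observation]]:
    """Return (kind, observation) pairs for everything not covered by the manifest."""
    deviations = []
    for obs in observations:
        if obs.vm != manifest.vm:
            continue  # events from other VMs are checked against their own manifest
        if obs.process not in manifest.processes:
            deviations.append(("unexpected_process", obs))
            continue  # an unknown process taints any connection it makes anyway
        if obs.dest_host is not None:
            conn = Connection(obs.process, obs.dest_host, obs.dest_port)
            if conn not in manifest.connections:
                deviations.append(("unexpected_connection", obs))
    return deviations


def choose_response(deviations: List[Tuple[str, Observation]]) -> str:
    """Escalate: unknown process -> isolate the VM; unknown connection -> investigate first."""
    kinds = {kind for kind, _ in deviations}
    if "unexpected_process" in kinds:
        return "isolate"
    if "unexpected_connection" in kinds:
        return "investigate"
    return "none"


# Constructed manifest for a hypothetical web tier VM.
WEB_MANIFEST = Manifest(
    vm="web-01",
    processes={"nginx", "php-fpm"},
    connections={Connection("php-fpm", "db-01", 3306)},
)

# Constructed observations: two expected, one unknown connection, one unknown process.
SAMPLE_OBSERVATIONS = [
    Observation("web-01", "nginx"),
    Observation("web-01", "php-fpm", "db-01", 3306),
    Observation("web-01", "php-fpm", "203.0.113.5", 8443),
    Observation("web-01", "curl"),
]


def demo() -> Tuple[List[Tuple[str, Observation]], str]:
    """Run the sample through the checker and return (deviations, response)."""
    devs = find_deviations(WEB_MANIFEST, SAMPLE_OBSERVATIONS)
    return devs, choose_response(devs)


if __name__ == "__main__":
    found, action = demo()
    for kind, obs in found:
        print(f"{kind}: {obs}")
    print("response:", action)
```

Only items in the manifest count as “good”; anything else is surfaced, which is the “get rid of the hay” idea in practice. The response mapping is deliberately simple: the real value comes from how complete and current the manifest is, since a stale manifest produces noise rather than signal.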

The company stresses it’s not a security player per se, but rather the provider of an architecture that’s more secure. As such, it’s working with a number of security players — from Symantec and Carbon Black to IBM Security — to ensure their services can all connect to the data AppDefense collects to co-ordinate defenses.

For the company’s partners, AppDefense and the broader “secure architecture” strategy represent a new point of conversation with customers, said Brandon Sweeney, senior vice president of worldwide partners and alliances at the company.

“It certainly makes partners more relevant in the conversations that matter most to customers,” Sweeney said.

Ross Brown, former channel chief and now heading global partnerships around its emerging products, added that partners don’t need to have a security background to succeed with AppDefense, but that those who do “will be really able to take it and run with it.”

While not every security hole can be plugged by hardening architecture, Gelsinger said that by getting “back to basics,” “every major breach over the last five years would have been dramatically reduced or even eliminated” if companies simply followed the basics of “good cyber-hygiene.”

Such an approach includes:

  • Running applications in “least privileged” mode so they don’t have access to things they don’t need;
  • Micro-segmentation of infrastructure so that if a breach of “outer defenses” occurs, there are still a number of layers before the attacker gets access to the most important things;
  • Encrypting everything so that even if they get through, attackers don’t get usable data;
  • Multi-factor authentication on everything to render phishing attacks much less effective; and
  • Patching everything, and quickly, to further reduce the number of attack surfaces.

The company’s offerings support much of that — offering “least privileged” access to apps through AppDefense as outlined already, addressing micro-segmentation through NSX, supporting encryption of everything from VSAN, and addressing multi-factor authentication and patch management through its AirWatch and other management offerings.

VMware Canada country manager Sean Forkan


On the home front, VMware Canada country manager Sean Forkan said he believes the company has the right relationships with security-focused partners outside of perhaps “one or two very big security-only partners” who previously wouldn’t have been a good fit for VMware.

“Now that there’s a set of capabilities that are out there, it may be time to have those conversations,” he added.

In Canada, he said the company is building up its own security awareness and operations, particularly around the upcoming Digital Privacy Act, which comes into effect this fall. Forkan said he’s turning to the company’s resources working on compliance with the upcoming and sweeping EU-based GDPR legislation, with which the Canadian legislation has significant similarities.

The goal, he said, is to help customers large and small with their own compliance efforts through resources and services — in the company’s new channel-first mindset, that should mean leaning on partners for a lot of help.