VMware Plots a Course for the Future of Security

At the RSA Conference, VMware Senior VP Tom Corn offered his take on the future of security in an evolving world and the role virtualization will play.

VMware security

VMware is positioning itself at the center of enterprise security controls as the modern security landscape continues to evolve and the benefits of virtualization continue to extend far beyond basic server consolidation.

Tom Corn, senior vice president of security products at VMware, discussed his views of security's future in a session at the RSA Conference in San Francisco.

In an interview with eWEEK, Corn offered his take on how the history of warfare and defensive alignment maps to the evolution of IT security.

Modern cyber-security is often talked about as a cyber-arms race, with a pattern where attackers invest in new techniques and then defenders invest in new techniques and tools to prevent attacks, Corn said. In addition to the arms race, there is also what he refers to as the alignment cycle.

"With the alignment cycle, organizations go through a period where it is extremely difficult to align defenses properly against the assets that need to be protected," Corn said. "When that happens, security costs go up and effectiveness goes down."

In the history of warfare, when communities began to form and were being attacked, those communities learned to build walls to defend themselves, Corn noted. With the wall defense, a community could align all its defenses around that point of reference. During the escalation phase, attackers figured out how to build and deploy catapults that could hurl projectiles over a community's walls. The environment evolved, and simply aligning defenses around a wall wasn't enough, Corn said.

In modern warfare, the challenge that has evolved is the issue of insurgencies where it's not always possible to know who the attacker is. Recent examples are the Vietnam War and the conflicts in Afghanistan and Iraq, Corn said.

"You have a symmetric defender going against a totally asymmetric attacker, where you have to figure out how to align against them," Corn said.

Corn emphasized that the whole premise of his talk at RSA is that modern cyber-security looks much like the conflict in Afghanistan, where attackers aren't always known and aligning defenses is not as easy as simply putting up a wall.

"Over the last several years, the security spend has become a growing part of IT spending," Corn said. "Losses have been growing at a fast rate, as well."

Many organizations are getting diminishing returns from their IT security spending, and there is a clear misalignment for a number of reasons, Corn said. For one, he noted that in the beginning of the modern computing era, applications were typically delivered in a single stack, with application, database and storage components all located in a single place. As such, defenders were able to put all their defenses in a single place to align against attacks.

"We have moved into a world of multi-tiered and composed services that are comingled on infrastructure," Corn said. "The infrastructure has also become abstracted."

Attackers are taking advantage of the situation, with the ability to laterally move within an environment. For example, if an application server is exploited, the attacker could gain access to other application servers since they're all comingled on the same segment, Corn said.

The challenge extends to modern firewalls, which have become increasingly complex and distributed as traffic of many different types of applications needs to be inspected. Many organizations have a distributed policy problem for firewall controls, Corn explained. "If traffic is hitting multiple firewalls in a data center, then the only way to figure out the actual security policy is to combine all the policies from all the firewalls," Corn said.

Virtualization can be a real benefit to help an organization align security controls, Corn said, adding that one approach in which virtualization can be a benefit is the emerging trend of micro-segmentation.

"Micro-segmentation is about using virtualization as a means to create a virtual data center where all the machines that enable a multi-tiered service can be connected together within a virtual network," Corn said. "Now you have a construct that allows you to align your controls with what you want to protect."

The idea of using virtualization as a control point for security is one that VMware Fellow Martin Casado described in 2014 as the "Goldilocks Zone."

The Goldilocks Zone was about having the right place in an environment to place security controls, Corn said.

"Virtualization may be the Goldilocks Zone—that is, the best place to put security controls," Corn said. "Virtualization helps to align security controls and infrastructure to protect data and applications."

While Corn works for VMware, which is a virtualization vendor, he noted that it's also possible to make use of virtualization to help secure non-virtualized, non-VMware infrastructure, as well. With network virtualization, an organization doesn't actually have to replace its existing physical network, and for organizations that have non-virtualized applications, it's possible to include multiple non-virtualized assets inside a virtualization micro-segment for security policy control, Corn said.

The promise of virtualization for micro-segmentation is to align an organization's technology assets to provide greater security and also reduce the risk when a security breach does occur.

"With micro-segmentation, it makes it very difficult for an attacker to go from the initial point of entry to the high-value assets," Corn said. "What we can't have is that if someone breaks in and has one key, that one key should not be the key to the kingdom; we need to compartmentalize the network such that a breach of one system is not a breach of everything you have."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.