Security and vulnerability management are a growing concern for enterprises. The more organizations move to virtualized and cloud environments, the more likely they are to become the target of attacks. Looking at the modern data center and network infrastructure from a security point of view has therefore become essential.
These days, there is a good chance security is top of mind for your customers. From the Target breach, to the Snowden/NSA revelations, to the Heartbleed bug and other more recent events, vulnerability issues and other threats have elevated IT security to the highest levels of public and private sector organizations. Our industry is beginning to come to grips with the fact that the only thing outpacing security spending is the increasing losses due to security threats. However, with advances in network virtualization technology such as VMware NSX, resellers now have an opportunity to fundamentally change how their customers approach security in their data centers through network micro-segmentation. At a high level, micro-segmentation is the provisioning of finely granular network security policies, all the way down to the virtual machine and even to the virtual network interface. Micro-segmentation and data center security are such top-of-mind topics today that security has been a real driver for NSX sales.
Customers’ data centers, almost universally, have strong protection at the edge. Advanced perimeter firewalls control the flow of traffic into application servers. Yet, despite the investment in perimeter protection including firewalls, intrusion prevention systems, and network-based malware protection, new forms of advanced persistent threats are driving more breaches. Why? Because modern attacks exploit the perimeter-centric defense strategies employed in most data centers: they hitch a ride with authorized users, then move laterally within the data center between workloads with little or no controls to block propagation. To address these increasing east-west traffic patterns, and to contain threats that do make it past perimeter defenses, a new model of data center security is needed, one that acknowledges that those threats could be anywhere and are often everywhere. Forrester Research calls this a “Zero Trust” approach to security.
Micro-segmentation is the key to a Zero Trust model. Micro-segmentation limits unauthorized lateral movement, but hasn’t been feasible for IT to implement. Using traditional firewalls to achieve micro-segmentation negatively impacts throughput capacity and creates operational and change management burdens. The capacity issue can be overcome at a significant financial cost in physical or virtual firewalls. However, the operational burden increases as the number of workloads grows, and the placement of workloads changes dynamically.
VMware NSX For Micro-Segmentation
With VMware NSX, your customers now have an economically and operationally feasible way to deploy micro-segmentation to transform their data center security architecture. NSX provides the networking and security foundation for a software-defined data center, and running NSX allows IT administrators to create multiple, parallel virtual networks that are fully isolated from one another. This virtual air-gap prevents security threats from spreading in a data center.
VMware NSX offers several advantages over traditional network security approaches, including automated provisioning, automated move/add/change for workloads, distributed policy enforcement at every virtual interface and in-kernel, scale-out firewalling distributed to every hypervisor and baked into the platform. Micro-segmentation provides the ability to secure traffic flows within a data center with micro-granularity, even down to the level of the virtual network interface. This makes it possible to have firewall controls for each virtual machine, everywhere in the data center, and when a virtual machine moves, its security moves with it.
With NSX network virtualization, administrators can segment their systems to control the flow of traffic, based on security policies. Since modern data centers require agility (spinning up, moving, retiring workloads), NSX firewall policies are fully distributed and enforced at the virtualization infrastructure throughout the data center, with fully centralized automation and control. When a Virtual Machine (VM) is created, NSX automatically creates security policies tailored for this VM. When the VM moves, the security policies move with it, and when the VM retires, the security policies also retire, putting an end to a centralized chokepoint with scores of stale firewall policies.
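The lifecycle behaviour described above, as a constructed Python model added to this page (it is not NSX code and does not use the NSX API): rules match on workload tags rather than on IP address or host, so a VM's policy survives a migration and disappears when the VM is retired, and any east-west flow not explicitly allowed is denied. The `VM`, `Rule` and `DistributedFirewall` names, the three-tier tags and the addresses are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    tags: frozenset   # security tags = workload identity (assumed, not an NSX type)
    host: str
    ip: str

@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    port: int

class DistributedFirewall:
    """One logical policy set, enforced at every VM's virtual interface."""
    def __init__(self, rules):
        self.rules = frozenset(rules)
        self.vms = {}          # name -> VM; each entry models a per-vNIC enforcement point
    def create_vm(self, vm):   # enforcement point comes into existence with the VM
        self.vms[vm.name] = vm
    def migrate(self, name, host, ip):  # location changes; tags (identity) do not
        self.vms[name].host, self.vms[name].ip = host, ip
    def retire(self, name):    # the VM's policy goes with it: no stale rule left behind
        del self.vms[name]
    def allowed(self, src, dst, port):
        s, d = self.vms.get(src), self.vms.get(dst)
        if s is None or d is None:
            return False       # unknown or retired workload: default deny
        return any(r.src_tag in s.tags and r.dst_tag in d.tags and r.port == port
                   for r in self.rules)

def demo():
    """Constructed three-tier scenario; returns the decision at each lifecycle step."""
    fw = DistributedFirewall([Rule("web", "app", 8080), Rule("app", "db", 3306)])
    for vm in (VM("web1", frozenset({"web"}), "esx-a", "10.0.1.10"),
               VM("app1", frozenset({"app"}), "esx-a", "10.0.2.10"),
               VM("db1", frozenset({"db"}), "esx-b", "10.0.3.10")):
        fw.create_vm(vm)
    out = {"web_to_app": fw.allowed("web1", "app1", 8080),
           "web_to_db": fw.allowed("web1", "db1", 3306),     # lateral hop: denied
           "app_to_web": fw.allowed("app1", "web1", 8080)}   # reverse direction: denied
    fw.migrate("app1", "esx-c", "10.0.9.77")                 # vMotion-style move
    out["after_move"] = fw.allowed("web1", "app1", 8080)    # policy followed the VM
    fw.retire("app1")
    out["after_retire"] = fw.allowed("web1", "app1", 8080)  # no stale allow remains
    return out
```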
Selling Network Virtualization for Security
IT leaders will first look to you, their expert resellers, to lead them on the path towards adopting a software-defined data center (SDDC). The first step on this path is network virtualization, which makes the SDDC possible. The issue of security in the data center is not one that is taken lightly. The urgency of better data center security with micro-segmentation is a natural lead-in to a conversation around SDDC.
With NSX’s ability to bring together the best security solutions in the industry, there is also an opportunity to help your customers integrate their existing infrastructure to provide the best security architecture to protect their data center assets and application infrastructure.