CIO

Security: Architecture vs Sprawl

VMware CEO Pat Gelsinger says we live in a “state of compromise” where what the business sees as critical is different to what CISOs see as important. When CEOs were asked what most needed to be protected from attacks, they answered reputation. CIOs and CISOs, on the other hand, pointed to regulated data as the most important thing to protect.

Similarly, when the two groups were asked what the business priorities were, the CEO focussed on growth whereas the CISO had their eyes on protection – something that barely made the CEO’s list of priorities.

Because of these differences, security is often an afterthought in many organisations even though budgets for cyber protection continue to grow. There has been investment in many different tools in an attempt to secure the ever-burgeoning proliferation of platforms and devices modern enterprises have acquired.

As a result, Gelsinger says we lack a true architecture for security. While everyone has policies, there’s an inability to align those policies with all of the different tools and options that are available to manage security.

Not surprisingly, as the head of VMware, he says we should be using “a ubiquitous layer of virtualisation” to secure rather than asking how to secure virtualisation. He sees virtualisation as a way of providing the glue between applications and security tools.

By using virtualisation to segment applications, it’s possible to create an architecture that supports better security.

It would support least privilege; detection, through the virtualisation layer being able to “understand” the context of an application’s activity; and automation of how a virtual machine is created, deployed and closed.

Distributed Network Encryption (DNE) is a new VMware technology, announced at RSA Conference 2016 by Gelsinger during a keynote address. This new system allows operators to choose a network segment through a GUI and then encrypt all traffic between all devices on that segment. This includes hashing data at both ends of a transaction.

In addition, DNE takes advantage of the on-chip encryption added in new Intel processors, called AES-NI – a technology Gelsinger was involved in developing when he worked at Intel. This way, the encryption doesn’t significantly impact the performance of any one system, as it’s offloaded to the on-chip encryption capacity of the CPUs of multiple hosts.

During a scripted live demonstration, Gelsinger and his team showed how this works with a “before and after” scenario. This started with a “hacker” intercepting banking credentials and altering data within a banking database so that the perpetrator’s mortgage was magically cleared.

Then, a network administrator used DNE to encrypt the vulnerable network segment with just a few mouse clicks.

The same process was then repeated, but the hacker’s access to the systems was blocked, as the connections they had been using previously were now encrypted.

Granted, this was a scripted demonstration but the functionality looked very powerful.
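As an added illustration, not VMware’s code and not how DNE itself is implemented (the keynote did not go into that), this Go program shows what encrypting a transaction and checking its integrity at the receiving end buys the defender in the scenario above: a record altered in transit is rejected instead of reaching the database. It uses Go’s standard-library AES-256-GCM, which runs on AES-NI where the CPU has it; the key and record values are constructed for the demo.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds AES-256-GCM; on x86 CPUs with AES-NI, crypto/aes uses the hardware instructions.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record; the GCM tag is the integrity check ("hashing at both ends").
func Seal(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil // nonce sent in clear ahead of ciphertext+tag
}

// Open verifies the tag first, so an altered field is rejected rather than written to the database.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil)
}

// TamperDetected flips one bit in a sealed record and reports whether Open rejects it (it must).
func TamperDetected(key, sealed []byte) bool {
	altered := append([]byte(nil), sealed...)
	altered[len(altered)/2] ^= 0x01 // constructed in-transit modification of the ciphertext body
	_, err := Open(key, altered)
	return err != nil
}
```

The key here stands in for one distributed by the management plane; per-segment key distribution and rotation are the part of a DNE-style system this snippet does not cover.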

As well as working within a network, attendees of the keynote saw the same encryption applied to machines hosted on Amazon Web Services connected to the encrypted network segment. And it wasn’t only traffic that was protected – storage could be added to a network segment that was protected by DNE.

It seems logical that virtualisation will be deployed extensively in order to manage the proliferation of devices and platforms that is plaguing the security industry. Certainly, during RSA Conference 2016, this has been a recurring theme as many speakers have noted the need to simplify the technology stack.

Too many security solutions have been deployed, each addressing a specific point of vulnerability. What Gelsinger and his team showed was the potential to simplify the deployment of an enterprise-wide encryption system with a virtualisation layer that forms a connective fabric between infrastructure and security tools.