Given the market success and flexibility of the vSAN and NSX solutions, VMware enables partners to provide additional capabilities – like security. One key observation from the recent VMworld 2018 conference, is that Security-in-Depth needs to become the de facto approach for security. Continue reading this article to learn more about the Security-in-Depth model and why it is becoming the best practice.
VMworld 2018 started off with a lot of fanfare. VMware CEO Pat Gelsinger kicked the conference off with some mind-boggling statistics: With more than 7,500 customers, VMware NSX has achieved a substantial market leadership position in the software-defined network category – ten times larger than its closest customer.
Additionally, VMware’s vSAN software, which is a licensable option to the vSphere Hypervisor, has been deployed more than 1,700 times and is currently adding more than 100 new customers per quarter. vSAN is dominating the Global Hyper-Converged Infrastructure (HCI) market due to its ease of deployment.
This level of market dominance results in higher customer expectations, especially in their perception that vendors have more responsibility when it comes to security. To meet these expectations, it is critical that customers have the ability to easily and properly secure the data handled by these types of solutions. Fortunately, VMware allows partners to develop products that can be integrated and provide the required capabilities, including security. Given the flexible nature of these software-defined solutions, the cyber-security risks are higher, which means there is much to do to help secure the data handled by Software-Defined Networks and Hyper-Converged Infrastructure.
Security-in-Depth is a concept that requires multiple levels of security to be applied, matched to the sensitivity of the applications and data being protected. It is embraced as a best practice.
Implementing Security-in-Depth techniques is the proper and best approach when it comes to complete security since it can provide the ability to protect one form of application or data differently from another. For example, Security-in-Depth would manage access to applications that create marketing content much differently than the way it would with applications that facilitate financial transactions. It also would allow the data these applications access to be separately encrypted, often at multiple levels. If done properly, the server holding human resources records may have one level of access and encryption – and add additional access and encryption protection to each employee’s PII and PHI data files.
As discussed above, Security-in-Depth requires adding different levels of secure access to certain applications or VMs, as well as protecting the data with different forms of encryption. This means that we need to apply a unique encryption key to protect one form of data and a second to protect another, and so on. Depending upon the organizational environment, there are likely many servers and storage devices housing a great number of applications and data in many locations. Thus, performing Security-in-Depth can require the generation of thousands of keys in a very short period of time – possibly seconds.
Storage drives are particularly vulnerable
To an end user, the notion of Security-in-Depth is not only a logical approach but an expected one considering the criticality of their PII/PHI data. So what's the concern? Walking around the exhibit floor of VMworld, we noticed that the vast majority of storage vendors, as well as vendors performing backup data protection, had no such concepts built into their products or offerings.
In fact, they were (alarmingly) confusing physical security with cyber-security. How so? Their definition of security was to encrypt all drives, system-wide, with one key. This approach would protect against the scenario where disks are stolen and installed into a similar machine. However, this does nothing to stop a cyber-criminal or insider from gaining access to running systems within an organization. Once inside the network, the bad actor would have access to all drives.
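The two points above (one unique key per class of data, generated at scale, versus a single system-wide disk key) can be made concrete with a small key-hierarchy demonstration. The following is an added example written for this article, not code from CSPi, VMware or any storage vendor. It assumes a root key per data class (the class names "marketing", "finance" and "hr-pii", the root keys and the record contents are all constructed for the demo), derives a distinct per-object key with HKDF-SHA256 (RFC 5869) using only the Python standard library, and then measures what an attacker who obtains one class's root key can read. The keystream (HMAC-SHA256 in counter mode) is there only to show keyed separation; a production system would use an authenticated cipher such as AES-GCM.

```python
"""Per-data-class key hierarchy versus a single system-wide key.

Constructed illustration of Security-in-Depth key management; not vendor code.
"""
import hashlib
import hmac
import os
import time

HASH = hashlib.sha256
HASH_LEN = 32
NONCE_LEN = 16

# Constructed demo root keys, one per data class (a real deployment would pull
# these from an HSM or key manager, never derive them from fixed strings).
DEMO_ROOT_KEYS = {
    "marketing": hashlib.sha256(b"demo root: marketing").digest(),
    "finance": hashlib.sha256(b"demo root: finance").digest(),
    "hr-pii": hashlib.sha256(b"demo root: hr-pii").digest(),
}
# The "encrypt every drive with one key" model from the text, for comparison.
SINGLE_SYSTEM_KEY = hashlib.sha256(b"demo root: whole system").digest()


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_data_key(class_root_key: bytes, object_id: str) -> bytes:
    """One unique 256-bit key per object, bound to its class root and its id."""
    prk = hkdf_extract(b"security-in-depth-demo", class_root_key)
    return hkdf_expand(prk, b"data-key:" + object_id.encode(), HASH_LEN)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce | counter) blocks (illustration only)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), HASH).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_object(class_root_key: bytes, object_id: str, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(derive_data_key(class_root_key, object_id), nonce, plaintext)


def decrypt_object(class_root_key: bytes, object_id: str, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return keystream_xor(derive_data_key(class_root_key, object_id), nonce, body)


def generate_keys(class_root_key: bytes, count: int):
    """Derive `count` object keys; returns (number of distinct keys, seconds)."""
    start = time.perf_counter()
    keys = {derive_data_key(class_root_key, f"object-{i}") for i in range(count)}
    return len(keys), time.perf_counter() - start


def compromise_scope(root_keys: dict, leaked_class: str) -> dict:
    """Encrypt one record per class, then read every record using only the
    leaked class's root key. Returns {class: True if recovered correctly}."""
    records = {
        name: (f"{name}-record-001", f"confidential {name} payload".encode())
        for name in root_keys
    }
    blobs = {name: encrypt_object(root_keys[name], oid, pt) for name, (oid, pt) in records.items()}
    leaked = root_keys[leaked_class]
    return {
        name: decrypt_object(leaked, records[name][0], blobs[name]) == records[name][1]
        for name in root_keys
    }


if __name__ == "__main__":
    n, secs = generate_keys(DEMO_ROOT_KEYS["hr-pii"], 5000)
    print(f"{n} distinct per-object keys derived in {secs:.3f}s")
    print("per-class keys, marketing root leaked:", compromise_scope(DEMO_ROOT_KEYS, "marketing"))
    one_key = {name: SINGLE_SYSTEM_KEY for name in DEMO_ROOT_KEYS}
    print("single system key, marketing root leaked:", compromise_scope(one_key, "marketing"))
```

With per-class roots, leaking the marketing key recovers only the marketing record; with one system-wide key, the same leak exposes every class, which is the gap the paragraph above describes. Deriving keys rather than storing them is also what makes "thousands of keys in seconds" practical: only the class roots need protected storage.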
The massive data breaches we keep experiencing can be stopped by proper Security-in-Depth. And now we can see why this is not typically happening. We in the industry are quick to point out that the organizations that lose our data should do a better job of protecting our information. Sounds reasonable, but if the products used don’t provide the ability to do this, it is as much the vendor’s fault as the companies that buy these products.
Fortunately, the VMware product teams understand this issue and are willing to work with companies like CSPi and other vendors who offer simple to deploy Security-in-Depth solutions to protect their customers’ applications and critical data.
For more information about CSPi and our security solutions, please visit our security solutions web page now or contact us below.