Introduction
As a vCloud Air Network service provider running your cloud with VMware software, you’re probably familiar with technologies such as VMware NSX and how they can be used to accomplish huge paradigm shifts within the enterprise datacenter. Micro-segmentation is one of the phenomena brought about by NSX that facilitates one of these paradigm shifts: software defined networking and security. Owning and operating a VMware powered datacenter means you are also likely seeking to leverage differentiators in the VMware platform in order to offer new, value-add services to your customers. What may not be clear, however, is how to take a killer feature like micro-segmentation and build differentiating use cases into the platform that help customers and other partners solve many challenges. Many of these challenges relate to operationalizing cyber security in a hybrid cloud model, a unique challenge given the shared responsibility that it requires. Managing the relationship with your customers becomes an integral part of how future services will be offered and what the expectations should be on all sides, including strictly defined, measurable parameters for every service to be delivered.
This blog is the first in a series of publications on items such as Cloud Migration and DevOps that will build on the concepts presented here within the context of Micro-Segmentation. It serves as an introduction and overview to a vCloud Architecture Toolkit document on the subject of Micro-Segmentation that is currently being developed and will soon follow. The purpose of this information is to clearly articulate the differentiation these features are capable of bringing to our vCloud Air Network service provider partners. Future blogs will provide vignettes of how several identified use cases change operational models into a streamlined, trusted and consistent way of doing things within a service provider who is offering, or planning to offer, hybrid cloud. The first of these use cases is in a short video at the end of this blog. We believe capabilities built on the principles of Micro-Segmentation to be a huge potential differentiator, perhaps a necessity, in order to reap the true potential value of hybrid cloud. NSX micro-segmentation use cases provide powerful, predictable, measurable features and capabilities that shorten customer time to value on the way to successfully executing on a hybrid cloud security operations plan.
The Industry Challenge
There are any number of bad actors, on the internet and elsewhere, seeking to gain unauthorized access for a variety of motivations. Cyber criminals seeking profit look for data/identity theft or blackmail opportunities, state actors seeking power look for intellectual property or state secrets, while those motivated by prestige may seek to deface, bring down or otherwise exploit a resource such as this one. As attacks become more sophisticated they can emanate from many sources, including inside the hybrid-connected enterprise. This gives the insider threat new meaning. If we can't expect these boundaries to be mutually assured to be securely operated, how could we trust anything connected to you? This is the nature of the shared and privileged connectivity required to execute on a hybrid cloud architecture. Compelling features are being integrated into the core of the VMware vCloud platform, such as long distance vMotion and NSX Universal objects such as Distributed Firewall rules. These types of objects can be defined once and shared across up to 8 vCenter instances, wherever they may be located. We need to master the deployment and management of a federated layer of trust that unlocks all of these features to their truest potential. As you'll see in this blog, it is a responsibility you will own and define for your customers, as opposed to the perpetual reactive mode we find ourselves in when dealing with these sorts of issues today.
vCAN service providers, much like enterprises, employ any number of controls such as firewalls, logging, vulnerability scanning or AV/malware in order to identify threats, and may well sell the use of these tools to their customers as an additional service. Like most approaches and solutions in the market today, many of these controls operate at the network layer and tend to exist near the physical or logical edge of the datacenter or in agents on managed virtual machines. This creates blind spots, due to the positioning of the controls and to the need to inspect multiple OSI layers simultaneously to create context. This approach also fails from a datacenter scale perspective, as it is done in ASIC based appliances that have an upper limit per device, with chaining them often proving ineffective. It also brings complicated federation schemes and tremendous costs for managing new and existing appliances, their connectivity and operations support. While these appliances have been ported to software appliances, making them easier to federate, they are slow relative to the required speed of NSX and its underlying transport capabilities.
We are now left with a myriad of questionably scalable, increasingly difficult to manage security controls, where leaving any vulnerability open can allow an attacker to own the environment through privileged operation by executing the ‘kill chain’ shown in Figure 1 below. It is important to understand that, as a defender against cyber attacks, you must keep this kill chain path disrupted. For more information on the Kill Chain and NSX I encourage you to watch Tom Corn’s session at RSA Conference in 2015 here. Hat tip to Firehost, seen at about 40 minutes in (Firehost is now known as Armor), who are in this fight as a vCloud Air Network service provider protecting customers from an ever increasing, diverse set of threat profiles by using NSX.
Figure 1. Gartner’s Cyber Attack Chain Model
VMware NSX and Micro-Segmentation
VMware NSX, with its stateful Distributed Firewall, gives us the foundational system capabilities to use for Micro-Segmentation use cases. The Distributed Firewall runs in a 64 bit ESXi memory space called dvFilter, which has direct access to generate logical data streams of network traffic for binding various network enabled solutions such as load balancing, firewall or IPS, among others. It shares the NSX inventory of network objects used to manage how virtual network traffic gets on and off of the physical network and into the NSX overlay context prior to traffic being fed into a vNIC on a virtual machine. This allows us to interact with the network flows entirely in a software object model prior to serialization on the physical network, creating context and control at the tenant level, including which objects should talk to one another, based not just on IP addresses or TCP ports but on rich, dynamic, object oriented relationships. Furthermore, all hosts cache the NSX policy combinations of which virtual machines should have which controls applied to them, in order to activate those policies in operation.
NSX addresses the legacy nature of many security controls, which were not designed to operate on the type of network now prevalent in modern cloud service provider leaf/spine designs. By design, legacy controls were mostly employed to solve the challenge of multi-tenancy, as an example, but without the virtualization paradigm of pervasive resource sharing. Without the layers of virtualization and hybrid cloud computing factored in, their effectiveness in supporting modern attack/respond scenarios is diminished. There are, however, a number of technology partners (F5, Palo Alto, Checkpoint, Rapid7, Intel Security, Trend, Symantec, HyTrust and Riverbed amongst others) who have authored solutions that live in memory slots next to the one supplied by NSX for the Distributed Firewall through dvFilter, or within other layers of the virtual stack, as we will see later in this blog.
In this space, virtual traffic flows combine with network/security processing chains where they are serialized, parallelized, and pipelined to a now truly distributed, performant set of software defined security functions used to defend against cyber attack by enabling agile response to adverse operating conditions. Due to their performant location on a per ESXi host/instance basis and their ability to focus on dealing with only the virtual machines present on that host, rules and operations are carried out in the most distributed, scalable way possible, utilizing only fractions of the total ESXi memory overhead.
The green boxes below in Figure 2 are a list of cyber security technology partner solution categories that have these integration patterns with NSX. As we will touch on later in the paper these solutions can be orchestrated via NSX Service Composer and are triggered by continuously queried security event tags allowing context to be shared across software defined security functions. A particular combination of NSX technology partners is described in the Project Wonderland video emceed by my VMware Alliances colleague, Jeremiah Cornelius along with Symantec and Rapid7.
Figure 2. NSX and Third Party Service Categories
The Goldilocks Zone and Macro-Segmentation
Changing back to the bigger picture, securing hybrid cloud datacenters: in order to execute on a successful cyber security operation, we must have a repeatable, measurable, trusted provider infrastructure layer. Rather than constantly thinking about how to identify and respond to attacks, NSX seeks to change the game by positioning the solutions previously discussed in the exact context required to protect against specific threat profiles. This context is removed from where many of the threats from the outside will originate, the tenant VMs, and was deemed the ‘Goldilocks Zone’ by Martin Casado, the leader of our Network and Security business unit, makers of NSX. In another sense the context has also helped to clearly define the answer to the question of exactly what a service provider must do to enable the solution(s) to help manage the secure state of tenant virtual machines: making sure they are installed, operating and executing their work, providing evidence that they have done so, and forwarding exceptions to a shared queue.
Looking at Figure 3 below, we can see that virtual machine resources provide opportunities to leverage platform functions. Today this is often done with agent based solutions INSIDE the virtual machine, commingled WITH the threat they are responsible for eradicating. Risky business indeed, so this becomes another potential point of weakness to be managed.
Figure 3. Virtual Machine Resources
As we see in Figure 4 below the power of the combined solution used to protect virtual machines can be provisioned from a VDC.
Figure 4. Provider Virtual Data Center
By moving the execution of functions into vSphere, such as encryption (on the wire and ‘at rest’ in the upcoming vSphere beta), firewall, and NSX partner solutions for IPS, AV/malware, vulnerability, patching, role based access control etc., into the Goldilocks Zone, we have established a foundation for the trusted provider layer. By effectively leveraging combinations of these solutions we can protect the plane in cyberspace where the attacker will now have to execute leaps from context to context. Our controls operate in a context in between the points they need to travel. When that context is hardened and trusted we can, at a minimum, attest that our security is operational. Too many times a machine left unpatched or a default password left unchanged gives attackers all the foothold they need. Even worse, any link in the chain that is subverted in this privileged realm may have tremendous context for broad sweeping activities in hybrid cloud networks.
Taking these malleable building blocks, we are able to construct administrative boundaries in the provider layer that are dynamically grouped by applying policy tags impacting what types of resources can be combined to execute tenant operations for security. The chain of control for the trusted provider layer also extends downward into the hardware where we can pair ESXi auto-deploy and the measurement of trusted boot state. Physical control of this nature can lead to an out of the box enhancement to your service offerings simply from its ability to guarantee physical locality attestation of each host and thereby each virtual machine. This is an immediate value-add for data sovereignty issues in order to meet various regulations throughout the globe. Please see information from HyTrust here and here for more on trusted boot, geolocation and advanced management solutions for VMware.
To illustrate the patterns used to construct these boundaries, made of NSX networks and other segmented resources or what I call Macro-segmentation, I made them into this video:
Deploy the Optimal Control with Flexible Security Functions
Having created the consistent, trusted foundation layer we can provision tenant topologies scoped with preferred security controls in place. This also abstracts day to day operations and allows us to devise service offerings that present opportunities for vCAN partners to create value add for vCAN service providers. The infrastructure qualities alone are an asset that is easily assigned a price, for instance, when targeting a regulated environment. Because most customers are doing, or outsourcing, many of these operations today, most are likely already using some security solution from the NSX technology partners listed in this blog. They are also experiencing potentially very little return on that investment, with a lack of operational agility, uncertainty that they can respond meaningfully to an attack, or even know that they are under attack. With a hodgepodge of security solutions scattered about the hybrid cloud network it will certainly not be enough to create adequate policy boundaries, given the increasingly threat centric operating environment where being proactive seems rarely to be an option. Spending time responding after the damage is done is no way for a business to run and tends to limit the ways in which the line of business relies on IT.
With software defined networking and security Micro-Segmentation we are able to create control vectors relative to the threat vectors through which the bad actors must navigate in order to execute their kill chain. We are now able to define the landscape of the virtual topology, limiting hiding places while forcing tenant operations, including security, into a centralized layer consisting of administrative consoles and APIs. The amount of real estate left for attackers to operate within this security defined cyber space dwindles, as does the time they have to ‘dwell’ or seek to penetrate the environment more deeply from one or more of the threat vectors in any given context. To further shorten this dwell time, it is important to align solutions that can respond to events from external sources. Events may come from the management plane (‘administrator account just had failed login attempts from a suspicious IP’), from the internet, as in a DDoS attack, or from an external source such as a new critical vulnerability identified by the industry. Threats can also come from other cloud contexts (east/west) as more ‘as a service’ types are supported (think desktops) within the service provider infrastructure on a per customer basis. Service providers and customers can now use this dynamic environment to interact with ITSM solutions such as ServiceNow, traditional Business Process Management systems through APIs, and logging/reporting solutions such as vRealize Log Insight. But mostly these events will come from the NSX and technology partner solutions, where they can be advertised for other solutions in the chain to respond to.
Providers can continue to add value simply by hosting the right solutions for performing the hands-on security management aspects of the tenant environment. With every condition that arises the trusted platform ensures tools are available to properly execute on security operations with the extensibility to reach out to specialized operators, in context, relative to new or ongoing threats. This streamlines any security operation by simply fully embracing the concepts laid out herein.
Responding to Conditions
Our goal is to help create situations favorable to our service providers and customers for succeeding in the delivery of services based on best practices for cyber-security. It’s also a goal that templates and patterns from these references be easily shared on top of architectures built with NSX Distributed Firewall micro-segmentation concepts. While using these reference implementations can get you started, we hope the approaches are dynamic enough to be adopted into best practices for delivering managed hybrid cloud services in any organization. This feature is important in the sense that everyone involved in the hybrid cloud contract would be able to access common networks while maintaining the level of governance described, all embedded in the system design. For customers that lack the maturity to deliver this kind of control, it is a great option to purchase this kind of managed service from a vCAN partner rather than deliver it entirely in house. In this unique approach to security, there is a massive opportunity for risk management along the vectors discussed in this blog. Because it is all software-defined, the combinations and timing by which you activate these solutions to identify and fend off cyber attacks become highly composable, allowing a highly functional underpinning to serve cyber security professionals. And many organizations today are opting for a zero-trust model where everything, everywhere must meet certain levels of security. To win this security minded customer, vCloud Air Network partners need a solution that can deliver that, as well as a consistent operational model in which growing maturity allows them to offer increasingly higher value services with a higher ASP.
In cyber security operations, changes in states or conditions require actions. Packaging those actions to prepare for, or to fight off, a cyber attack should be the ultimate goal. For security operators, responding in an isolated, well parameterized environment with advanced software defined security functions operating against the known threat vectors greatly simplifies operations, especially under threat/response conditions. This is due to the attacker’s inability to use typical methods, since every security control is positioned at every vertex of network communication. Ultimately you need to catch them before they establish any command and control inside of your environment, since what you really want to prevent at the end of the day is exfiltration! Eventually the effort the attackers must exert to outmaneuver this operational agility and line of sight will become too much of a challenge to bear in a micro-segmented environment. Like the most secured home on the block, the bad actor’s effort/risk/reward model soon wears thin.
As a service provider, how high you want to go in the composition of services above delivering the trusted foundations is completely up to you. Forming the tenant Operations layer and simply providing a service to support the uptime and execution of NSX and the chosen partner technology solutions becomes viable, as does implementation of templated patterns that can be used to build the secured digital property prior to migrating or on-boarding new customers. Subject areas that will appear in the vCAT blog at a later date, such as Migration, DevOps, DaaS and Continuent, will utilize these trusted foundations with micro-segmentation to enable more value-add potential for hosting mission critical applications that may require higher levels of security assurance.
Streamlining which security services to combine into which contexts to respond to threat conditions, and with which functional use cases, remains the work to be done to devise an effective service that can be monetized. By focusing on NSX and Micro-Segmentation to drive adoption of the trusted platform, training specialized security architects, operators and event response teams to use the platform becomes a reality. It is important that parties engaged in security operations on the system understand their boundaries with regard to what functions and/or evidence of execution is expected to be shared when it comes to security events. As the operational context for security becomes richer with NSX, it exhibits a number of features. For one, a lower noise to information ratio, due to the context of the logging produced by the solution. This also enables driving operational dashboards in near real time, further de-risking the proposition that you would fail to respond to any cyber attack in a timely fashion. To see these features bonded together in the VMware stack, let's look at Micro-Segmentation Use Case 1 next.
Micro-Segmentation Use Case 1 - Privileged Administrator Access
In any cloud environment there are a number of administrative personas performing activities: cloud operators, database administrators, web application and network engineers, who can all be given explicit access to sessions for conducting operations. By adding enhancements to the use case from CA Xceedium you can get features such as root password vaulting and session recording; without a session broker like Xceedium, the base of the use case could be a client executable on a Windows client or a web application with Java on a Linux virtual machine. That process is governed by the integration of the NSX Distributed Firewall with an Active Directory SID added to the tuple. Once again I’ll ask you to watch a short video of how these solutions aggregate to form an enriched context boundary for a database administrator scenario in the tenant application administrator realm, leveraging the underpinning of micro-segmentation.
You can see that a similar combination could be used to provision jump boxes or bastion hosts for almost any type of cloud administrative activity. Because many of those calls from client to server are done with REST XML they become even more transparent to manage. No more worries about browser or software stack compatibility, because the session is initiated entirely on your terms. With solutions from VMware Horizon such as App Volumes and View, you could provide a highly manageable, fully automated regime of desktops for all of these personas and activities. These could be worth leveraging in order to develop new services for your customers. Think about a secure "bring your own device" plan, managed by AirWatch running in your cloud. You will need the trusted foundation to deliver on this vision as well, with more security enhancements coming in the future from VMware End User Computing and NSX, extending that trust boundary from the cloud to the device.
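To make the two mechanisms this blog leans on concrete, the Service Composer pattern of security tags driving dynamic group membership, and the Use Case 1 pattern of adding the logged-in Active Directory identity to the firewall tuple, here is an added, simplified model of distributed firewall rule evaluation. It is illustration written for this post, not NSX code or its API; every VM, tag, user, AD group and rule in it is constructed, and the identity lookup is a stand-in for whatever identity source the real deployment uses.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class VM:
    """A tenant VM as the distributed firewall sees it (constructed model)."""
    name: str
    ip: str
    tags: Set[str] = field(default_factory=set)   # NSX-style security tags
    user: Optional[str] = None                    # user logged in to the guest


@dataclass
class Rule:
    name: str
    src_group: str                    # dynamic group name, or "any"
    dst_group: str
    port: Optional[int]               # None matches any port
    action: str                       # "allow" or "deny"
    ad_group: Optional[str] = None    # AD group the source user must belong to


# Constructed Active Directory group membership (hypothetical identity source).
AD_GROUPS: Dict[str, Set[str]] = {"DBAdmins": {"alice"}, "WebDevs": {"bob"}}

# Dynamic group criteria evaluated against tags, as Service Composer does;
# a VM changes groups the moment a partner solution adds or removes a tag.
GROUP_CRITERIA: Dict[str, Callable[[VM], bool]] = {
    "jumphosts":  lambda vm: "role=jumphost" in vm.tags,
    "db-tier":    lambda vm: "tier=db" in vm.tags,
    "web-tier":   lambda vm: "tier=web" in vm.tags,
    "quarantine": lambda vm: any(t.startswith("threat=") for t in vm.tags),
}


def in_group(vm: VM, group: str) -> bool:
    return group == "any" or GROUP_CRITERIA[group](vm)


def user_in_ad_group(vm: VM, ad_group: str) -> bool:
    return vm.user is not None and vm.user in AD_GROUPS.get(ad_group, set())


# Ordered policy, first match wins; quarantine rules sit above everything so a
# tagged VM is cut off even from flows that were allowed a moment earlier.
POLICY = [
    Rule("quarantine-egress",  "quarantine", "any",        None, "deny"),
    Rule("quarantine-ingress", "any",        "quarantine", None, "deny"),
    Rule("dba-via-jumphost",   "jumphosts",  "db-tier",    5432, "allow", ad_group="DBAdmins"),
    Rule("web-to-db",          "web-tier",   "db-tier",    5432, "allow"),
    Rule("default-deny",       "any",        "any",        None, "deny"),
]


def evaluate(src: VM, dst: VM, port: int) -> Tuple[str, str]:
    """Return (action, matching rule name) for a flow src -> dst:port."""
    for rule in POLICY:
        if not (in_group(src, rule.src_group) and in_group(dst, rule.dst_group)):
            continue
        if rule.port is not None and rule.port != port:
            continue
        if rule.ad_group and not user_in_ad_group(src, rule.ad_group):
            continue
        return rule.action, rule.name
    return "deny", "implicit-deny"


def demo() -> Dict[str, str]:
    """Walk the database administrator scenario; returns flow -> action."""
    jump = VM("jump01", "10.0.0.10", {"role=jumphost"})
    web = VM("web01", "10.0.1.20", {"tier=web"})
    db = VM("db01", "10.0.2.30", {"tier=db"})
    results: Dict[str, str] = {}
    jump.user = "alice"                        # DBA session on the jump box
    results["alice jump->db"] = evaluate(jump, db, 5432)[0]
    jump.user = "bob"                          # web developer, same jump box
    results["bob jump->db"] = evaluate(jump, db, 5432)[0]
    results["web->db"] = evaluate(web, db, 5432)[0]
    web.tags.add("threat=high")                # e.g. an AV partner tags the VM
    results["web->db after tag"] = evaluate(web, db, 5432)[0]
    jump.user = "alice"
    results["alice jump->db ssh"] = evaluate(jump, db, 22)[0]
    return results


if __name__ == "__main__":
    for flow, action in demo().items():
        print(f"{flow:24} {action}")
```

The same jump box yields different verdicts for the two users, and the web VM loses its previously allowed flow as soon as a partner tag lands on it, which is the event-driven response the blog describes.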
Conclusion
Given the potential power of the first true hybrid cloud with shared resources running across all NSX enabled vSphere environments, on-premise to the cloud, we wouldn’t want cybersecurity to become any more of a barrier to adoption. Our customers are listening to the message from VMware that micro-segmentation capabilities should be thought of as an opportunity to change the game in security. But it is our service provider partners that can create a consistent value add to that software platform in ways that make the most sense for solving what has become a potentially difficult problem. We want our vCAN partners to enter the problem-solving phase around securing the hybrid cloud with a clear description of how the technology is expected to work in practice, for what purpose and at what value: value expressed in terms of predictable cost savings, streamlined operations and a path, through security use cases, to better support enterprise hybrid cloud customers.
By utilizing the Micro-Segmentation Use Cases we can offer controls for each resource type, at each threat vector, and understand how the trusted provider layer will act and react in each situation. By binding other security controls and services within the management boundary down to the physical hardware, we are able to distribute portions of security operations across all sides of the hybrid cloud. Carrying out the security operations can occur from either or both sides given adequate coordination. By leveraging the trusted platform in the Micro-Segmentation Reference Architecture and Use Cases yet to come in the vCloud Architecture Toolkit for Service Providers, vCAN Service Providers can be ready to implement the kinds of services that could be used to run services of varying levels of complexity:
- Trusted compute foundation for geolocation attestation and management boundary enforcement
- NSX VXLAN and DFW designed into service provider tenant networks
- 3rd Party NSX integrated solutions to help build out use cases
- Managed readiness, uptime, execution of functional security components
- Policy based orchestration of security solutions at varying levels of maturity and abstraction to help manage cyber security operations
- Possibility to partner with resellers of higher order services who do not want to own the infrastructure and security solutions
- Deliver those to any environment built on the same trusted foundation, creating a single security context ACROSS all virtualization and cloud resources
- Expand portfolio to meet regulatory controls
For more information on running a VMware cloud relative to supported regulations please start with this blog.
Executives must be informed enough to not just get a compliance report, but to measure risk. This process is not done in absolutes but in finding tolerance for certain outcomes; therefore it is a consultative sale. The vCloud Air Network service providers should build a cybersecurity toolkit from the trusted provider layer and arm the operators of these systems, who must be diligent in the execution chain of the prescribed functions. Attestation about what we can trust to a tolerable degree of certainty is peace of mind where customers and cloud security are concerned. As you can see, the VMware NSX Distributed Firewall and its security focused technology partners riding sidecar in dvFilter can rule the Goldilocks Zone by executing a chain of orchestrated responses in context and based on measurable conditions. This problem of cyber security must be actively managed, and choosing the right set of technology to defend against adverse events requires a common layer that controls the context. That layer is NSX, a security focused PaaS, and the pattern is micro-segmentation, truly a new weapon on the cyber warfare front.
We can only be as strong as our weakest link. Are you up for the challenge?