The New Security Sale: Network Virtualization for Micro-Segmentation

These days, there is a good chance security is top of mind for your customers. From the Target breach to the Snowden/NSA revelations to, most recently, the Heartbleed bug, vulnerability issues and other threats have elevated IT security to the highest levels of public and private sector organizations.

Our industry is beginning to come to grips with the fact that the only thing outpacing security spending is the increasing losses due to security threats. However, with advances in network virtualization technology such as VMware NSX, you now have an opportunity to fundamentally change how your customers approach security in their data centers through network micro-segmentation.

At a high level, micro-segmentation is the provisioning of finely granular network security policies—all the way down to the virtual machine, and even to the virtual network interface. Micro-segmentation and data center security are such top-of-mind topics today that security has been a real driver for NSX sales.

Customers’ data centers, almost universally, have strong protection at the edge. Advanced perimeter firewalls control the flow of traffic into application servers. Yet, despite the investment in perimeter protection including firewalls, intrusion prevention systems and network-based malware protection, new forms of advanced persistent threats are driving more breaches. But why? Because modern attacks exploit the perimeter-centric defense strategies employed in most data centers, hitching a ride with authorized users, then moving laterally within the data center between workloads with few to no controls to block propagation.

To address these increasing east-west traffic patterns, and to contain threats that do make it past perimeter defenses, a new model of data center security is needed—one that acknowledges the fact that those threats could be anywhere and are often everywhere. Forrester Research calls this a “Zero Trust” approach to security.

Micro-segmentation is the key to a Zero Trust model. Micro-segmentation limits unauthorized lateral movement, but it hasn’t been feasible for IT to implement. Using traditional firewalls to achieve micro-segmentation negatively impacts throughput capacity and creates operational and change management burdens. The capacity issue can be overcome at a significant financial cost in physical or virtual firewalls. However, the operational burden increases as the number of workloads grows, and the placement of workloads changes dynamically.

VMware NSX For Micro-Segmentation

With VMware NSX, your customers now have an economically and operationally feasible way to deploy micro-segmentation to transform their data center security architecture. NSX provides the networking and security foundation for a software-defined data center, and running NSX allows IT administrators to create multiple, parallel virtual networks that are fully isolated from one another. This virtual air-gap prevents security threats from spreading in a data center.

VMware NSX offers several advantages over traditional network security approaches, including automated provisioning, automated move/add/change for workloads, distributed policy enforcement at every virtual interface, and in-kernel, scale-out firewalling distributed to every hypervisor and baked into the platform. Micro-segmentation provides the ability to secure traffic flows within a data center with micro-granularity, even down to the level of the virtual network interface. This makes it possible to have firewall controls for each virtual machine, everywhere in the data center. And when a virtual machine moves, its security moves with it.

With NSX network virtualization, administrators can segment their systems to control the flow of traffic, based on security policies. Since modern data centers require agility (spinning up, moving, retiring workloads), NSX firewall policies are fully distributed and enforced at the virtualization infrastructure throughout the data center, with fully centralized automation and control. When a virtual machine (VM) is created, NSX automatically creates security policies tailored for this VM. When the VM moves, the security policies move with it. And when the VM retires, the security policies also retire, putting an end to a centralized chokepoint with scores of stale firewall policies.
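To make the lifecycle behaviour described above concrete, here is a small Python model, added as an illustration and not VMware's or NSX's own code. It contrasts a centralized, IP-keyed allow-list (the chokepoint whose rules outlive the workloads they were written for) with a distributed policy keyed to a workload's security tag and evaluated at the VM's own virtual NIC. The tags, hostnames, addresses and the three-tier rule set are constructed for the example.

```python
"""Toy model contrasting a centralized, IP-keyed firewall with a distributed,
identity-keyed micro-segmentation policy. Constructed illustration only: this
is not VMware NSX code, and the tags, hosts and addresses are made up."""
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    tag: str    # security tag describing the workload's role, e.g. "web"
    ip: str
    host: str   # hypervisor the VM currently runs on


@dataclass(frozen=True)
class TagRule:
    src_tag: str
    dst_tag: str
    dst_port: int


class IpKeyedFirewall:
    """Centralized chokepoint: allow-list keyed by IP address. Retiring a VM
    does not touch the rules that were written for its address."""

    def __init__(self):
        self.allow = set()      # (src_ip, dst_ip, port)
        self.vms = {}

    def create_vm(self, vm):
        self.vms[vm.name] = vm

    def retire_vm(self, name):
        del self.vms[name]      # rules mentioning its IP stay behind (stale)

    def add_rule(self, src_ip, dst_ip, port):
        self.allow.add((src_ip, dst_ip, port))

    def permits(self, src, dst, port):
        s, d = self.vms[src], self.vms[dst]
        return (s.ip, d.ip, port) in self.allow


class DistributedFirewall:
    """Micro-segmentation model: default deny; rules keyed by security tag and
    evaluated at the VM's own vNIC on whichever host it runs."""

    def __init__(self, rules):
        self.rules = set(rules)
        self.vms = {}

    def create_vm(self, vm):
        self.vms[vm.name] = vm

    def move_vm(self, name, host):
        self.vms[name].host = host   # tag is unchanged, so the policy follows

    def retire_vm(self, name):
        del self.vms[name]           # nothing address-specific to clean up

    def effective_rules(self, name):
        """Rules that apply at this VM's vNIC on its current host."""
        tag = self.vms[name].tag
        return {r for r in self.rules if tag in (r.src_tag, r.dst_tag)}

    def permits(self, src, dst, port):
        if src not in self.vms or dst not in self.vms:
            return False            # a retired VM has no policy and no traffic
        return TagRule(self.vms[src].tag, self.vms[dst].tag, port) in self.rules


def three_tier_policy():
    """Constructed rule set: only web->app:8080 and app->db:3306 are allowed."""
    return [TagRule("web", "app", 8080), TagRule("app", "db", 3306)]


def demo_lateral_movement():
    """Which east-west flows the distributed policy permits across the VM lifecycle."""
    fw = DistributedFirewall(three_tier_policy())
    for vm in (VM("web1", "web", "10.0.1.10", "host-a"),
               VM("web2", "web", "10.0.1.11", "host-a"),
               VM("app1", "app", "10.0.2.10", "host-b"),
               VM("db1", "db", "10.0.3.10", "host-c")):
        fw.create_vm(vm)
    checks = {
        "web1->app1:8080": fw.permits("web1", "app1", 8080),   # sanctioned path
        "web1->db1:3306": fw.permits("web1", "db1", 3306),     # tier skip: denied
        "web1->web2:22": fw.permits("web1", "web2", 22),       # peer-to-peer: denied
        "app1->db1:3306": fw.permits("app1", "db1", 3306),     # sanctioned path
    }
    fw.move_vm("web1", "host-b")          # vMotion-style move: policy follows
    checks["web1->app1:8080 after move"] = fw.permits("web1", "app1", 8080)
    fw.retire_vm("web1")                  # retire: policy retires with it
    checks["web1->app1:8080 after retire"] = fw.permits("web1", "app1", 8080)
    return checks


def demo_stale_ip_rule():
    """Stale-rule problem: an IP-keyed rule survives the VM it was written for
    and a later workload reusing the address inherits the access; the tag-keyed
    policy does not, because the new workload carries a different tag."""
    ipfw = IpKeyedFirewall()
    ipfw.create_vm(VM("app1", "app", "10.0.2.10", "host-b"))
    ipfw.create_vm(VM("db1", "db", "10.0.3.10", "host-c"))
    ipfw.add_rule("10.0.2.10", "10.0.3.10", 3306)
    ipfw.retire_vm("app1")
    ipfw.create_vm(VM("scratch1", "scratch", "10.0.2.10", "host-a"))  # reuses the IP
    dfw = DistributedFirewall(three_tier_policy())
    dfw.create_vm(VM("db1", "db", "10.0.3.10", "host-c"))
    dfw.create_vm(VM("scratch1", "scratch", "10.0.2.10", "host-a"))
    return ipfw.permits("scratch1", "db1", 3306), dfw.permits("scratch1", "db1", 3306)


if __name__ == "__main__":
    print(demo_lateral_movement())
    print(demo_stale_ip_rule())
```

The point of the model is the key, not the rule count: once policy is bound to what a workload is rather than where it sits, a move changes nothing and a retirement leaves nothing behind, whereas an address-keyed chokepoint accumulates rules that grant access to whatever next lands on the address.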

Selling Network Virtualization for Security

IT leaders will first look to you, their expert resellers, to lead them on the path toward adopting a software-defined data center (SDDC). The first step on this path is network virtualization, which makes the SDDC possible. The issue of security and data centers is not one that is taken lightly. The urgency of better data center security with micro-segmentation is a nice lead-in to a conversation around SDDC.

With NSX’s ability to bring together the best security solutions in the industry, there is also an opportunity to help your customers integrate their existing infrastructure to provide the best security architecture to protect their data center assets and application infrastructure.

Here are some additional resources you might find interesting:

We look forward to partnering with you.

Geoffrey Huang is director of product marketing at VMware, Inc. Monthly guest blogs such as this one are part of The VAR Guy’s annual platinum sponsorship. Read all of VMware’s guest blogs here.
