Next week at RSA Conference, VMware will showcase how VMware NSX, when deployed with AirWatch EMM or VMware Horizon, addresses the enterprise security challenge of over-provisioned data center access through the use of network micro-segmentation. This unique combination creates an individualized virtual network that allows users or groups to access only the specific applications within the data center to which they are authorized. This model can prevent users from accessing or even seeing resources that exist within the data center to which they are not entitled. Through this unique combined solution, IT can help minimize security threats resulting from over-provisioned access that is common with traditional gateway VPNs.
"VMware is a driving force in helping to evolve security inside the data center through micro-segmentation with VMware NSX, and on the device level through capabilities such as per-application VPN," said Noah Wasmer, vice president of product management and CTO, End-User Computing, VMware. "Today we are bringing the power of these two solutions together to deliver the ability to implement a fully-segmented virtualized data center network that meets the unique challenges presented by today's mobile end users."
Micro-segmentation: Better Security with a Software-Defined Data Center Approach
Organizations typically provide user access through a secure VPN gateway connection into the cloud data center where applications and data reside. Once inside the data center, however, users can gain nearly unlimited access to all of the resources inside of the data center. Modern attacks exploit this perimeter-centric defense strategy by 'hitching a ride' from authorized users using completely secure connections, then moving laterally within the data center between workloads with little or no controls to block propagation. As more and different types of devices are coming into businesses, IT requires a solution that solves this over-provisioned access challenge to provide secure, restricted access to only the resources to which users are entitled.
VMware NSX helps solve this challenge through network micro-segmentation inside the data center. The VMware NSX approach to securing user access offers several advantages over traditional security approaches -- automated provisioning, automated move/add/change for workloads, distributed policy enforcement at every virtual interface and in-kernel, scale-out firewalling distributed to every hypervisor or virtual desktop and baked into the platform.
-- Deploying VMware NSX with AirWatch Enterprise Mobility Management - combining AirWatch identity management and per-app VPN controls with VMware NSX network virtualization completes the security bridge from the device to the data center. This solution enables IT to assign exact data center resources to specific applications based on the organizational groups already set up through AirWatch EMM. The permissions set by IT can prevent the enterprise from overexposing data center information to applications on any device while still empowering the mobile user with the corporate resources they need to do work efficiently and effectively. The combined solution also gives admins greater visibility into what mobile users can access and eases change management as new applications come online.
-- Deploying VMware NSX with Horizon - this solution enables effective firewalling for each virtual desktop at a VM level, preventing the spread of threats from desktop to server as well as desktop to desktop.
Security policies can be created based on individual users or logical groupings, rather than being tied to rigid network topologies, and VMware NSX streamlines and simplifies configuration of security policies
based on types of users (e.g., engineering, HR, finance) and types of data being accessed (e.g., credit card, payroll). Because mobile and virtual desktop sessions are more dynamic than server workloads, static
security policies are far less effective. VMware NSX simplifies and automates application of network and security policies to users or virtual desktop pools.