Bringing Agility to Network Security (devsecops) with VMware NSX

Drew Kimmelman

Software-defined infrastructure is everywhere. There is no lack of information available detailing every feature, all the amazing benefits, and why organizations should adopt software-defined solutions.

For most of my career, I have been focused on some form of technology infrastructure across servers, storage, network, or security. Then, in 2014, something clicked.

Starting in late 2014, I really began to shift my focus to software’s application in the infrastructure world, and so far, it has been an exciting journey. I don’t want to focus on the features and functionality of software-defined because there is plenty of that available in a simple Web search. I would like to talk about how moving to a software-defined approach changed the way organizations are able to apply security.

To tell my story, I want to look at how application developers have benefited from the implementation of server virtualization. It is pretty easy to set up a virtual machine per development environment. If my software lifecycle looks like unit, integration, acceptance, and production, then I can spin up a virtual machine per environment, write code, and implement changes that carry limited risk because they are not applied to a virtual machine serving production. By the time the code makes it to production, the code has typically been tested, and the risk in the deployment of code to production is reduced. Now, I know it doesn’t always work this way, but this has at least been achievable for quite some time.

As we have looked at infrastructure for the last several years, the approach described above has not really been achievable. Infrastructure changes have typically occurred against physical devices that will - or have always - serviced production workloads, so the risk associated with applying any change has always been large. Because of this, any change, production or non-production, has always had a long lead time. This isn’t because infrastructure teams have wanted to be the constraint on an organization’s ability to apply a feature or function in a business application, but because, until recently, the technology has not been an enabler that helps mitigate risk and ease the complexity of making modifications at any layer of infrastructure.

I want to talk about how VMware’s NSX technology helps security teams evolve the way in which they can apply security. For over two years, I have been fortunate to see massive amounts of positive change in the ability for security teams to keep up with organizational demand. First, as a baseline: VMware NSX is a software solution that allows security teams to abstract the implementation of security from a hardware device. Security teams now have the ability to create logical constructs that align to the requirements of application developers. Remembering our application developer example from above, security teams can now create security groups / zones around the lifecycle of an organization’s application. For instance, the lifecycle of “app A” might be “app A Unit”, “app A Integration”, “app A Acceptance”, or “app A Production.” With VMware NSX, I have worked with security teams to model logical “security groups” around the lifecycle of applications. This helped them achieve a few things:

  1. Security changes at each stage of the lifecycle were made against a subset of the workloads associated with an application. Any change made to “app A Unit” only applied to workloads contained within that part of the application’s lifecycle. Remember, we are now implementing security policies or remediation against a logical construct, not a physical device, so the long lead times to identify the risk of any change are greatly reduced. Because of this, security teams have had the opportunity to work in parallel with application teams to get their code not only deployed, but into a state where any new features and functions could be readily tested for speedier, more stable deployments into production. This is a huge win because the business can reach the market faster, with more stable feature releases, and witness higher customer adoption of a particular service. This is enabled by reducing the risk of applying security changes to an environment.
  2. The removal of the requirement for security policy to be made against a physical device now gives us the flexibility to evaluate security architectures independently of network topology. In the technology environment we live in today, users want workloads to have an almost borderless characteristic. Security without hardened borders has been difficult because security has traditionally been applied against the network topology: the IP address has had a huge impact on how security has been able to enforce policy. Using VMware’s NSX technology, I have witnessed organizations develop a security architecture that allowed users to deploy workloads against multiple sites, all while maintaining a set of pre-approved, consistent security policies. I have seen organizations move workloads from one site to the next, without the intervention of a long lead time from the security team. Moving beyond the IP address as the enforcement point for organizational applications is a huge technical win for security teams and for their ability to help drive rapid deployment practices.
  3. Security teams have had the opportunity to drive security policy standardization in the environment. One of the biggest challenges security teams have faced is the unique security requirement that each application or application team needs to make their “thing” work. With this approach, security teams are forced to evaluate the unique requirement, what the risk is, and any potential problems it may cause for the organization, and this can take a lot of time. Showing various teams how VMware NSX lets security teams model what they can achieve against the application team’s requirements has built positive momentum in security teams’ ability to identify a set of security policy standards, which is a prerequisite for any organization’s ability to rapidly deploy a workload that provides value to teams. Standards help lead to repeatable processes and reduce risk.
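To make the logical-group model behind these three points concrete, here is an added example of my own in Python (not NSX’s API and not code from this post): a simplified tag-based security-group model in which the group names, tags, rules, workload names and IPs are constructed assumptions. It shows that a rule change scoped to “app A Unit” leaves production untouched, and that a workload moved to another site with a new IP keeps the same policy because membership is decided by tags, not addresses.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    site: str
    tags: frozenset  # constructed labels such as "app=A" and "stage=Production"

@dataclass(frozen=True)
class SecurityGroup:
    name: str
    match: frozenset  # a workload is a member when it carries every tag in `match`

    def contains(self, w: Workload) -> bool:
        return self.match <= w.tags

@dataclass(frozen=True)
class Rule:
    src: SecurityGroup
    dst: SecurityGroup
    port: int
    action: str  # "allow" or "deny"

def members(group: SecurityGroup, workloads: list) -> list:
    """Names of the workloads a group currently contains (membership is by tag, not IP)."""
    return [w.name for w in workloads if group.contains(w)]

def evaluate(rules: list, src: Workload, dst: Workload, port: int) -> str:
    """First-match evaluation on group membership; a flow no rule matches is denied."""
    for r in rules:
        if r.src.contains(src) and r.dst.contains(dst) and r.port == port:
            return r.action
    return "deny"

def migrated(w: Workload, site: str, ip: str) -> Workload:
    """Move a workload to another site with a new IP; its tags, and so its policy, do not change."""
    return replace(w, site=site, ip=ip)

# Security groups modelled on the lifecycle stages of "app A"; names, tags and IPs below are constructed.
APP_A_UNIT = SecurityGroup("app A Unit", frozenset({"app=A", "stage=Unit"}))
APP_A_PROD_WEB = SecurityGroup("app A Production web", frozenset({"app=A", "stage=Production", "tier=web"}))
APP_A_PROD_DB = SecurityGroup("app A Production db", frozenset({"app=A", "stage=Production", "tier=db"}))
RULES = [
    Rule(APP_A_PROD_WEB, APP_A_PROD_DB, 5432, "allow"),  # production web tier may reach its database
    Rule(APP_A_UNIT, APP_A_UNIT, 5432, "allow"),         # unit-stage workloads may talk among themselves
]
PROD_WEB = Workload("appA-prod-web", "10.1.0.10", "site-1", frozenset({"app=A", "stage=Production", "tier=web"}))
PROD_DB = Workload("appA-prod-db", "10.1.0.20", "site-1", frozenset({"app=A", "stage=Production", "tier=db"}))
UNIT_WEB = Workload("appA-unit-web", "10.9.0.10", "site-1", frozenset({"app=A", "stage=Unit", "tier=web"}))
```

Changing the unit-stage rule to "deny" alters only flows between "app A Unit" members; the production web-to-database rule still evaluates to "allow", and so does the same flow after PROD_WEB is migrated to a second site with a different address.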

Having been fortunate to work with VMware NSX for quite some time now, the most amazing part of what it does involves security transformation. Security teams must manage multiple layers of security, protect company assets, customers, etc., all while having to worry about being a constraint on the organization’s ability to deploy a new feature to market first. VMware NSX is a technology that helps transform security teams and their abilities, reduce risk, and enable business function deployments.