VMware CEO Pat Gelsinger declares security broken, and says the company's new approach is to reduce the threat surface by intelligently locking down the behaviour of the virtual and cloud infrastructure it manages.
LAS VEGAS — Pat Gelsinger does not have a lot of nice things to say about the state of security. In his VMworld 2018 keynote here, VMware’s CEO called the state of security “broken today” because “the industry got it wrong” in trying to bolt on security, and, as he puts it, “chasing bad.”
“We’re spending more, and we’re losing more. Every day, we invest more in security, and we’re falling more and more behind,” he told attendees at his company’s trademark event of the year. “We believe we have to have fewer security products, and more security.”
His solution is to flip the equation on its head, and focus on making sure things are doing what they’re supposed to be doing, instead of looking for things doing what they’re not supposed to be doing. It’s not a new idea in the security sphere, but it’s one that will shape the direction of the company’s products.
The executive argued that tools like sensors, agents and network security boxes will become less relevant if VMware’s own management tools simply lock down virtual machines to only do what they’re supposed to do, in effect reducing the threat surface rather than expanding the search for bad actors.
Gelsinger acknowledges the idea itself isn’t new, but stresses that “it wasn’t practical before NSX,” the company’s network virtualization software. Core to the strategy is what VMware calls adaptive micro-segmentation, which brings together NSX, vSphere, and the company’s AppDefense security software. The idea is to lock down the networking and compute stacks, and micro-segment applications, tightly controlling what they can and can’t do — but also learning from past experience to allow new behavior that is wanted, hopefully reducing the security admin scourge of false positives. This cycle of learn, then lock, then adapt is ongoing, and in concept gets smarter as the system gains “experience” through use.
But perhaps the big change in terms of security at VMware is the company’s new vSphere Platinum offering, which for the first time offers the flagship virtualization engine with AppDefense built in. Mike Adams, senior director of cloud platform product marketing, said the approach “creates the world’s most secure environment,” bringing together on-premise security and SaaS-based services to lock down vSphere by default.
Gelsinger said Platinum will “enable virtualization teams to provide an enormous contribution to enterprise security,” seeing what every VM in the organization is doing and controlling that behaviour without taking a performance hit from third-party sensors and monitors. The CEO called it the obvious fries to virtualization’s burger, invoking the classic upsell example.
“Who would run a VM in the future without turning security on?” Gelsinger sarcastically asked.
Platinum will also include a nod to VMware’s crucial partnership with Amazon Web Services. Adams said that with the purchase of five CPUs or more of vSphere Platinum, customers will get credits for cloud consumption of the VMware stack on AWS, a way to “kick the tires” on the cloud extension to the traditional approach to data centre virtualization.