Last week I blogged about understanding the security implications when migrating Greenfield and Brownfield applications to VMware NSX.
Today, we’re examining the next steps after you’ve successfully deployed your virtualized datacenter – how you should approach managing, reporting on and auditing its security. Using NSX’s micro-segmentation capabilities, you’ve effectively placed a virtual firewall around every server inside the datacenter, giving you control of East-West traffic. And you’ve configured those virtual firewalls, shifting them away from their default ‘allow all’ settings (a topic we covered in detail here) so that they deliver exactly the right secure connectivity for your critical applications.
So far, so good: NSX is protecting your micro-segmented environment. However, the policies implemented by the NSX firewalls will need to change dynamically, when new applications are deployed or changed. And this typically means that NSX should be part of the organization’s network security policy change process, and subject to the organization’s governance, audit, and regulatory compliance requirements.
But here’s the problem: security teams do not always have the day-to-day visibility they need into what’s happening in the VMware environment. This is because the team that ‘owns’ the VMware environment is often separate from the security team – it may be the virtualization team, the cloud team or the server team. In practice this can lead to a lack of communication between the groups, which, in turn, causes problems for the security team, who are responsible for auditing and ensuring compliance – as well as the overall security – of the entire enterprise network. And of course, any change in NSX is almost certain to have an impact on security and compliance outside the virtualized environment.
I have heard statements by CSOs to the effect that: “The NSX environment is being managed by those other people and, from a security viewpoint, I don’t know what they are doing. I have no visibility into NSX, yet I’m being pressured into reporting on and taking ownership of its security. I’m pushing back because I have no controls, and as far as I am concerned, whatever is happening inside the VMware estate does not exist.”
These organizational silos are blurring the lines of responsibility. If IT security teams cannot get a complete, unobstructed view of their organization’s overall security posture, they cannot adequately identify potential security vulnerabilities, assess the business’ overall exposure to risk, or ensure compliance.
Visibility breaks down silos
Security policy management solutions must play a key role in providing the necessary visibility of security across the organization’s entire environment – whether on premises, in NSX, or in public clouds.
Using solutions such as AlgoSec, network security teams can, for example, be notified when NSX rules or policies change and then assess how these changes will impact the rest of the enterprise network. What’s more, when changes are being planned, the virtualization team can use the solution to assess the effect of their changes in the NSX environment, and on the wider enterprise estate.
Furthermore, auditing and compliance are not a stand-alone process – if the NSX environment is not compliant, the entire enterprise is not compliant. And security is responsible for it all – whether or not it ‘owns’ the virtualized environment. With AlgoSec, IT security teams can generate a complete range of risk and compliance reports that cover the entire organization.
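The two checks described above – being notified when a rule set changes, and assessing what a change newly permits before it reaches the wider estate – can be illustrated with a small audit script. This is an added example, not AlgoSec’s or VMware’s code: the rule representation is a generic, constructed one rather than the NSX distributed-firewall API, the snapshots are constructed for a three-tier application, and first-match evaluation with an implicit default deny (the state you reach after removing the ‘allow all’ default) is an assumption.

```python
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """Generic firewall rule (constructed representation, not the NSX API)."""
    rule_id: str
    sources: frozenset
    destinations: frozenset
    services: frozenset
    action: str  # "allow" or "deny"


def rule(rule_id, src, dst, svc, action):
    return Rule(rule_id, frozenset(src), frozenset(dst), frozenset(svc), action)


def _matches(field, value):
    return ANY in field or value in field


def is_permitted(rules, src, dst, svc):
    """First-match evaluation; no match falls through to an assumed default deny."""
    for r in rules:
        if _matches(r.sources, src) and _matches(r.destinations, dst) and _matches(r.services, svc):
            return r.action == "allow"
    return False


def is_allow_all(r):
    """True for the broad 'any to any on any service' allow rule we want to keep out."""
    return r.action == "allow" and ANY in r.sources and ANY in r.destinations and ANY in r.services


def diff_rulesets(before, after):
    """Change notification: which rules were added, removed or modified between snapshots."""
    b = {r.rule_id: r for r in before}
    a = {r.rule_id: r for r in after}
    added = [r for i, r in a.items() if i not in b]
    removed = [r for i, r in b.items() if i not in a]
    modified = [(b[i], r) for i, r in a.items() if i in b and b[i] != r]
    return added, removed, modified


def audit_change(before, after, test_flows):
    """Impact assessment: report risky rule changes and flows that the change newly permits."""
    findings = []
    added, removed, modified = diff_rulesets(before, after)
    for r in added:
        if is_allow_all(r):
            findings.append(f"{r.rule_id}: new allow-all rule")
    for old, new in modified:
        if is_allow_all(new) and not is_allow_all(old):
            findings.append(f"{new.rule_id}: rule widened to allow-all")
    for r in removed:
        if r.action == "deny":
            findings.append(f"{r.rule_id}: deny rule removed")
    for src, dst, svc in test_flows:
        if is_permitted(after, src, dst, svc) and not is_permitted(before, src, dst, svc):
            findings.append(f"flow {src}->{dst}:{svc} newly permitted")
    return findings


# Constructed snapshots: a micro-segmented three-tier application with an explicit
# cleanup deny, then a change in which a broad troubleshooting rule was placed on top.
SNAPSHOT_BEFORE = [
    rule("web-to-app", ["web"], ["app"], ["8080"], "allow"),
    rule("app-to-db", ["app"], ["db"], ["3306"], "allow"),
    rule("cleanup", [ANY], [ANY], [ANY], "deny"),
]
SNAPSHOT_AFTER = [rule("tmp-troubleshoot", [ANY], [ANY], [ANY], "allow")] + SNAPSHOT_BEFORE

# Constructed flows the security team cares about across the wider estate.
TEST_FLOWS = [("web", "db", "3306"), ("app", "db", "3306")]


def example_findings():
    return audit_change(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, TEST_FLOWS)


if __name__ == "__main__":
    for line in example_findings():
        print(line)
```

The flow list is the piece that connects the NSX change to the rest of the network: it is where the security team encodes the paths (database tier from the web tier, for instance) that must stay closed regardless of which team made the change.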
In a majority of organizations, the discussions over who owns security in cloud and software-defined environments have yet to be fully resolved. However, the first easy step to an effective working strategy is for the organization’s teams to collaborate when making security changes. With full visibility across the entire environment, everyone can work more efficiently and more securely – bringing clarity to the lines of responsibility.
Today @11am EDT, I’ll be presenting a webinar on how to migrate and manage security policies in a segmented data center. If you have the time, please join me – you can register here.
And if you’re going to VMworld, make sure to stop by AlgoSec’s booth (#658) where we can demonstrate how we help companies discover, migrate and manage their business application connectivity to VMware NSX.