It’s the end of the summer of 2015—the nights are getting cooler, the leaves are starting to change colors, and flocks of students are abandoning the beaches of Cape Cod bound for college campuses. The seasonal change also signals another annual ritual: VMworld in San Francisco.
VMworld used to be focused on virtual server technology and then it expanded to VDI. Now the show represents all things cloud computing. Of course, I’ll be looking at a specific sub-segment: The intersection of cloud computing and cybersecurity. As such, I’m anticipating discussions around:
- Micro-segmentation. A few years ago, virtual networking really meant virtual switching at Layer 2. While virtual switches offered a lot of functionality, most organizations used them as a bridge to forward traffic to the “real” physical network. This is no longer the case however, and many enterprises are embracing virtual networking in data centers across layers 2-4. As part of this transition, I’m starting to see a lot more interest in micro-segmentation for network isolation, east-west traffic segmentation between data center servers, and even the creation of network tunnels from endpoints to data center applications. From a cybersecurity perspective, micro-segmentation offers great potential as it can be used to limit the attack surface. I’m curious to find out about micro-segmentation adoption. Is it still a cutting-edge technology or has it crossed the proverbial chasm? My hope (and gut feel) is that we are making progress—more soon.
- Network security services. As virtual networks gain traction, they will pull virtual network security services along for the ride. VMware is pushing this model with NSX partners like Check Point, F5, Palo Alto, Rapid 7, Symantec, and Trend Micro who can supplement server and network virtualization with enterprise-class, proven security services. Cisco offers a similar architecture and partner program with ACI and its security services architecture. Others like Illumio and vArmour are intent on virtualizing network security services on their own—sort of like what Novell NetWare did for file and print services 25 years ago. If you are serious about cloud computing, you have to go down the network security services route, but this is a big leap of faith for many seasoned cybersecurity veterans who grew up as CCNEs and Cisco Pix firewall administrators. I’ll be monitoring VMworld to see how this transition is progressing as changes here could have big implications on the security market.
- Identity and access management (IAM) in the cloud. According to ESG research, 68% of enterprise cybersecurity professionals’ claim that the combination of cloud and mobile computing have made IAM security a lot more difficult. Why? Cloud computing extends IAM to new infrastructure and applications, some with their own authentication, entitlements, and management tools. This in turn creates IAM blind spots, policy contention, and loads of opportunity for human error. There are several ways to bridge these worlds, including homegrown integration using federated identity standards (i.e., SAML), single-vendor product solutions (i.e., CA, Centrify, IBM, Microsoft, Oracle, RSA, etc.), and gateway solutions (OneLogic, Okta, Ping Identity, etc.). There’s also a slight chance that social networking vendors like Facebook, Google, and LinkedIn will fill this void and there are promising authentication technologies (i.e., Apple, FIDO alliance) that could greatly impact IAM at large. Lots of balls in the IAM air, so I’m interested to see how this will play out.
- Cloud security organizational dynamics. Many industry events resemble a techno pep rally focused on silicon and code rather than carbon-based life forms. I hope this isn’t the case at VMworld as I’d like to explore cloud security as it relates to IT and cybersecurity organizations. My current observation is that cloud security responsibilities often migrate toward different groups like application developers, DevOps, and data center infrastructure groups. Okay, but where do network security engineers fit into this mix? And since cloud security is a relatively new pursuit, how are cybersecurity professionals (and others) gaining the necessary skills around secure design, physical/virtual security integration, cloud security operations, best practices, etc.? In my humble opinion, skills development is a critical and often neglected aspect of cloud security. With the right training, CISOs can use things like micro-segmentation and virtual network security services to improve security protection and mitigate risk. In lieu of this however, other IT groups with minimal cybersecurity knowledge will be in charge of “winging it”—putting everyone at risk.
A few years ago, cloud computing seemed to be hamstrung by security concerns, but this is no longer the case. Many organizations, led by the public sector, are moving full-speed ahead into the cloud, so it is incumbent upon the cybersecurity community to keep up. When I leave VMworld next week, I should have a good indication of whether cloud security is a ray of sunshine on Amazon, OpenStack, and vCloud Air, or whether stormy cybersecurity weather is in the forecast.