Guest blog post from Tom Vallons, Partner Development Specialist Business Mobility, VMware Benelux
In 2018 the General Data Protection Regulation (GDPR) will come into effect in Europe, making data protection much more of a business consideration than a risk management issue. Actually, for some organizations, ensuring customers’ data privacy will become a unique selling proposition. For CIOs, the challenge will be to match the obligations enforced by the GDPR with trends such as mobility, increasing the risk of data proliferation and loss.
So, the question that arises is: are business mobility and data security doomed to be opposites that can’t be aligned without costly trade-offs? Does the act of accessing applications and data across devices and locations automatically put confidential data at risk? No, it doesn’t. However, according to recent research by Vanson Bourne for VMWare, 47% of IT leaders are under so much pressure to deliver on business mobility that they are willing to take calculated risks on the security of organizational data. As many as 66% say that employees push them to offer mobility, and 22% of all employees admit frequently overriding corporate mobile policies to be more productive at work.
The key to tackling this challenge lies in micro-segmentation.
To better grasp the opportunities it offers, let’s first take a look at the desktop side of the story. Virtualizing desktops enables operating systems, applications and data to be run centrally in the data center, already creating security benefits such as secure access, centralized patching against vulnerabilities and reduced risk of data loss on devices, as the data is located in the datacenter. But there is a downside too: the more desktops that are virtualized, the more traffic that is generated – both north-south and east-west within the data center – leading to an ever-larger attack surface for malicious persons. Furthermore, 80% of investment in security is spent on protecting the data center perimeter (north-south traffic), yet at least 80% of traffic is east-west, i.e. lateral traffic between virtual machines and servers. Hence, in many companies, while it is hard to break into the data center, once inside there is little to no defense.
Securing through software
So what are the options? One might consider building a firewall around every single component in the data center, but that is an expensive and operationally very infeasible solution. Enter network virtualization technology! Moving network and security intelligence into software (a network hypervisor, if you will) suddenly opens up all benefits associated with software. Security can now be inherently tied into every individual workload, it can be automated and it will therefore follow the workload even if it moves outside of the datacenter it was born in.
Because we are now able to tie a relevant security policy to every single component in the data center, even if malware were to find its way into the data center, it would only affect one virtual machine and couldn’t expand laterally to other components. You can also create multiple security zones in the data center, grouping for example all sales or finance-related servers and data together. Only authorized users – based on their credentials – can access these pre-defined security zones. Aside from internal users, this micro-segmentation approach also allows third parties, such as contractors, to access specific data needed to run their projects in a secure way, without them having access to unauthorized company data.
But what happens if disaster strikes and, despite all your investment in malware detection tools, your company is hit by a cyberattack? Let me illustrate this with an example. Imagine a doctor’s desktop is hacked and malware starts to penetrate the data center, looking for confidential patient data. The benefit of combining desktop virtualization with both network virtualization and third-party intrusion detection and prevention tools is that an affected virtual machine – the doctor’s desktop – can immediately (and automatically) be put in quarantine and then remediated by an antivirus tool. So there’s no need for the user to log a ticket with IT reporting a possible threat and then wait for IT to pick it up and handle it…by which time the damage will be done.
The mobile connection
Obviously, there are other scenarios too. What if the doctor had accessed the data center via his iPad or smartphone and the hospital had fully embraced the concept of a digital workspace ? In that case, the doctor would have enrolled his iPad with a mobile device management tool to gain remote access – again based on his credentials – to a limited set of data and applications. To do so, he would probably have had to establish a VPN connection first in order to safely approach the data center. On the security side, an enterprise mobility management tool will cover the creation of per-application VPN tunnels, without user intervention, instead of connecting the entire device. By adding network virtualization to that, the benefits of an application-specific VPN tunnel – from an authenticated user’s enrolled device – are extended by those of micro-segmentation, providing a comprehensive solution that perfectly aligns business mobility and security!
So, in summary, end user computing technologies enable your users to access all their applications and confidential data from the devices of their choice, in a secure way. The combination with network virtualization and micro-segmentation allows you to bring security to a next level, by setting security policies just once, to secure individual workloads – independent of how they move around – and to protect the data center from attacks, including from within: a guaranteed zero-trust approach.