VMware AppDefense Introduces Least Privilege Security for Containerized Applications

This article is a cross-post from the VMware Network Virtualization blog, view the article here.


Summary: VMware AppDefense continues to advance with new capabilities, new partnerships, international expansion, and increasing customer adoption

As worldwide spending on IT security continues to climb, the odds of falling victim to a data breach have risen to 1 in 4. Despite a multitude of security products on the market and large budgets to purchase them, businesses are not significantly safer. The commoditization of cybercrime has made it possible for virtually anyone with a computer to launch a sophisticated attack against a company, and new attacks are being developed every day. This means the continued focus on chasing threats remains relatively ineffective at stamping out the broader challenges facing IT security.

This is a scary prospect for CISOs who are faced with securing the applications and data living in increasingly dynamic, distributed IT environments. And as more businesses embrace modern, agile application development processes, the problem of implementing security at the speed of the business is exacerbated – security is often seen as an obstacle to progress.

We created VMware AppDefense to address these very issues, with a unique approach that leverages the virtualization layer to protect applications by “ensuring good” rather than “chasing bad”. AppDefense leverages VMware’s unique position in the virtualization layer to understand what applications were provisioned or intended to do, and then monitors against that state. If applications are manipulated, AppDefense can use the virtualization layer to automate response. This new model is both simple and powerful, dramatically shrinking the attack surface and providing richer context and controls for an organization’s security controls.

And if you thought we’d stop just at the hypervisor, you were dead wrong.

Today we are excited to announce another major step forward for AppDefense, which is the ability to secure containerized workloads, demonstrating our continued commitment to securing applications running on any infrastructure. The AppDefense value proposition of providing foundational security for data center applications has resonated with customers. They want to apply AppDefense across the enterprise – which includes workloads running on VMware vSphere as well as container runtime platforms. AppDefense is now the only solution that can span both virtualized workloads and containerized workloads with a consistent approach to discovering context, setting rules, and managing alerts and remediation. By integrating container support into AppDefense, customers can start to standardize least privilege enforcement across all of their applications. Let’s dig into this news a little more.

DevSecOps Changes the Rules of Engagement for IT Security

Due to advancements in the modern data center, applications and infrastructure evolve more quickly today than ever before. This creates a unique challenge for security teams. The manual methods that security teams use to review and manage change can no longer keep pace when entire applications are being rebuilt and redeployed regularly. That means that even if a security team was fortunate enough to understand what the application originally did (and could align security policy accordingly), they certainly don’t know what the application does today.

With AppDefense, we leverage these automation tools to our advantage. By integrating into the CI/CD pipeline with provisioning tools and automation frameworks, and aligning the expected state with runtime monitoring, AppDefense can maintain an authoritative map of intended state that stays in sync with agile application teams. This enables a DevSecOps approach.

This approach easily extends to containers, which were born with automation and highly declarative mechanisms for expressing intended state: container manifests. So by integrating into container security solutions we can extend our model into the cloud native world.

AppDefense has moved beyond just supporting VMware vCenter inventory to now include container workloads, running across all platforms (virtual servers, bare metal servers, and cloud platforms). AppDefense exposes an API to accept workload context from container orchestration systems, and also configure rules that are enforced by container security vendors running within the runtime environment. We are proud to announce that Aqua Security is the first partner with whom we are working in this area (read their news release here). Aqua provides runtime assurance for containers by evaluating and enforcing behavior when the container executes. They will send container context (“runtime profiles”) to AppDefense so that VMware will be able to manage/maintain security scopes across the data center. Aqua will also feed enforcement alerts into the AppDefense console for management and remediation. The Aqua Security integration will be generally available to AppDefense customers in VMware’s Q2 FY 2019.

Bringing the Unique AppDefense Value Proposition to Customers in Europe

The power of cloud-delivered security with AppDefense has shown a clear benefit to customers – but as with most cloud services, it’s critical to maintain local data centers for performance and data sovereignty. European customers especially are facing increasing regulatory pressure related to data sovereignty. So we’re also excited to announce that AppDefense will be available to customers in Europe via support from European-based data centers beginning in VMware’s Fiscal Q2 (May 5 – July 3, 2018). The in-region datacenters for AppDefense will allow us to bring this critical cloud security service to more customers around the globe.

Progressive School District Delivers Next-Generation Security with AppDefense

Located near the city of Austin, Texas, Hutto Independent School District (ISD) is growing fast. Over the past 10 years, the school said the number of its students has increased from just over 1,000 at one K-12 campus to more than 7,000 students at 10 campuses. To meet new requirements for digital classrooms, the Hutto ISD Instructional Technology department said they must consistently improve opportunities for connected learning while keeping the district’s network and data secure. Hutto ISD said it needed to modernize its data center infrastructure and address critical security gaps without increasing its small IT team of nine employees. The district now leverages AppDefense with VMware NSX to improve network security with micro-segmentation and to protect servers from unknown threats. Watch this video to learn more about the Hutto ISD / VMware AppDefense story.

As we’ve seen, the vast majority of security problems today cannot be solved with a single product or technology, because they are more foundational and architectural in nature. With our continued advancements and growing momentum behind AppDefense, VMware is playing an even greater role in helping to make security an intrinsic part of the network and application fabric on which businesses are built.


Spokesperson FAQ

Q: What are we announcing?

A: VMware is announcing the next major milestone for the company’s flagship data center endpoint security solution AppDefense. The announcement includes new platform enhancements that enable security for containerized workloads, global expansion of the service, and customer momentum.

Q: Why is the announcement of security for containerized workloads important for customers? The industry?

A: The AppDefense value proposition of providing foundational security for data center applications has resonated with customers. They want to apply AppDefense across the enterprise – which includes workloads running on vSphere as well as container runtime platforms. By integrating container support into AppDefense, customers can start to standardize security enforcement across all of their applications.

Q: How is VMware AppDefense providing security for containerized workloads?

A: AppDefense exposes an API that allows for container security partners to integrate into the platform. AppDefense can accept workload context from container orchestration systems, and also configure rules that are enforced by container security vendors running within the runtime environment.

Q: Who is the first partner VMware is working with to support security for containers with AppDefense?

A: Aqua Security is the first vendor we are announcing as a member of the AppDefense container ecosystem. We expect to work with a number of other vendors in the near future.

Q: Who is Aqua Security and what solution are they providing that works with AppDefense?

A: Aqua Security provides runtime assurance for containers by evaluating and enforcing behavior when the container executes. They will send container context (“runtime profiles”) to AppDefense so that VMware can manage/maintain security scopes across the data center, and Aqua will also feed enforcement alerts into the AppDefense console for management and remediation.

Q: How is VMware’s approach to securing containerized workloads unique/different from other container security solutions?

A: AppDefense is the only solution that can now span across both virtualized workloads and containerized workloads with a consistent approach to discovering context, setting rules, and managing alerts and remediation.

Q: What non-U.S. regions will now offer AppDefense? When will AppDefense be available in these regions?

A: AppDefense will be available to customers in Europe via support from European-based data centers beginning in VMware’s Fiscal Q2 2019.

Q: What is the importance of offering regional/local support for AppDefense?

A: The in-region datacenters for AppDefense will allow us to bring this critical cloud security service to more customers around the globe. The power of cloud-delivered security with AppDefense has shown a clear benefit to customers. However, European customers are facing increasing regulatory pressure around data sovereignty and other regulations. The in-region datacenters for AppDefense will allow customers to manage where their data resides more effectively.

Q: Does AppDefense gather and use any end user or business data that would require compliance with various international data sovereignty laws/regulations? Please explain.

A: AppDefense does collect customer email addresses for authentication into the service. This is considered PII by most data regulations. AppDefense also collects hostnames, IP addresses, and process information from customers’ protected workloads. This also can be considered sensitive information subject to compliance.

Q: When will AppDefense support workloads running in the cloud on VMware Cloud on AWS or IBM Cloud for VMware Solutions or Rackspace Private Cloud for VMware?

A: This support is on the roadmap but we have nothing to announce at this time.


General AppDefense FAQ

Q: What is VMware AppDefense?

A: VMware AppDefense is a data center endpoint security product that embeds threat detection and response into the virtualization layer on which applications and data live. By architecting AppDefense into the vSphere hypervisor, security is made an intrinsic part of the data center endpoints that comprise applications, rather than a bolted-on afterthought.

Q: Why is VMware AppDefense significant for VMware in security?

A: With AppDefense, VMware is moving the industry towards a new security model that’s intrinsic, intent-based and application-focused. We believe AppDefense will do for compute what VMware NSX and micro-segmentation did for the network: enable least privilege environments for critical applications. This new security solution leverages the virtual infrastructure to monitor running applications against their intended state, and can detect and automate response to attacks that attempt to manipulate those applications.

Q: What makes AppDefense unique?

A: AppDefense leverages its position in the hypervisor to understand the intended state and behavior of a data center endpoint. It then monitors the endpoint in real time for unauthorized deviations from that “known good” state, which indicate a threat. When a threat is detected, AppDefense uses vSphere, as well as VMware NSX, to automatically respond with precision, minimizing impact to end users of the application.

Q: What problem does AppDefense solve?

A: The growing frequency and cost of security incidents points to a fundamental flaw in security models that focus solely on chasing threats. AppDefense delivers an intent-based security model that focuses on what the applications should do – the known good – rather than what the attackers will do – the known bad.

Q: What does AppDefense Protect?

A: AppDefense protects applications deployed in vSphere-based virtualized and cloud environments.

Q: Do I need NSX to run AppDefense?

A: No. AppDefense does not require NSX. However, the number of automated response mechanisms increases when AppDefense is integrated with NSX. For example, AppDefense can leverage NSX to automatically quarantine a compromised data center endpoint.

Q: Is AppDefense delivered on-premises, or is it a cloud service?

A: AppDefense is delivered as a SaaS service, however it requires some on-premises components to be installed.

Q: Who are the target buyers for AppDefense?

A: AppDefense is a pure-play security product targeted to CISOs and their organizations. This includes the security operations center (SOC) and security architects.

Q: What are the use cases for AppDefense?

A: There are two primary use cases for the product. A Security Operations Center (SOC) can use the product to authoritatively detect and automatically respond to threats against applications. Security Architects can use the product to streamline the security review process, especially for organizations with rapid application development and deployment processes (for example, those that embrace DevOps).

Q: What products does AppDefense compete with?

A: While we believe AppDefense is complementary to the broad ecosystem of security vendors, it will be perceived that AppDefense competes with two main endpoint security categories – legacy signature-based products (AV, anti-malware, IPS, etc.) and next-generation endpoint security (endpoint detection and response, machine learning, behavioral analytics, etc.). AppDefense is differentiated from these solutions by focusing on identifying deviations from application intended state, rather than chasing potential threats. In addition, AppDefense offers a wide range of automated response capabilities that leverage the customer’s existing virtual infrastructure. That said, at launch we have partners from the endpoint security market supporting our announcement.


Spokesperson FAQs on GDPR

Q: What is the GDPR?

A: The General Data Protection Regulation (GDPR) (Regulation [EU] 2016/679) is a regulation which will strengthen and unify data privacy rights for persons within the European Union (EU).
The GDPR also addresses the export of personal data outside EU borders. Its primary objectives are to give control over personal data – any identifiable information such as name, address, and national identity numbers – back to the individual as a basic right and to simplify the regulatory environment for international business by harmonizing data protection legislation within all EU countries. The GDPR extends the scope of current EU data protection law to non-EU organizations who are processing EU personal data: The harmonization of data protection legislation should make it easier for non-EU organizations to comply, but this comes at the potential cost of a strict data protection compliance regime, with severe penalties for non-compliance.

Q: What is VMware’s position on the EU’s General Data Protection Regulation?

A: VMware will comply with the European Union’s new General Data Protection Regulation when it goes into effect on 25 May 2018.

Q: How does VMware handle the export of personal data from the EU?

A: For the export of personal data from the European Economic Area, VMware has structured its compliance framework around the “Standard Contractual Clauses”. We therefore ensure an “adequate level of protection” for our customers’ personal data as required under existing EU laws. Specifically, VMware has in place Standard Contractual Clauses as intra-group agreements for the international transfer of personal data between VMware, Inc. and its subsidiaries worldwide.

To the extent VMware’s customers previously relied on VMware’s certification under the Safe Harbor program in connection with VMware’s processing of customer personal data, VMware’s intra-group Standard Contractual Clauses now govern, and they can be leveraged directly by any of VMware’s customers.

VMware has a pending application with the Irish Data Protection Authority for Binding Corporate Rules (“BCRs”) to cover our processing of personal data as a Processor, which, once approved, will provide a new commitment from VMware with respect to the international transfer of our customers’ personal data.

Q: How can VMware help customers comply with the GDPR?

A: VMware is in a position to help IT with data security; however, customers will need to confer with privacy experts to help interpret the regulation and enforce business processes that support the intention of the law.

Q: In what ways can VMware help customers prepare for the GDPR?

A: VMware recommends that customers confer with privacy experts to help interpret the regulation and enforce business processes that support the intention of the law. However, VMware can help IT to focus on data security by addressing some of the data protection gaps.

VMware’s portfolio has security and data protection capabilities built in from the data center to the end user:

  • VMware supplies software and services which automate and provide data protection
  • VMware helps customers protect data from the data center to the end-user
  • VMware has capabilities in data protection to make it easier to secure customers’ environments end-to-end

Examples of how specific capabilities of the VMware portfolio may help to address potential data protection gaps:

    • Data Access and Data Transfer (using VMware NSX) – Allowing for the creation of security policies restricting data transfer across unauthorized networks
    • Data Access (using Horizon and Workspace ONE) – Providing policy creation and enforcement of role-based access to data, and also providing identity verification and management
    • Data Storage (using VMware vSphere and vSAN) – Allowing for data encryption
    • Data Deletion (using VMware vSphere and AirWatch) – Providing for virtual machine data deletion and end user deletion
