The cloud journey and its profound impact on the future of networking and security

Date: Wed, 07/03/2019 - 18:20

VMware is famous for innovation and is regularly voted among the top four or five most innovative companies in the world. VMware has a global CTO and three regional CTOs. Joe Baguley, CTO and Vice President, EMEA, VMware, is one of the three regional CTOs. He spoke at NetEvents EMEA in Barcelona.

Joe Baguley, CTO and Vice President, EMEA, VMware, at NetEvents EMEA IT Spotlight 2019, Sitges, Barcelona

Baguley said: “So what I want to share with you today are some insights into what we're seeing going on in the marketplace with regards to application architectures and infrastructure. 
“The ‘any cloud’ story has been developing quite strongly.  Some of you may have noticed recently that we announced with Microsoft VMware and Azure.  So now there's pretty much every cloud in the world you can now run a VMware workload on and essentially achieve what we've been aiming at, which is a globally consistent operating system and operating model for our customers.  Enabling them to have a choice between different clouds, and the ability to deliver different applications.
“So if I give you an idea of a normal application that we're working on and deploying with our customers right now, with a large German car manufacturer.  What they're doing is they are using Functions as a Service on premises with some specific OEM gateways, essentially ZP to IP gateways, that sit there and read stock levels, where a particular car is in the building process, how many tyres they have in stock, et cetera, on a periodic basis.
“You don't need to monitor how many tyres you've got in the factory 30 times a second, every half an hour's fine, even every hour.  But other bits, where is the car in the process, they need to monitor that three times a second because it's moving.  So they use Functions as a Service there to periodically run different bits of code to then write some data down to an on premises SQL Server. 
“What's great is because they've got a subset of data of what's going on in their factory in their production process in S3 now, sat publicly, they can sub-permission that.  So their suppliers can now see parts of that so they can do a bit more predictive in time analysis of how they're going to ship stuff into the factory.  So that's six and a half boxes.  That's a normal app for our customers.
“Now what I want you to understand and think about is does a large perimeter firewall for their data centre make any sense at all in this model?  No. So when we look at where we're going with applications, what used to be a big lump on a server in a data centre behind a firewall is now being smeared vertically in the stack, bits of it go to the best place for execution, FaaS, CaaS, PaaS or IaaS, et cetera.  Then it's being smeared horizontally in the infrastructure, all the way out to end points, to mobile phones, to the hands of the users.
“Then worse than that we now have the wonderful phenomenon of citizen developers, which is the new shadow IT, by the way.  A citizen developer is someone in your management team or sales team or whoever who is now getting the data and then has realised there's some other cool thing they can get with some app on their phone that integrates them with some other piece of data somewhere else on the internet that you have no idea what it is.  They then somehow link it together with an API and now they're pulling your data into someone else's cloud and giving them some really cool funky dashboard and suddenly stuff's way beyond anything you've got control over.  That used to be done on spreadsheets.
“Talking about security, there is the famous saying from the Sun days: ‘the network is the computer’. Well, now the application is a network.  It is now a challenge for our customers to understand that pretty much everything they do is not about that server in a data centre.”
The importance of Edge technologies
So that is why for the last four or five years VMware has been working on edge technologies: distributed, integrated software-defined networks and software-defined storage.  Essentially, it is building a distributable platform that will run anywhere.
Baguley said: “So now for our customers I can provide them with a software defined data centre.  We have been building an operating system for data centres, which is now an operating system for clouds, that gives you globally consistent operations at every point in this chain.  So whether you're doing it in a public cloud such as AWS or IBM or VMware or VMware Cloud on AWS or Azure it's exactly the same operations model, the same security model, the same network with NSX that you're doing at the edge and in your core data centres.
“So whether you're building new style applications, old style applications, cloud-native applications, twelve-factor applications, microservices, it doesn't really matter.  The platform that it sits on is a consistent infrastructure.
“There are two main industries which have been the early drivers of edge technology - military and retail.  The military wants to push more and more technology to the edge; retail have realised that they need to do more and more in their stores. You can add on to that telcos pushing technology out through the network.”
If you go to an average retailer and look at the store infrastructure, it will almost certainly have a rack stuffed under some manager's desk in the back.  The rack will house a massive old Cisco router that someone is paying thousands of pounds a month to maintain.
Baguley said: “When you go to the team that manages that infrastructure, as one of our retailers did, they said: ‘Yeah, what we're doing is we're rolling out a new application and we want to put three containers in every store.’  No word of a lie the guy from the store team said, what size are the boxes?  Thinking they meant plastic containers.  Because that's how detached they were from how things were being built.”
“What I'm providing, what we're looking at now, is they will drop into that store instead a hyper-converged piece of infrastructure which will be tiny.  There will be the ability to run VMs, to run desktops for the management and to run containers.  Also there'll be a virtualised SD1 Endpoint, so we don't worry about that either, it's one self-contained box.  These things already exist, we're delivering them for a lot of people.”
“But what that means is actually it's not about infrastructure, it's about applications.  So as an application developer you can now sit at the top and go right, I'd like to develop my application.  I'm going to have some VMs in this blueprint that are deployed over here in this cloud, I'm going to have some access to some data services over there in that cloud, I'm going to put two VMs in every single one of our data centres and we're going to have five containers spun up in every store.  API, click, next, next, go, done.  That's the point – it's not that complex.”
So when we look at consistent infrastructure and ultimately consistent operations, what you're aiming for is a consistent developer experience.  So if you get the bottom line of where we're at at VMware right now, it is providing that globally consistent infrastructure, which then provides a globally consistent operations model, which then provides a consistent developer experience.  But at the same time, if we're developing applications differently, then security becomes very different very fast too.  As I alluded to before, the way we think about security has to change, and it has to change dramatically.
So what's wrong with security?  Well, the first thing that's wrong with security is this hyper-focus on security threats.  We seem to be absolutely focused on chasing down threats.  We organise everything we do as an industry into two major buckets, right?  So there is reactive, which is all about firefighting: anti-malware, host intrusion prevention, endpoint detection and response, et cetera.  Then there's proactive, which is fire prevention: hardening, patching, segmentation, app control, encryption, two-factor, all those kinds of things that we should be doing.
As far as security goes, we are hyper-focused on threats. According to Baguley, most organisations, and the industry as a whole, are underinvested in preventative measures, and even from an innovation standpoint it is as if we have all been standing still for the last decade.  Patching is still patching; process whitelisting and encryption have not experienced a wave of innovation in the last 10 years.  They are just best practice, people and process, and have not actually moved on.
Almost 80% of enterprise IT's investment in security goes into reactive technology, and 72% of current venture capital investment in security start-ups is in reactive security.  However, what has the biggest impact on reducing risk is to flip it, as you all probably realise without being told as we go through this model.  Dollar for dollar we have a far greater impact when reducing risk with preventative measures than we do with reactive ones. Everyone knows that, whether it's medicine or anything else.
“In fact we're not the only ones saying so.  It's not often I stand up and quote Gartner but today I'm going to.  When you look at essentially the Gartner framework for protecting workloads they stack ranked all the controls you could apply to a protected workload in order of how much risk it addresses.  The items that address the most risk?  All preventative.  As we know, an ounce of prevention is worth a pound of cure.  This is exactly where we're underinvested.”
“In reality the greatest security opportunity before us is to leverage cloud and virtual infrastructure as an industry rather than simply securing cloud and virtual infrastructure. The cloud, both private and public, has given us unique properties like elasticity, automobility and simplicity.  We've used these properties to change how we build, deliver and manage our applications, as you saw me talk about earlier.  But it's time to start looking at the capabilities of the platform for security as well. What we can do here is we can give visibility and control without more agents.  No more appliances and without bolt-on controls.  So our focus at VMware has been on leveraging the virtual infrastructure to dramatically reduce the attack surface, and by doing so use our position to provide you with a clear understanding of the applications running on top of us.  It's all about its intent, and to lock it down to ensure good rather than chase bad, to make security intrinsic rather than bolt-on.  That's more than embedding just our old controls into a switch - that would be simply integrated security.”
Baguley is saying that what VMware is doing is integrating security as a distributed service within the platform, and rethinking the model by leveraging the power of the cloud to secure the cloud.  If the law of gravity no longer applies, don't define yourself by it.  The rules of the cloud have changed with virtualised infrastructure, virtualised networking and virtualised storage.  We need to change the rules about how we do security.  So what does this shift in thinking look like?
He says: “Well let's consider how this would change something as basic as a firewall, right?  We all understand enterprise firewalls hopefully.  But using the principles I laid out and the unique properties of virtualisation you end up with something that you don't add to your environment, you already have it, it is your environment.  You now use this new distributed service provided by your environment to see your infrastructure through the lens of the applications running on top of it.

The app is where it’s at
What you do is through the application you understand what known good is.  I know all the components of my application.  Through machine learning I can understand what those components do, how they talk to each other.  By collecting similar components and information on similar components from all of our customers and 50 million VMs worldwide I have an unbelievable understanding of how things behave.  Then what I can do is I can start to say things such as, ‘Hang on a second’, that thing there is talking to a box it never talked to before. ‘That thing there is encrypting its file system, it's never encrypted its file system before.’”
“I can spot, from understanding how and what normally communicates with each other, I get to a world of known good. A known good is the difference between golf and tennis. If you're playing golf it's very different to playing tennis, right?  Hopefully you've worked that one out by this age, okay?  Now tennis, what you're doing is you're playing against different opponents on a weekly basis and those opponents can hit the ball at you in millions of different ways. So you can spend your life perfecting the ability to deal with and respond to a rapidly changing threat.
“Known good is the opposite, that's like playing golf.  Where I stand in relation to the ball never changes.  I can tune that to my own liking and I'm continually practising how I perfectly hit that ball every single time.  Because I know the parameters of the world I live in.  I might move to a different golf course and learn different golf courses, but ultimately I'm working off a base of known good.  It's a very, very different way of thinking.  So it's because we understand this, both at the host and the network level that we can do this.”
“So in this model, what we're doing is we're putting security into the hypervisor, security monitoring and management into the hypervisor, then connecting those hypervisors to all the other hypervisors.  Then understanding the network, the security, the compute.  Because we're in a unique position.  As a hypervisor I see everything, okay?  Because I am the virtual world that everything lives in, so I see every piece of network traffic but also I see every piece of storage traffic.  I see every piece of memory traffic, I see every piece of CPU traffic, I see everything.  So I am in what we call that Goldilocks Zone for security to understand what's going on, and that's where I want to stay.”
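The "known good" model described above, reduced to its core mechanism as an added example (this is illustrative code written for this article, not VMware's or NSX's implementation): per-workload communication patterns are learned from observed flows, and anything outside that baseline is flagged as "talking to a box it never talked to before". The VM names, peers and flow records are constructed sample data.

```python
"""Known-good (allowlist) baselining over per-VM flow records."""
from collections import defaultdict

# Constructed sample flow records, (vm, peer, port, proto), in the shape a
# hypervisor or virtual switch might export. Not real data.
LEARNING_WINDOW = [
    ("web-01", "app-01", 8443, "tcp"),
    ("web-01", "app-01", 8443, "tcp"),
    ("app-01", "db-01", 1433, "tcp"),
    ("app-01", "db-01", 1433, "tcp"),
    ("web-01", "dns-01", 53, "udp"),
    ("app-01", "dns-01", 53, "udp"),
]

def learn_known_good(flows):
    """Build the per-VM set of (peer, port, proto) seen during learning.
    This is the 'known good' the talk describes: what the application's
    components normally talk to, derived from observing the application
    rather than from a list of bad signatures."""
    baseline = defaultdict(set)
    for vm, peer, port, proto in flows:
        baseline[vm].add((peer, port, proto))
    return baseline

def evaluate(baseline, flows):
    """Return one alert per flow that falls outside known good.
    'new_vm'      - a workload with no baseline at all
    'new_peer'    - talking to a box it never talked to before
    'new_service' - a known peer, but on a port/protocol never seen
    Flows inside the baseline produce nothing: ensure good, not chase bad."""
    alerts = []
    for vm, peer, port, proto in flows:
        if vm not in baseline:
            alerts.append((vm, peer, port, proto, "new_vm"))
        elif (peer, port, proto) not in baseline[vm]:
            known_peers = {p for p, _, _ in baseline[vm]}
            kind = "new_service" if peer in known_peers else "new_peer"
            alerts.append((vm, peer, port, proto, kind))
    return alerts

if __name__ == "__main__":
    observed = [
        ("web-01", "app-01", 8443, "tcp"),      # known good, stays silent
        ("app-01", "203.0.113.7", 443, "tcp"),  # never seen this peer
        ("web-01", "app-01", 22, "tcp"),        # known peer, new service
        ("batch-09", "db-01", 1433, "tcp"),     # no baseline for this VM
    ]
    for alert in evaluate(learn_known_good(LEARNING_WINDOW), observed):
        print(alert)
```

Whatever happens during the learning window is baked into the baseline, so the learned allowlist should be reviewed against the application's declared intent before it is enforced rather than merely alerted on.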


