
“Security has to be intrinsic and baked in at the time the application is born”

Chris Wolf, Vice President and CTO, Global Field & Industry, VMware

Chris Wolf serves as CTO, Global Field and Industry at VMware. In that role, he is responsible for shaping VMware’s long-term technology vision while ensuring that Research and Development priorities align with customer and industry needs. Wolf’s team drives thought leadership and industry alignment in a number of emerging areas, including cloud, Edge, IoT, server platforms, HPC, and NFV. Chris also leads VMware’s 140+ member CTO Ambassador program, which further scales VMware R&D to customers and the technology community at large.

Prior to joining VMware, Chris was a Research Vice President for Gartner’s Technical Professionals service where he managed the data center and private cloud research agenda. Before that, Chris was a founding member of the Data Center Strategies team at Burton Group, an independent virtualization consultant. Wolf holds a Master of Science degree in Information Technology from the Rochester Institute of Technology and has authored several technology books.

Brian Pereira, Principal Editor, CISO MAG, met Wolf to discuss how the Carbon Black acquisition will strengthen the security of VMware’s offerings. Carbon Black is a leading cloud-native endpoint protection vendor and was named a Visionary in Gartner’s 2019 Magic Quadrant for endpoint protection. Following the acquisition, we will see Carbon Black’s security technology integrated into VMware’s security products and platforms.

Wolf told us that on average, every week, the VMware R&D team is provisioning 500,000 containers and more than one million VMs. With that level of agility, security has to be part of the CI/CD (Continuous Integration/Continuous Delivery) pipeline, he says.

Wolf talked about the emergence of intrinsic security models. Security has to be built into the application at the very beginning, he insists, and not done as an afterthought.

Excerpts from the interview follow: 

How is the approach to security changing today? Why is the old approach inadequate to counter the volume and sophistication of today’s threats? 

There’s recognition from our CISOs and security leaders that the security fabric needs to be more dynamic than the threats we face. Our threats are highly sophisticated and continually evolving every second. There’s a recognition that we have to invest in new ways of doing things.

Enterprises need to invest in transformational architectures–they can start with a greenfield project, build new skills internally, and train their staff on new ways to operate security, which is purely software-defined.

At VMware, we believe that security has to be intrinsic and baked in at the time the application is born. On average every week, our R&D team is provisioning 500,000 containers and more than one million VMs. With that level of agility, security has to be a part of the CI/CD (Continuous Integration/Continuous Delivery) pipeline. It can’t be something that is done as a manual process. It has to be ingrained in the DevOps processes.

The current approaches to security are unsustainable, costly, impractical, and not as efficient as they should be.

What can we expect in 2020? How will the cyberthreat landscape evolve? What are the new attacks that we should expect? How should we be preparing?

The problem is going to get worse. The proliferation of ransomware is becoming an increasing problem as well. I think 2020 becomes a transitional year for security. We’ll see organizations start to move towards far more scalable and dynamic architectures and new ways to solve problems.

If you start with network security–today for securing a packet, that packet is passing through a firewall, it is getting inspected, and there are multiple layers; there are multiple places where that packet is being routed to be inspected, and there could be a policy applied.

We flip that model–now the actual server that’s running the application is scaling out and doing all of that work. So it looks at the packet one time and it can apply network policy, security policy, firewall policy–all with a single pass of that packet. That’s a far more scalable architecture. The notion of having these physical taps on the network goes away.

Today, if you write the firewall rules, it is independent of the application. In many cases, the application might retire, and the firewall rules might persist–depending on how strong the process and automation might be.

So, security becomes an attribute of the application. That’s far more intrinsic than what you have today.

It means that 2020 is the time when enterprise customers start to invest in architectures that support these intrinsic security models.

We don’t assume that enterprises are going to replace their existing fabric. But they can take a few greenfield applications and start to apply these models and train their teams to operate them. We expect to see significant investments in that space in 2020.

We have apps everywhere today and on different clouds. How does one reduce the attack surface, understanding application behavior? The whole security paradigm changes when you move from client-server to the cloud. 

We provide a significant amount of context around the application with our AppDefense technology. We can understand how the application accesses the processor and what processes the application spins up or how it is accessed in physical memory. What is the app writing to the file system? What is the app trying to do over the network?

By creating all this context around the application, we can understand how the application is supposed to behave. And in doing so, we can then create a security policy and firewall rule that distinguishes a known state of the application. When I see anomalies or deviations from that known state, I am going to act. This is how you counter a zero-day attack.

By having that end-to-end context of the application, we can start to do far more interesting things from a security perspective.  

What trends are you seeing in the adoption of endpoint security solutions?

We’re seeing significant traction in terms of organizations looking for holistic solutions rather than pieces and parts. A good example of that is Workspace ONE. If we went back a few years ago, we saw many of our customers trying to piece these parts together themselves, and we’ve seen a significant trend heading in the other direction over the last 18 months. Organizations can now have access management across all the different services and can connect their end-users from a single console.

How will the acquisition of Carbon Black help VMware become a security leader? And how will you integrate Carbon Black technology into VMware products and platforms?

With Carbon Black coming into the fold, we have formed a new security business unit. We see forces come together–Workspace ONE, Trust Network API sets. We have a number of leading security vendors that have already committed to providing feeds into that platform. We are trying to enforce conditional access policy, and we need to understand all the context right from all of the different security feeds, inclusive of the ones that aren’t related to VMware or Carbon Black.

So that’s really the key in terms of getting all of these data sources into the platform and then being able to do actionable automation based on the feeds from those sources.

The second part of the strategy, which is really important, is baking this technology into our vSphere hypervisor (ESXi). So now our security stack is going to be a part of VMware tools that gets installed with every virtual machine. This gives us a way to do true agentless security across our entire portfolio.

From a customer perspective, you are going to have an end-to-end view of security policy. And we have an end-to-end way to enforce the policy–from the application running on the server all the way up to the endpoint.