

Thursday 14 February 2019 Virtualisation


By Yordan Yanev

In part 1 & part 2 of this blog series, I highlighted the increasing threats to IT departments, how they should start to work more like cloud service providers and why they should look to improve network security by virtualisation.      

Now it’s time to talk about how we can reduce the ‘surface’ of our networks to make them easier to protect and our recommended solution to gaining both additional security and agility out of your network.


Security solutions devoted to chasing and detecting threats are only marginally effective when the attack surface is large - there are simply too many ways for a threat to compromise an application for point solutions to cover them all. For this reason, the primary focus for your IT and InfoSec teams should be shrinking the attack surface of applications.

To do this effectively, there are a few things they’ll need:

• insight and context into how the applications are composed: how should they interact with the infrastructure, and how do they really interact with it? Instead of trying to cover every possible threat, use the known-good state of your environment as a baseline.

• network enforcement points that can micro-segment the machines that make up an application.

• compute enforcement points so that only the right processes run and the right connections are made within those machines.

Delivering on all three of these necessities is difficult. Either a product is bound to the endpoint or to the network, giving it granular control but no application context or visibility, or it has context about the application but lacks the ability to meaningfully enforce security policies.


Under a legacy approach, a security policy is applied to static and rigid groups that are defined by the network topology. We see these expressed as security zones, IP subnets, etc. The problem with this approach is that it assumes very little change, if any, is going to take place in the data centre, whether through provisioning new applications, moving workloads or changing IP addresses.

Because workloads in the data centre do, in fact, change frequently, this legacy approach is slow to adapt and often leads to security vulnerabilities and missed business opportunities. That’s why you need to consider a software solution such as VMware NSX.

Because VMware NSX is embedded in the hypervisor, it has a rich knowledge of what is taking place in both the physical and virtual environments. This deep understanding of the attributes of the workload enables you to start thinking about how you apply security differently. 

Now instead of grouping based on where something is in the network, we can group based on how it’s used. Alternatively, we can group based on specific characteristics of that workload, such as which operating system the workload is running, or whether the workload is within a certain compliance scope such as PCI.

This enables us to define security policy independent of static attributes like IP addresses. When IP addresses change, or new IP addresses come online (like when a new workload is provisioned), the correct security policy will be automatically applied.
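As an added illustration (not VMware NSX code or its API), here is a small Python model of the attribute-based grouping described above: group names, tag values and the rule table are hypothetical, and the point is that membership is resolved from workload attributes at evaluation time, so a re-addressed or newly provisioned workload picks up the right rules without any IP-based rule being edited.

```python
"""Tiny model of attribute-based micro-segmentation policy (added example)."""
from dataclasses import dataclass, field


@dataclass
class Workload:
    name: str
    ip: str
    os: str
    tags: set = field(default_factory=set)


# Dynamic groups: membership is a predicate over workload attributes,
# never a list of IP addresses. Names and tags are hypothetical.
GROUPS = {
    "web-tier":  lambda w: "tier:web" in w.tags,
    "db-tier":   lambda w: "tier:db" in w.tags,
    "pci-scope": lambda w: "scope:pci" in w.tags,
    "linux":     lambda w: w.os.lower().startswith("linux"),
}

# Rules are (source group, destination group, port, action); None = any.
# Evaluated top-down, first match wins, default deny.
RULES = [
    ("web-tier",  "db-tier",   3306, "allow"),
    ("pci-scope", "pci-scope", None, "allow"),  # any port inside PCI scope
    (None,        "pci-scope", None, "deny"),   # nothing else reaches PCI
    ("linux",     "linux",     22,   "allow"),
]


def in_group(workload, group):
    """None matches any workload; otherwise apply the group's predicate."""
    return group is None or GROUPS[group](workload)


def evaluate(src, dst, port):
    """Return 'allow' or 'deny' for a flow between two workloads."""
    for src_grp, dst_grp, rule_port, action in RULES:
        if (in_group(src, src_grp) and in_group(dst, dst_grp)
                and (rule_port is None or rule_port == port)):
            return action
    return "deny"


if __name__ == "__main__":
    web = Workload("web01", "10.0.1.10", "Linux", {"tier:web"})
    db = Workload("db01", "10.0.2.10", "Linux", {"tier:db"})
    print(evaluate(web, db, 3306))   # allow
    db.ip = "10.0.9.50"              # re-addressing changes nothing
    print(evaluate(web, db, 3306))   # still allow
```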



Every industry today is being transformed by technology. Traditional data centres are reshaped as apps and data migrate across clouds, to the edges of the network and back. This digital transformation can lower IT costs and improve efficiency, visibility and performance while driving business innovation.

This new reality is exciting but has major implications for the traditional networking and security services. As IT teams attempt to manage, secure, connect and maintain compliance wherever applications live, they can’t do it without a fully virtualised infrastructure.
Legacy networks, or a mix of different systems that must be managed and run independently, can cause major delays and create security gaps that businesses simply can’t afford.

Your IT team needs a modern networking and security solution that brings consistency and security across private and public clouds. They also need a level of automation that streamlines multi-cloud operations and frees up the business to focus on innovation.
This can be achieved with a completely new and innovative approach for protecting our digital assets – the application-centric approach - enabling a way to create a more granular form of security known as micro-segmentation.


VMware NSX is unique in its ability to reduce the application attack surface through intrinsic security—security built directly into the hypervisor and the other native control points on which applications run.

The VMware micro-segmentation and security solutions provide a foundational architectural shift to enable topology-agnostic, distributed security services that can be programmatically applied to protect applications in the evolving data centre.

Micro-segmentation and security use the NSX in-kernel distributed firewall, edge firewall components and built-in security services to efficiently provide the desired network segmentation. It also provides isolation to protect the application traffic, regardless of physical location and underlying network topology.

With insight into how applications are composed, from the processes running on individual workloads to the network traffic they generate, NSX solutions automatically recommend intent-based security policies to your teams.

Whether applications live on-premises, in the cloud, on VMs, containers or bare-metal servers, NSX solutions deliver ubiquitous control. Write one policy, enforce it everywhere and orchestrate automated threat responses.

Security in software enables the deployment and management of security policies to be as agile as applications themselves. When a new machine is created, it’s secured by default.


Not every security solution is created equal. In today’s fast-moving business landscape, you can’t afford to take risks.
VMware and CACI – Network Services can help you keep up with the increasingly dynamic, distributed nature of modern applications by making security an intrinsic component of your infrastructure.

Start small with an NSX network and security virtualisation platform delivered by CACI and tap into a portfolio of products that enable application-centric security, network visibility and embedded threat detection.

Talk to us about how we can help by calling +44 (0)20 762 6000 or clicking on the banner below.



