vArmour, a leading data center and cloud security company, recently announced 12 additions to its growing patent portfolio issued by the U.S. Patent and Trademark Office, almost doubling its patent portfolio within a year. Newly awarded patents focus on policy and automation as services to secure the data center.
To learn more, I spoke with Matt Ebben, VP of WW Systems Engineering and Services for vArmour.
VMblog: Can you describe what vArmour announced in the recent press release about its patent portfolio?
Matt Ebben: vArmour has spent the last few years advocating the need for, and producing the world's most scalable, agentless, Application-Aware visibility and microsegmentation solution for cloud datacenters. This has taught us an absolutely incredible amount about customer applications and how one goes about securing them when workloads can be anywhere and the perimeter is a dead concept. In short, pervasive application-centric segmentation policy is a destination, but the journey to get there is long and extremely challenging. We've taken this learning and applied it to creating and patenting new features that let our customers quickly and easily visualize their applications at a level typical network-based solutions can't see, the dependencies around these applications, and how they communicate. This application telemetry is then processed through declarative policy intention algorithms for the creation of security policy as defined by business intent. That's a wordy way of saying, "Here are your critical applications. Tell us in whatever terms make sense to you how you want to protect them."
VMblog: How are you using these innovations to benefit customers on their journey to protecting their applications?
Ebben: We're giving our customers interactive guidance and a means to reach their destination. An analogy might be something like this: Bali is your dream destination and you're in California. All you have today to get you there is a rowboat and a general idea that you need to go west. We're building jets to enormously speed up the journey, while keeping it simple, efficient and powerful. We're doing this without needing to install intrusive software agents on every server in the environment or to truck in expensive, custom hardware larger than the average refrigerator. The joke around vArmour when someone says they have an application discovery and policy platform is to ask how much it weighs!
vArmour customers simply download and deploy a single VM from which they can specify how broadly they wish to deploy the sensor network. In a matter of minutes, the system is actively auto-discovering and modeling layer 7 application interactions and mapping out application behavior. Bidirectional tie-ins to industry-leading CMDB and IT workflow solutions enhance context and efficacy around application understanding. With this wealth of data, all broken down into simple graphical views, customers can see what DID happen and what IS happening with their applications. The next stage is to apply business level logic to this dataset. This is the intent-based declaration of what SHOULD happen. For many customers, this is where the journey actually ends. Maybe they aren't quite ready for deployment of segmentation policy. Maybe the CISO just wants to understand the difference between the DID and SHOULD and go twist an app developer's ear. For those who wish to deploy the policy to an enforcement solution, we do that too. This is the "what CAN happen" part of the equation. The beauty here is in the policy validation capabilities of the solution. At any point in time, customers can model different applications or policy attributes and perform a retrospective impact assessment against actual traffic; in other words, a report showing "what would have been blocked in the past X days had this policy been in place?" When I worked for a large life insurer as a voting member of the infrastructure change control board, I would have killed for this capability! The IT governance workflow impacts to this are massive.
VMblog: So the ability to do segmentation, and specifically microsegmentation, is a mainstream subject in the modern security landscape. It seems like there are tons of options out there these days for policy enforcement, oftentimes natively built into the cloud stack. Is this good or bad for vArmour?
Ebben: It's a good thing, and here's why. Our entire solution is software-based and does not need to be the system that's actually doing the policy enforcement. This might come as a bit of a surprise, but we want to empower customers to use whichever enforcement planes work best for them. Obviously we have ours and love when customers go that route, but if they don't, that's fine. Instead of Bali, they're headed to Boracay; it's still hard to get there in a rowboat! For these customers, we offer our patented auto discovery and declarative policy modeling solution just the same as if we were programming our own enforcement. Everyone attempting to do policy deep inside the datacenter or cloud has this same problem, regardless of which enforcement plane is selected. All the microsegmentation and enforcement in the world isn't worth squat without understanding the applications and applying intelligent policies. Again, the application-focused, business logic-informed enforcement is the destination. But you don't get there without a solution like ours. The more prevalent native enforcement capability becomes, the more obvious this problem becomes.
VMblog: So it sounds as though the solution you're discussing is designed to program more than just vArmour. Can you expand on that?
Ebben: Sure. So say you've got a large, heterogeneous compute footprint and a PCI application that runs in this environment. Some of the assets are physical, some run in vSphere, and some run in Azure. You can obviously cover physical and vSphere by using the vArmour DSS for enforcement, but in Azure, you want to use Network Security Groups (NSGs) since they're built-in. By using our declarative policy modeling capability, you have "one policy to rule them all" that is dynamically applied to whichever enforcement plane is in use. Again, the way the policy gets implemented is the destination, and to be honest, not all that important. Enforcement is all pretty much the same. The journey to get there and the ability to visualize, model, test, and validate your policy and its efficacy on an ongoing basis is where our customers are finding the greatest value. We're rapidly working on expanding the number of control planes the solution supports. More to come on this in the near future!
VMblog: What's been the customer reaction to this enhanced focus on declarative policy and policy modeling?
Ebben: It's been overwhelmingly positive. Compliance needs, pervasive breaches, datacenter re-architectures, and cloudification of IT are all driving customers towards segmentation strategies at an increased pace. This is forcing organizations to think about how they'd actually go about implementing good policy for controlling applications when the knowledge of how these applications work is usually locked in a developer's head somewhere. On the scale of complete ignorance to total enlightenment, the vast majority of organizations are somewhere in between the "we don't know what we don't know" and the "we know what we don't know" stages. For these organizations, our solution is proving to be incredibly powerful and helping IT security teams truly understand just what their applications are up to.
VMblog: Where do the patents or technology take vArmour in the future?
Ebben: At vArmour, it is our belief that security should be regarded primarily as a business driver and not just as a business enabler. vArmour's policy innovations are intent-based and serve the security goals of the business while being driven by the intent of the application owners. They place the ownership and governance of policy into the hands of the application owner or IT risk owner. vArmour's policy automation enables administrators and application owners to dynamically enforce security policies in step with changes in the infrastructure and beyond. When executed accurately, an application's security needs and the organization's business outcomes will constantly be in sync to create an ideal environment for current and future infrastructure.