Fortify your defenses with VMware Cloud on AWS Outposts
Introduction
VMware Cloud on AWS Outposts (VMC-O), delivered to your on-premises datacenter, offers several benefits to fortify and increase your defences. We will look at multiple SDDC functionalities, which will help protect your workloads and provide insights into the benefits of a managed VMware Cloud Service delivered to your datacenter. VMware Cloud on AWS Outposts is a hybrid cloud solution that combines the capabilities of VMware's software-defined datacenter (SDDC) with the AWS Outposts infrastructure.
Data Locality matters
The saying "data is the new gold" is a popular metaphor that underscores data's increasing significance in the contemporary world. It implies that, much like gold in bygone eras, data has evolved into a valuable resource. In today's digital age, data has garnered immense value, with businesses, governments, and individuals all recognizing its potential to drive insights, innovation, and economic growth. Consequently, data ownership and privacy concerns loom large in this digital era, reminiscent of historical debates on land ownership and resource rights. These discussions encompass issues of ownership, control of data and locality of where it resides. In response to these concerns, governments and international organizations have initiated regulatory measures to oversee the collection, storage, and utilization of data, a reflection of its escalating importance and associated risks. VMware Cloud on AWS Outposts grants you complete data control, ensuring that workloads running on VMC-O are processed exclusively within the rack environment without the risk of data egress or lack of visibility as to where the data resides. Furthermore, it provides you with multiple security mechanisms to protect and, simultaneously, gives you the flexibility to leverage modern services.
Basic features of VMC and the Managed Service
Managed Service
VMware Cloud on AWS Outposts is part of the portfolio of VMware Cloud Services, including technologies to assist with cloud-scale migration, disaster avoidance and recovery, and if necessary, ransomware recovery, provided by VMware HCX, VMware Site Recovery & VMware Cloud Disaster Recovery, although the later does require the data to leave the premises, and therefore conflicts with the desire to maintain complete control over data locality.
The security of VMware Cloud Services is of utmost importance. Ensuring the security of the VMware cloud offerings and customer data held within requires a wide array of tools, processes, and capabilities, all expertly designed to balance the desires of the business with a focus on customer satisfaction, product efficiency, product deadlines, revenue, shareholder expectations, and the need for security. VMware balances these needs with a set of controls and management processes designed to both mitigate risk and enhance its product offerings.
The controls and processes were created using a set of driving principles, which provide the underlying general rules and guidelines for security within VMware Cloud Services.
- Risk – Manage risk by understanding the threat landscape, building a solid platform, and leveraging all decision-makers when calculating risk.
- Controls – Establish a balance of effectiveness and efficiency by implementing the appropriate controls for the associated risk.
- Security – Provide preventative and protective capabilities to ensure a secure service.
VMware Cloud Services implements a shared Responsibility Model, where software and hardware vendors and customers all share the responsibility of platform availability and security. In this article I will primarily focus on security-related topics. For a more in-depth review of the shared responsibility model, please follow this link: Shared Responsibility Model.
Below is a summary of the model
VMware
SDDC Lifecyle
- ESXi patch and upgrade
- vCenter Server patch and upgrade
- NSX patch and upgrade
- vSAN patch and upgrade SDDC Backup/Restore
- Backup and Restore vCenter Server
- Backup and Restore NSX Manager
SDDC Health
- Replace failed hosts
- Add hosts
Managing Vulnerabilities
- Scanning and applying security patches to the standard VMware SDDC infrastructure components within the SDDC (e.g., NSX, vSAN, ESX, vCenter)
Security and Encryption
- Deduplication, compression, and data-at-rest encryption
- Encryption Key Management
Amazon Web Service
Physical Infrastructure
- AWS Regions
- AWS Availability Zones
Compute / Network / Storage
- Rack and Bare Metal Hosts (i3en.metal)
- Rack and Power Network Equipment
- Customer data security including locality, transport, disposal while consuming native services
Customer
Management Network Range Configuring SDDC Network and Security (NSX)
- Management Gateway Firewall
- Compute Gateway Firewall, IPsec VPN, NAT
- Network Segments
- Distributed Firewall
Managing Virtual Machines
- Installing software
- Implementing backup solution
- Implementing in-guest encryption
- Implementing antivirus solution
Managing Vulnerabilities
- Scanning and applying security patches to deployed virtual machines and applications
System Updates and Patch Management
VMware Cloud on AWS Outposts receives regular maintenance to ensure optimal performance and security. We follow a structured approach to system updates and patch management:
1. Major Updates:
- Major updates are scheduled to occur once every quarter.
- These updates bring significant changes, including the introduction of new features and functionalities.
- Major updates also address and fix known bugs and issues.
- Operational enhancements are incorporated to improve the overall efficiency and reliability of the system.
- We schedule major updates to occur outside of regular business hours and are not workload impacting.
2. Patch Bundles:
- In between major updates, we release patch bundles as needed.
- Patch bundles primarily focus on addressing specific bug fixes and security vulnerabilities.
- These patches are designed to maintain the stability and security of our system.
- Similar to major updates, we carefully plan the installation of patch bundles, the installation of patch bundles does not disrupt workloads running on VMC-O.
3. Security Patches:
- Security is our top priority.
- Whenever a security threat or vulnerability is detected, we take immediate action.
- Security patches are developed and deployed as soon as a threat is identified.
- This proactive approach ensures that your system remains protected against emerging security risks.
4. Minimal Workload Impact:
- We understand the importance of your workloads and strive to minimize any impact on them during updates and patch installations.
- Our updates are carefully scheduled to occur during non-business hours to avoid disruption.
- We take precautions to ensure that your operations continue smoothly during maintenance activities.
In summary, our update and patch management processes are designed to provide you with a secure and reliable system. Major updates introduce new features and improvements, while patch bundles and security patches are deployed to address issues promptly. We prioritize your workload and aim to keep any disruptions to a minimum. Your system's security is of utmost importance to us, and we respond swiftly to emerging threats.
advanced Network Security with NSX-T
VMware Cloud on AWS Outposts leverages NSX-T, its Network Virtualization and Security platform. NSX-T brings a host of sophisticated features and benefits to the table, making network security more robust and accessible, even for organizations without deep networking expertise. By automating security policies, embracing a zero-trust model, and offering application-centric security, NSX-T empowers organizations to strengthen their security posture in a hybrid cloud environment without the need for in-depth networking knowledge. NSX-T simplifies security policy creation and enforcement through automation. It allows administrators to define policies based on high-level constructs such as applications, users, or virtual machines, rather than dealing with complex networking rules. This abstraction makes it easier for organizations to implement security without extensive networking knowledge.
Micro-Segmentation and Layer 7 Distributed Firewall
NSX-T enables micro-segmentation, which means dividing the network into small, isolated segments. Each segment can have its own security policies and can isolate workloads and applications. This segmentation minimizes the lateral movement of threats within the network.
Layer 7 Distributed firewalling, also known as an Application Layer or Next-Generation Firewall, operates at the highest layer of the OSI model, which is the Application Layer. Unlike traditional firewalls that operate at lower layers and focus on port and protocol filtering, Layer 7 firewalls are application-aware, meaning they can inspect and control traffic based on specific applications and services. Furthermore, NSX-T can block or allow traffic from the virtual network card from each single VM, this enables administrators to create automated rulesets that permit only the necessary traffic, thereby minimizing lateral movement within the network.
IDS/IPS (Intrusion Detection System/Intrusion Prevention System)
IDS and IPS are security systems designed to protect computer networks and systems from unauthorized access, attacks, and potential threats. They operate by monitoring network traffic and identifying suspicious or malicious activity.
Intrusion Detection System (IDS): IDS is primarily a passive system that detects and alerts administrators to potential security breaches. It analyzes network traffic and compares it to predefined patterns or signatures of known threats. When it identifies a match, it generates an alert for further investigation.
Intrusion Prevention System (IPS): IPS is an active system that not only detects threats but also takes action to block or mitigate them. It can automatically respond to detected threats by blocking malicious traffic, modifying access control lists, or taking other preventive measures to protect the network.
Identity Firewall
An Identity Firewall is a security system that integrates user identity and access management with firewall policies. It combines user authentication and authorization with traditional firewall capabilities to enforce security policies based on individual user identities or roles.
Key Features:
- User-Centric Security: Identity firewalls allow organizations to create fine-grained security policies that control access based on individual user identities or roles.
- Dynamic Access Control: Access permissions can change dynamically based on user activity and context, enhancing security while minimizing user disruption.
- Audit and Compliance: Identity firewalls provide detailed logs and reporting, aiding in compliance with regulatory requirements and security audits.
Additional Service - Disaster Recovery as a Service
VMware Cloud Disaster Recovery
This is VMware's on-demand disaster recovery (DR) offering that is delivered as a simple, easy-to-use SaaS solution leveraging the benefits of cloud economics. It enables IT and business continuity teams to easily and cost-effectively resume critical business operations into the cloud (VMware Cloud on AWS) after a disaster event in their on-premises VMware Cloud on AWS Outposts.
VMware Ransomware Recovery
VMware Ransomware Recovery is a purpose-built ransomware recovery-as-a-service solution, which is part of VMware Cloud Disaster Recovery, that enables businesses to recover from ransomware attacks faster and with more predictability and confidence. The solution delivers safe recovery by preventing reinfection of production workloads through its innovative use of an on-demand isolated recovery environment on VMware Cloud on AWS. Guided recovery workflows allow customers to quickly identify recovery point candidates, validate restore points using embedded behavioural analysis, and recover data with minimal loss.
For more information about VMware Cloud Disaster Recovery and Ransomware Recovery, please take a look on following Techzone articles:
Conclusion
VMware Cloud on AWS Outposts is a powerful solution for fortifying and enhancing the defence of your on-premises datacenter. It combines the best of VMware's SDDC technology with the scalability, security, and managed services of AWS, offering a robust platform to protect and manage your workloads efficiently and securely, all delivered and managed within the borders and control of your own datacenter.