VMware Networking and Security (Carahsoft partner enablement): visibility and context into application security
TRANSCRIPT
© 2014 VMware Inc. All rights reserved.
VMware Networking and Security: Strategic Partner Enablement
Matt Cooley, 18H2
The application is a network
Perimeter security (diagram labels: NGFW, IPS, WAF, sFW, ENC)
What if you could… enforce security at the most granular level of the data center?
Every VM can have:
• Individual security policies
• Individual firewalls
(Diagram: Internet, network perimeter, micro-segmentation)
What if you could… maintain that level of consistent security across an entire application?
Micro-segmentation: modern apps today are distributed in nature (diagram: WEB, DB tiers).
Security needs to reach beyond an individual VM; each VM is typically part of a larger application.
Better security, simplified policy: define a policy using workload characteristics, not IPs and ports.
An NSX security policy can be based on things like:
• Operating system
• Machine name
• Services
• Application tier
• Regulatory requirements
• Security posture
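To make the "characteristics, not IPs and ports" idea concrete, here is an added illustration (not NSX's policy model or API) of a segmentation policy whose rules match on workload tags such as tier, OS and compliance scope. Every workload, tag and rule below is constructed for the example; a VM can change IP or a new VM can join a tier without any rule being edited.

```python
"""Attribute-based segmentation policy (added example, not NSX code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: frozenset   # e.g. frozenset({"tier:web", "os:linux"})


@dataclass(frozen=True)
class Rule:
    src: frozenset    # every tag the source must carry (empty = any source)
    dst: frozenset    # every tag the destination must carry
    service: str      # e.g. "tcp/5432", or "any"
    action: str       # "allow" or "deny"


def evaluate(rules, src, dst, service):
    """First matching rule wins; no match means deny. The default deny is
    what turns a perimeter into micro-segmentation: east-west traffic inside
    a tier (web-01 -> web-02) is blocked unless a rule states otherwise."""
    for r in rules:
        if r.src <= src.tags and r.dst <= dst.tags and r.service in (service, "any"):
            return r.action
    return "deny"


def audit(rules, flows):
    """Return the (src, dst, service) flows the policy would block, e.g. to
    review observed traffic before switching the rules to enforcing."""
    return [(s.name, d.name, svc) for s, d, svc in flows
            if evaluate(rules, s, d, svc) == "deny"]


# Constructed inventory: a three-tier application, database in PCI scope.
WEB1 = Workload("web-01", "10.0.1.11", frozenset({"tier:web", "os:linux"}))
WEB2 = Workload("web-02", "10.0.1.12", frozenset({"tier:web", "os:linux"}))
APP1 = Workload("app-01", "10.0.2.21", frozenset({"tier:app", "os:linux"}))
DB1 = Workload("db-01", "10.0.3.31", frozenset({"tier:db", "os:linux", "scope:pci"}))

# Constructed rules: only the intended tier-to-tier paths are opened, and the
# regulatory tag adds an explicit deny for anything else aimed at PCI scope.
RULES = [
    Rule(frozenset({"tier:web"}), frozenset({"tier:app"}), "tcp/8443", "allow"),
    Rule(frozenset({"tier:app"}), frozenset({"tier:db", "scope:pci"}), "tcp/5432", "allow"),
    Rule(frozenset(), frozenset({"scope:pci"}), "any", "deny"),
]

if __name__ == "__main__":
    flows = [(WEB1, APP1, "tcp/8443"), (APP1, DB1, "tcp/5432"),
             (WEB1, WEB2, "tcp/22"), (WEB1, DB1, "tcp/5432")]
    print(audit(RULES, flows))  # blocked: web->web ssh and web->db direct
```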
Creating and managing policies becomes a whole lot easier (diagram: data center perimeter with PCI scope carved out).
NSX customer use cases
• Security (inherently secure infrastructure): Micro-segmentation; DMZ anywhere; Secure end user
• Automation (IT at the speed of business): IT automating IT; Multi-tenant infrastructure; Developer cloud
• Application continuity (data center anywhere): Disaster recovery; Cross cloud; Multi data center pooling
What are VMware’s Networking + Security products?
CONFIDENTIAL 8
VMware NSX
NSX is VMware’s flagship networking and security product. NSX provides customers with network virtualization – the ability to abstract switch, route, and security functions into the software layer. This allows for unprecedented network agility and security.
vRealize Network Insight
VMware vRealize Network Insight, or VRNI, delivers intelligent network and security operations to customers. VRNI allows customers to manage, troubleshoot, and audit their network with confidence.
VMware AppDefense
VMware’s newest security offering, AppDefense provides endpoint security for virtualized applications. Unlike traditional endpoint security products, AppDefense identifies the intended state of the virtualized application and automatically responds to any deviations.
vRealize Network Insight 3.6: Intelligent Operations for Network and Security Across Virtual, Physical and Multiple Clouds
Plan Security
• Plan micro-segmentation and accelerate deployment with firewall rule recommendations.
• Secure SDDC, AWS and hybrid applications and application tiers
• Identify application dependencies to drive app migration to public clouds, other data centers or disaster recovery sites
Troubleshoot Network and Security
• Unify the troubleshooting experience across the virtual and physical infrastructure
• Optimize network performance by identifying topology bottlenecks such as hairpinning
• Troubleshoot AWS infrastructure such as VPCs, Security Groups and firewall rules
Manage and Scale NSX
• Scale across multiple NSX Managers with powerful visualizations for topology and health
• Avoid configuration issues through an in-product best practices checklist
• Ensure compliance for NSX-V
VMware Network Assessments with vRNI (and Carahsoft)
• Analyze real customer data center traffic
• Generate Risk Assessment and NSX Benefits Report
• Takes about a day
• Demo speed and ease of micro-segmentation – provides a sample of potential rulesets
• Doesn’t phone home
AppDefense – Changing the way we secure endpoints: legacy endpoint security model
Signature-based
• Antivirus
• IPS
• Vulnerability management
Focused on “known bad” threats
Challenges
• Narrow focus
• Misses zero-day threats
AppDefense – Changing the way we secure endpoints: current endpoint security model
Behavioral/forensic
• Machine learning
• AI
• Security analytics
• SIEM
Focused on “unknown bad” threats
Challenges
• Broad focus
• High false positive rate
Pitfalls of the current model: focused on chasing malicious behavior
• Highly complex and noisy
• Limited context – requires a lot of inputs
• Manual effort to confirm a valid threat
It’s time for a new model: focused on validating good (intended) behavior
• Simpler and smaller problem set
• Better signal-to-noise ratio
• Actionable and behavior-based alerts and responses
Visibility and context into application lifecycle: automated collection of intended state across the app lifecycle
1. IT provisions a new app
2. AppDefense collects the intended state of the app
3. IT provisions a change to the app
4. AppDefense notes the change
(Diagram: AppDefense and NSX running on the hypervisor)
Insert security into the DevOps process
Automated detection & response
Compare intended state against run-time state to detect deviations
Automate response through vSphere and NSX:
• Quarantine
• Modify security policy
• Increase logging
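The intended-state comparison described above, as an added illustration that is not AppDefense code: a per-VM manifest of expected processes and the outbound connections each may open is compared against run-time observations, and each deviation is mapped to one of the three responses the deck lists. The manifest, the observations and the response mapping are all constructed for the example.

```python
"""Intended state vs. run-time state (added example, not AppDefense code)."""
from collections import defaultdict

# Intended state captured when IT provisioned the app (constructed):
# vm -> { process path -> set of (destination, port) it is expected to open }
INTENDED = {
    "web-01": {"/usr/sbin/nginx": {("app-01", 8443)}},
    "app-01": {"/opt/app/server": {("db-01", 5432)}},
    "db-01": {"/usr/bin/postgres": set()},   # accepts connections, never initiates
}

# Run-time observations as (vm, process, destination, port) (constructed).
OBSERVED = [
    ("web-01", "/usr/sbin/nginx", "app-01", 8443),        # in the manifest
    ("app-01", "/opt/app/server", "db-01", 5432),         # in the manifest
    ("app-01", "/opt/app/server", "203.0.113.9", 443),    # known process, unexpected egress
    ("db-01", "/tmp/unexpected-bin", "198.51.100.7", 4444),  # process not in manifest
]


def detect(intended, observed):
    """Return deviations per VM. Only two questions are asked: is this
    process expected on this VM, and is this connection expected from it?
    Everything in the manifest produces no event, which is the
    signal-to-noise argument for validating intended behaviour."""
    deviations = defaultdict(list)
    for vm, proc, dst, port in observed:
        allowed = intended.get(vm, {})
        if proc not in allowed:
            deviations[vm].append(("unknown_process", proc))
        elif (dst, port) not in allowed[proc]:
            deviations[vm].append(("unexpected_connection", proc, dst, port))
    return dict(deviations)


def respond(deviations):
    """Choose the automated response per VM from the three actions the deck
    lists. An unknown process is treated as a compromised workload and
    quarantined; a known process reaching somewhere new gets its security
    policy tightened. Logging is raised in both cases for the investigation."""
    plan = {}
    for vm, events in deviations.items():
        if any(kind == "unknown_process" for kind, *_ in events):
            plan[vm] = ["quarantine", "increase_logging"]
        else:
            plan[vm] = ["modify_security_policy", "increase_logging"]
    return plan


if __name__ == "__main__":
    found = detect(INTENDED, OBSERVED)
    print(found)
    print(respond(found))
```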
1. Attacker compromises an app
2. AppDefense automatically responds
(Diagram: AppDefense and NSX running on the hypervisor)
AppDefense – Primary Use Cases
• Authoritative Threat Response: a Security Operations Center can use AppDefense to detect and automatically respond to threats against applications.
• Secure Agile Applications: Security Architects can use AppDefense to streamline the security review process, especially beneficial for rapid app development (DevOps).
VMware N+S – Real World Example
NSX provides the locking mechanism of access points within the building.
VRNI builds a detailed blueprint of the building, understanding which rooms and doors connect to each other.
AppDefense is the biometric security system that ensures the person going through the door is who they say they are.
Networking and Security Market Momentum
NSX customer momentum is growing exponentially
• Customers: 1,300+ in Q2 2016, 2,800+ in Q2 2017 – across all industries and organizational sizes, representing 100% year-over-year growth
• Deployments: over two new deployments of NSX per day; the number of deployments increased 3x year-over-year
• Certifications: 8,800+ certified NSX professionals
VMware N+S – Why should we care?
• VMware’s most strategic customers are already using NSX – the market momentum is tremendous, especially in GEH
• VMware Networking and Security products align to use cases within the Government, Education, and Healthcare verticals that your reps are already selling against.
Government
• Secure Digital Government
• Secure Telecommute
• Secure Agile Applications
• Compliance – PCI, DIACAP, FedRAMP, CJIS
Education
• Secure Digital Backpack
• Protection of Student info
• DevOps
• Compliance – 800-175, PCI
Healthcare
• Secure EMR/EHR
• Secure Mobile Point-of-Care
• Seamless M&A
• Compliance – PCI, HIPAA
Every GEH Customer has a Compliance Use Case…
• Every K-12 school needs to protect highly desirable student personal information…
• Every Hospital, Health-Oriented Agency or Military/VA Health Center must protect HIPAA information…
• Every Police Department or Law Enforcement Agency must comply with CJIS requirements…
• Every Military Branch must meet DIACAP requirements…
• Most GEH Entities need to hold and process credit card numbers…
Advantage+: Partner Profitability with NSX
                                          Standard       Advanced       Enterprise
NSX List Price (25 CPU)                   $49,875.00     $112,375.00    $174,875.00
Advantage+* (30%)                         $14,962.50     $33,712.50     $52,462.50
Solution Rewards* (5%)                    $2,493.75      $5,618.75      $8,743.75
Solution Rewards* Premier Bonus (2%)      $997.50        $2,247.50      $3,497.50
List Price After Discount & Rebates       $31,421.25     $70,796.25     $110,171.25
Partner margin                            37%            37%            37%
*The above scenarios are for explanatory purposes only and actual profitability may vary by Partner Tier and Region. All reference pricing above is suggested MSRP for the US, in USD. Regional prices will vary; please refer to regional pricing resources.
For more information on Partner Incentives: https://vmware.my.salesforce.com/apex/page?name=Incentives&sfdc.tabName=01r80000000G7sE
VMware confidential – for internal use only
Avoid the “Upsell”
Security should be a part of every basic conversation:
• Customer wants more virtualization (vSphere): “How are you preventing East-West attacks in your data center?” → “Extra Secure vSphere” (vSphere + NSX)
• Customer wants End-User mobility (Virtual Desktop): “How are you keeping your desktops from talking to each other?” → “Extra Secure Desktop” (Horizon + NSX)
• Customer refreshing network hardware: “How are you planning for micro-segmentation?” → VMware NSX + Physical HW
Responses and Answers: “How are you preventing E-W attacks?”
Response: “I don’t have unauthorized East-West traffic on my network”
Answer: Really? How are you stopping it?
Response: “I have (physical) firewalls for that”
Answer: Physical firewalls can only protect around a group of workloads. What happens if a threat gets into that group?
Response: “I’m using SIEM/HBID/etc… to detect threats”
Answer: How can you even tell that a threat is occurring? And if you do see it, do you think you’ll be able to respond in time?
The Goal
“Are you familiar with Micro-segmentation?”
If “Yes” – “What is your Micro-segmentation strategy?”
If “No” – Explain Micro-segmentation
Then: “Can we schedule some time for a security expert to talk with you, and possibly schedule an assessment to help you understand how much East-West traffic is moving within your datacenter?”
U.S. Army WIN-T
Customer Facts
• Responsible for providing tactical network capabilities for missions worldwide
• Supports more than 75 Army units
• Comprises over 90% of the Army’s tactical networks
What they needed…
• Warfighter Information Network – Tactical (WIN-T) was struggling with providing the needed services to tactical units in the field.
• Multiple applications were required in each vehicle, many being run from their own unique hardware.
• WIN-T was struggling with weight, power, and cooling issues, let alone the complexity in IT operations.
What we gave them…
• WIN-T signed a $24M ELA with VMware that included vSphere, NSX, and a few other products.
• This new solution allowed WIN-T to provide a single, virtualized physical server in each vehicle, saving space, power, weight, and cooling.
• Security was baked into the solution from Day 1 – VMware provided “Security-enhanced vSphere” as the solution, a bundled offering provided via Carahsoft.
VMware NSX + Physical Network Refresh
• Physical Network
– Physical Fabric Automation
– Securing Hosts
– Bare Metal Workloads
– Enforce Overlay
• NSX
– Network Virtualization Capabilities
– Micro-segmentation for Security
– Integration with CMP and VC
– Bridging for P to V integration
– Services
Don’t leave revenue on the table…
• Deal 1 – Partner A – $15M (est)
– Cisco Nexus switches + ACI
– Customer wanted agile hardware underlay
• Deal 2 – Partner B – $6M
– VMware NSX
– Customer wanted complete control over virtual computing assets – micro-segmentation for security plus network virtualization to enable automation.
– Customer saw NSX as complementary to their Cisco architecture – not competitive
• Partner A is a VMware reseller with the ability to sell NSX – but didn’t engage us during the network refresh project
NSX Solution Selling – Common Use Cases
• Security (inherently secure infrastructure): Micro-segmentation; DMZ anywhere; Secure end user
• Automation (IT at the speed of business): IT automating IT; Multi-tenant infrastructure; Developer cloud
• Application continuity (data center anywhere): Disaster recovery; Cross cloud; Multi data center pooling
NSX Solution Selling – GEH Use Cases
• As a starting point, NSX solutions provide value for the following solution areas critical to GEH customers:
– Security: Compliance (PCI, HIPAA, FISMA, FedRAMP, CJIS, NIST 800-171, DIACAP); Data Security
– Automation: Rapid, secure application deployment
– Application Continuity: Disaster recovery planning and testing; Multi-DC/Cross-cloud computing
NSX Solution Selling – Compliance
• “What compliance requirements do you have?”
• “Do you feel you are adequately meeting those requirements today?”
• “What were to happen if you failed a (compliance scheme) audit?”
• “Have you heard how Micro-segmentation helps customers meet compliance requirements?”
Customer Facts
• ~70,000 Employees
• 3 billion trips per year
• $15.1B operating budget
• 7 different major transit lines
What they needed…
• 7 different major transit lines had been combined under the greater Customer umbrella. With that came agency standardization and consolidation projects, trying to combine 20+ data centers down into 2.
• Customer was struggling in both consolidation and standardization, as departments did not feel that central IT could meet their security needs.
• In addition, Customer recently failed a PCI audit. With 90% of the 8 million customers each day using a transit pass (usually purchased via credit card), Customer could not afford a security breach or the perception of not protecting consumer personal info.
What we gave them…
• Products positioned: NSX was the key component of a $10M ELA that also included vCloud Suite, Airwatch, and SRM.
• NSX and micro-segmentation provided the customer with a means to meet the unique security needs of their tenants as they get consolidated into the central data centers.
• VMware worked closely with the Customer team to help them understand how NSX can help them meet their PCI requirements while also saving costs by avoiding having to build duplicate PCI and non-PCI infrastructures.
Customer Facts
• 25th largest state by population, 32nd by area
• GSP is ~$210B (24th), but average income is ~$31K (41st)
• 21 primary customers for Office of Technology Services
• OTS consolidated IT operations of 16 agencies
What they needed…
• The State of Louisiana needed to consolidate the IT operations of 16 agencies under the Office of Technology Services. While doing this, applications needed to be modernized to address issues with scalability, agility, and end-user security.
• OTS needed a datacenter solution that would allow them to meet the high-availability needs of their applications.
• OTS needed a solution that would help them increase agility and their ability to respond to both rapid needs and innovation.
What we gave them…
• Products positioned: The VMware SDDC with NSX as a primary component
• NSX was first used in the LA OTS SDDC strategy in 2 critical apps: the Medicaid Eligibility and Enrollment system and the Medicaid Management Information System. NSX allowed OTS to deliver a “Service First” approach in these applications, prioritizing security and scalability.
• NSX enabled OTS to build a metro-cluster architecture with over “four nines” (99.99%) availability through an active-active topology and near-zero RTO and RPO.
• NSX was the key component in allowing the state to rapidly and securely deploy new apps during the 2016 flooding disasters, allowing constituents access to key safety services.
Driving value with our NSX partner ecosystem
(Diagram: compute infrastructure, network infrastructure, networking & security services, orchestration & management, platforms, operations & visibility; VMware components shown: vRealize Automation, vCloud Director, vRealize Orchestrator, VIO, vSAN Ready Node)
Customer Facts
• 44,000+ Students
• 19 Schools and 2 extension campuses
• $10.5B Endowment
• Annual IT budget ~$65M
What they needed…
• Customer was struggling to provide security for their hosted server offering – they needed to meet the unique security requirements of each tenant without having to build separate network zones.
• They were using a host-based product from Juniper that was going end-of-life. Juniper was forcing them to pay to upgrade to a newer version, which opened the door for a new platform.
• The hosted offering team is extremely cost conscious – they are not a profit center, so all costs are directly passed on to their customers. Any new capabilities in the offering must be carefully evaluated and must provide direct value to their consumers.
What we gave them…
• Products positioned: NSX
• VMware provided Customer with a micro-segmentation solution to meet their needs of segregated tenants with unique security for each device.
• NSX met the needs of the customer while being under the cost of the proposed solution from Juniper and from competing solutions such as Cisco ACI. The customer was educated thoroughly on the TOTAL cost of competing solutions and operational changes.
• Customer was so impressed with the capabilities of NSX, they bought more licenses the following year, and later selected Palo Alto as their next-gen firewall provider based on its integration capabilities with NSX.
Next Steps
• Make NSX the “Pickle” – make security an embedded part of your VMware deals
• Have security-specific conversations – ask customers what they are doing about compliance
• Don’t leave anything on the table – someone is going to ask your customer about their micro-segmentation strategy; shouldn’t it be you?
Thank You
Matt Cooley – NSX Partner Manager – [email protected]