Zero trust. It sounds like a security strategy straight from “The X Files,” but a zero-trust architecture is something of a holy grail among security experts.
It assumes that neither internal nor external networks can be trusted, and it implements micro-perimeters around data or assets to enforce more granular security policies. Unfortunately, building a zero-trust architecture has not been operationally feasible — until NSX.
If you read my last blog, you know that VMware NSX is not only good for network virtualization, but also network microsegmentation. Another benefit of NSX is in the creation of identity-based firewalls. Unlike a physical firewall or a VM-based firewall, an ID-based firewall enables the creation of dynamic firewalls at the individual user level. In other words, when a user logs into the network from a physical or virtual desktop or device, they’re automatically assigned a firewall with personalized security policies and access restrictions.
NSX does this by mapping firewall policies to your existing Microsoft Active Directory groups. For example, someone assigned to the “accounting” group might have complete access to financial data, but only limited access to engineering data. NSX looks up the group security policy for the user when they log into the network and immediately applies it to them for the duration of the network session. In effect, the enterprise security team can control the access privileges of every single individual without having to create thousands of unique policies or continually update dozens of physical firewalls.
When I talk to customers about the benefits of an ID-based firewall system, I typically cite these three common use cases:
Departments/Branches
Most mid-sized businesses have different departments and/or multiple physical offices that share the same data center. In my previous accounting example, I point out that not everyone should have access to everything. The reason for this isn’t just to stop internal espionage. A lot of malware, including ransomware, is unwittingly carried in by employees, at which point the malware runs with the same access privileges as the employee. Restricting what employees can access is one of the simplest ways to keep ransomware encryption or data exfiltration from spreading through your data center.
Partners/Offshore Developers
Today, it’s not uncommon for organizations to create a separate pool of data for their partners or offshore developers as a security measure. This approach is an added cost, however, and can create data inconsistencies over time. With ID-based firewalls managed by NSX, partners and developers could securely access data and files directly from your data center, but would be blocked from accessing data and servers that are not essential to their roles.
Tenants
Service providers may host thousands of tenants in their data center. ID-based firewalls can ensure that tenants don’t venture past their “rented rooms” into other tenants’ personal spaces. ID-based firewalls also allow service providers to deliver a more robust security experience to their customers through the creation and enforcement of user-based policies.
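To make the mechanism concrete, here is a small Python model of an identity-based firewall covering the three use cases above (departments, partners/offshore developers, and tenants). It is an added example, not NSX code, and it calls no NSX or Active Directory API: the user names, group memberships, subnets and ports are constructed sample data, and `login`, `is_allowed`, `evaluate_flows` and `logout` are hypothetical names. The point it shows is that the rule set is derived from the user's group membership at login and attached to the session, so a process running as that user, including malware that came in with them, can only reach what the user's groups allow, and everything else is denied by default.

```python
"""Toy identity-based firewall: resolve a logged-in user's directory groups
to a per-session rule set, then evaluate each outbound flow against it.
All directory data and policies below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, List, Set, Tuple

ANY_PORT = 0  # hypothetical wildcard meaning "any destination port"

# Constructed stand-in for Active Directory group membership.
AD_GROUPS: Dict[str, Set[str]] = {
    "accounting":   {"alice", "frank"},
    "engineering":  {"bob", "frank"},
    "offshore-dev": {"carol"},
    "tenant-a":     {"dave"},
    "tenant-b":     {"erin"},
}

# Constructed security policy: group -> allowed (destination network, port).
# Anything not listed for a user's groups is denied (default deny).
GROUP_POLICY: Dict[str, List[Tuple[str, int]]] = {
    "accounting":   [("10.10.0.0/24", 443)],                      # finance app
    "engineering":  [("10.20.0.0/24", 22), ("10.20.0.0/24", 443)], # eng servers
    "offshore-dev": [("10.20.5.0/24", 22)],                       # dev jump subnet only
    "tenant-a":     [("10.30.1.0/24", ANY_PORT)],                 # tenant A's "room"
    "tenant-b":     [("10.30.2.0/24", ANY_PORT)],                 # tenant B's "room"
}


@dataclass(frozen=True)
class Rule:
    network: IPv4Network
    port: int

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        in_net = ip_address(dst_ip) in self.network
        return in_net and (self.port == ANY_PORT or self.port == dst_port)


@dataclass
class Session:
    user: str
    groups: FrozenSet[str]
    rules: Tuple[Rule, ...]


def lookup_groups(user: str) -> FrozenSet[str]:
    """Directory lookup: which groups is this user a member of?"""
    return frozenset(g for g, members in AD_GROUPS.items() if user in members)


def compile_rules(groups: FrozenSet[str]) -> Tuple[Rule, ...]:
    """Union of the rules of every group the user belongs to."""
    rules = []
    for group in sorted(groups):
        for net, port in GROUP_POLICY.get(group, []):
            rules.append(Rule(ip_network(net), port))
    return tuple(rules)


def login(user: str) -> Session:
    """At login the group lookup happens once and the rules bind to the session."""
    groups = lookup_groups(user)
    return Session(user=user, groups=groups, rules=compile_rules(groups))


def logout(session: Session) -> None:
    """Session ends: the personalized rule set is torn down, nothing lingers."""
    session.rules = ()


def is_allowed(session: Session, dst_ip: str, dst_port: int) -> bool:
    """Default deny: a flow passes only if some rule from the user's groups matches."""
    return any(rule.matches(dst_ip, dst_port) for rule in session.rules)


def evaluate_flows(session: Session, flows: List[Tuple[str, int]]) -> List[str]:
    """Verdict per flow, in the same order as the input, suitable for logging."""
    return ["ALLOW" if is_allowed(session, ip, port) else "DENY" for ip, port in flows]


if __name__ == "__main__":
    # Alice's desktop: her finance flow passes; a ransomware process running as
    # her that tries to reach engineering servers is denied by the same rules.
    alice = login("alice")
    for flow, verdict in zip([("10.10.0.5", 443), ("10.20.0.5", 22)],
                             evaluate_flows(alice, [("10.10.0.5", 443), ("10.20.0.5", 22)])):
        print(alice.user, flow, verdict)
    logout(alice)
    print(alice.user, "after logout:", is_allowed(alice, "10.10.0.5", 443))
```

Because the rules are a property of the session rather than of the endpoint, the same laptop yields a different rule set depending on who is logged in, which is what distinguishes this from a conventional address-based firewall.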
The security side of NSX is very compelling for organizations in this age of advanced persistent threats. The ability to control individual movement (ID-based firewalls) and lateral movement (microsegmentation) brings organizations closer to the “zero trust” ideal. The question of who to trust to plan, install and manage your NSX solution is considerably easier. As one of just a handful of elite NSX partners in the world, Rolta AdvizeX can help you leverage NSX’s security capabilities quickly and easily.