In vShield 5, VMware is adding a way to do data discovery to find out whether sensitive data, such as that for healthcare, payment card or sensitive financial information, is being held in the VMware virtual-machine environment being scanned. But more DLP functions, such as blocking data leaks in transit, won’t be in this release, which is expected out the third quarter. VMworld 2011 takes place the last week of August in Las Vegas.
“It’s not full DLP,” acknowledged Dean Coza, VMware’s director of product management for security products. But Coza says the data-discovery scanning feature, which is based on technology from the RSA Data Loss Prevention Suite, is going to be a huge help for IT managers that have often found their traditional discovery tools don’t work well in the VMware VM environment. (RSA is the security division of EMC, which owns a majority stake in VMware.)
The DLP features that VMware expects to demonstrate at VMworld do not include monitoring or blocking of data in transit, which are capabilities in the RSA DLP Suite, the company said. In addition, VMware’s DLP isn’t integrated into the RSA DLP Suite at all. But Coza says VMware does plan to release a set of open APIs that vendors and companies could use to capture VMware-based information generated about DLP-sensitive data, their policies and reports.
“At some point in the future, VMware envisions broadening its DLP push to do things such as preventing data from moving from a network into the cloud, for example, if policy prohibits it, or from one country to another if it violates regulations such as national privacy laws,” Coza said.
Phil Cox, director of security and compliance for RightScale, which makes a cloud management platform, said he’s glad VMware is taking small steps into DLP rather than trying to go full bore in the beginning. “You have to start somewhere,” Cox said, adding that it is often difficult to do data discovery in a VM-based environment.
What VMware will have in Dean Coza, based on RSA’s data-discovery tool, is a way to scan VMs to identify the type of data out in the network, and keep track of where and how sensitive data is stored and cordoned off based on policies. No host-based software is required for this, as it’s based on VMware’s architecture for agentless security.
The DLP discovery capability will make it possible to identify data based on a “checkbox” of 80 laws and regulations in the U.S. and internationally for patient healthcare data, payment card and financial. This checklist will assist in setting up network-segmented security zones. It will also provide a way to track sensitive data to ensure certain patching levels or antivirus software is required.
At VMworld, VMware also plans some demonstrations of vShield App5, its hypervisor-based application-aware firewall that installs on each vSphere host, to show how it works with virtualisation-optimised intrusion-prevention systems from partners that include HP TippingPoint and Sourcefire. VMware also plans to show how it’s possible to automate VM lockdowns based on threat data through the interaction of components called vShield Data Security, vShield Inside Navigator (which shows how VMs talk to other VMs at the application layer), vShield App and vCenter Configuration Manager.
VMware’s security framework cannot yet be considered fully complete, but “we’re building pieces of infrastructure,” Coza says. “One important capability for data protection still being worked on at VMware is a way to efficiently facilitate encryption,” Coza acknowledged. VMware wants to find an efficient and inexpensive way to encrypt in the cloud, but that is still a work in progress.