Thursday, June 25, 2020

VMware Rolls Agent, Zero Trust Into SASE Play

VMware is adding zero-trust networking and agent-based access to its VeloCloud secure access service edge (SASE) platform. Users of Workplace One, VMware’s end-user computing client, can now take advantage of zero-trust access to VMware’s SASE software stack running in the company’s points of presence (PoPs) and cloud gateways. The announcement comes as millions of Americans enter their fourth consecutive month working from home, and IT teams are scrambling to secure a growing perimeter.

“We have tens of millions of managed clients already out there,” said Sanjay Uppal, SVP and general manager of VeloCloud, adding that this install base should help to ease the adoption of the service. Until now, VMware’s SASE platform, which stitches together elements of SD-WAN and managed security, was entirely reliant on CPE at the edge. While CPE hardware is no longer required, Uppal notes it won’t be going anywhere.

VMware is taking a three-pronged approach to SASE. For branch offices and remote workers deemed “power users,” VMware anticipates enterprises will deploy an edge device. “For the power user, it is really about converting the home office to become a branch office,” Uppal said. This addresses a common criticism that SASE doesn’t solve the LAN security problem, and enables SD-WAN functions like quality of service to be applied from the home. However, Uppal notes that VeloCloud’s edge hardware for home use will differ slightly from devices used for larger branches, particularly where it concerns security.

For typical users, VMware anticipates most employees will use either an agent, in the form of Workplace One running on their computer or mobile device, or access business-critical applications through a zero-trust portal online.

Regardless of how users connect, Uppal said network architecture is changing in demonstrable ways. Rather than traversing edge to edge with SD-WAN, the network is becoming “client to cloud to container,” he said. “This is the bedrock of what is going to happen with remote networking, not just because of remote access, but most networking is going to move in this direction.”

While among the first vendors to adopt SASE, VMware is still working to fill out large portions of its security stack. The addition of zero-touch network access today fills in one of the missing pieces, but the vendor still has a ways to go. VMware is working to fill in those gaps in the next phase of its SASE journey, according to Uppal, but for the moment, the company is working with partners to provide services like secure web gateway, cloud access security broker, and risk-based inspection. The company will be adding services to its PoP in the coming months, Uppal said.

It remains to be seen whether VMware will develop those capabilities internally or acquire the pieces from another vendor. The company has never been shy about throwing money at a problem. VMware last year paid $2.1 billion for endpoint security vendor Carbon Black and $2.7 billion for Pivotal.

Even if VMware fills out its SASE stack, the company won’t force customers to use all of its services, according to Uppal. Users with an existing risk-based inspection service, or secure web gateway, for example, will be able to continue using it with the rest of VMware’s SASE stack. In that scenario, traffic would pass through VMware’s service edge before being handed off to the service in sequence, Uppal explained.

VMware is providing single-pass service chaining, or what it calls services, not traditional multi-pass service chaining, which is dogged by latency and user-experience challenges. “Service chaining has a particular connotation, and the connotation is that it’s a multi-pass architecture, which it doesn’t have to be,” he said. “We bring the traffic and it comes to our point of presence, and then we can terminate it there, or send it off to some other security provider as long as we don’t terminate it in two places.”
