It was at VMware Explore Europe 2022 when I ran into a colleague from Dell who told me about “transparent snapshots” and mentioned that their solution has something in common VMware Cloud Disaster Recovery (VCDR). After doing some research, I figured out that he was talking about the Light Weight Delta (LWD) protocol.
Snapshots
Snapshots are states of a system or virtual machine (VM) at a particular point in time and should not be considered a backup. The data of a snapshot include all files that form a virtual machine – this includes disks, memory, and other devices like network interface cards (vNIC). To create or delete a snapshot of a VM, the VM needs to be “stunned” (quiesce I/Os).
I would say it is common knowledge that a higher number of snapshots negatively impact the I/O performance of a virtual machine. Creating snapshots results in the creation of a snapshot hierarchy with parent-to-child relationships. Every snapshot creates a delta .vmdk file and redirects all inputs/writes to this delta disk file.
VMware vSphere Storage APIs for Data Protection
Currently, a lot of backup solutions use “VMware vSphere Storage APIs for Data Protection” (VADP), which has been introduced in vSphere 4.0 released in 2009. A backup product using VADP can backup VMs from a central backup server or virtual machine without requiring any backup agents. Meaning, backup solutions using VADP create snapshots that are used to create backups based on the changed blocks of a disk (Changed Block Tracking aka CBT). These changes or this delta is then written to a secondary site or storage and the snapshot is removed after.
Deleting a snapshot consolidates the changes between snapshots and previous disk states. Then it writes all the data from the delta disk that contains the information about the deleted snapshot to the parent disk. When you delete the base parent snapshot, all changes merge with the base virtual machine disk.
To delete a snapshot, a large amount of information must be read and written to a disk. This process can reduce the virtual machine performance until the consolidation is complete.
VMware Cloud Disaster Recovery is a VMware-delivered disaster recovery as a service (DRaaS) offering that protects on-premises vSphere and VMware Cloud on AWS workloads to VMware Cloud on AWS from both disasters and ransomware attacks. It efficiently replicates VMs to a Scale-out Cloud File System (SCFS) that can store hundreds of recovery points with recovery point objectives (RPOs) as low as 30 minutes. This enables recovery for a wide variety of disasters including ransomware. Virtual machines are recovered to a software-defined data center (SDDC) running in VMware Cloud on AWS. VMware Cloud Disaster Recovery also offers fail-back capabilities to bring your workloads back to their original location after the disaster is remediated.
Note: Currently, VCDR is only available as an add-on feature to VMware Cloud on AWS. The support for Azure VMware Solution is expected to come next.
To me, VCDR is one of the best solutions from the whole VMware portfolio.
High-Frequency Snapshots (HFS)
One of the differentiators and game-changers are these so-called high-frequency snapshots, which are based on the Light Weight Delta (LWD) technology that VMware developed. Using HFS allows customers to schedule recurring snapshots for every 30 minutes, meaning, that customers can get an Recovery Point Objective (RPO) of 30min!
To enable and use high-frequency snapshots, your environment must be running on vSphere 7.0 U3 or higher.
With HFS and LWD, there is no Changed Block Tracking (CBT), no VADP, and no VM stun. This results in better performance when maintaining these deltas.
Transparent Snapshots by Dell EMC PowerProtect Data Manager (PPDM)
At VMworld 2021, Dell Technologies presented a session called “Protect Your Virtual Infrastructure with Drastically Less Disruption [SEC2764S]” which was about “transparent snapshots” – image backups with near-zero impact on virtual machines, without the need to pause the VM during the backup process. No more backup proxies, no more agents.
As with HFS and VCDR, your environment needs to run on vSphere 7.0 U3 and higher.
How does it work?
PowerProtect Data Manager transparent snapshots use the vSphere API for I/O (VAI/O) Filtering framework. The transparent snapshots data mover (TSDM) is deployed in the VMware ESXi infrastructure through a PowerProtect Data Manager VIB. This deployment creates consistent VM backup copies and writes the copies to the protection storage (PowerProtect appliance).
After, this VIB (Data Protection Daemon (DPD) which is part of the VMware ESXi >7.0 U3 image has been installed on the ESXi host) tracks the delta changes in memory and then transfers the delta changes directly to the protection storage.
Note: PPDM also provides image backup and restore support for VMware Cloud on AWS and Azure VMware Solution, but requires VADP.
Light Weight Delta (LWD)
It seems that LWD has been developed by VMware but there is no publicly available information out there yet. I only found this screenshot as part of this Dell article:
It also seems that Dell is/was the first who could leverage the LWD protocol exclusively but I am sure it will be made available to other VMware partners as well.
A customer of mine asked me a few days ago: “Is it not possible to get NSX Security features without the network virtualization capabilities?”. I wrote it already in my blog “VMware is Becoming a Leading Cybersecurity Vendor” that you do not NSX’s network virtualization editions or capabilities if you are only interested in “firewalling” or NSX security features.
If you google “nsx security”, you will not find much. But there is a knowledge base article that describes the NSX Security capabilities from the “Distributed Firewall” product line: Product offerings for NSX-T 3.2 Security (87077).
Believe it or not, there are customers that haven’t started their zero-trust or “micro-segmentation” journey yet. Segmentation is about preventing lateral (east-west) movement. The idea is to divide the data center infrastructure into smaller security zones and that the traffic between the zones (and between workloads) is inspected based on the organization’s defined policies.
If you are one of them and want to deliver east-west traffic introspection using distributed firewalls, then these NSX Security editions are relevant for you:
VMware NSX Distributed Firewall
NSX Distributed Firewall (DFW)
NSX DFW with Threat Prevention
NSX DFW with Advanced Threat Prevention
VMware NSX Gateway Firewall
NSX Gateway Firewall (GFW)
NSX Gateway Firewall with Threat Prevention
NSX Gateway Firewall with Advanced Threat Prevention
Network Detection and Response
Network Detection and Response (standalone on-premises offering)
The NSX Distributed Firewall is a hypervisor kernel-embedded stateful firewall that lets you create access control policies based on vCenter objects like datacenters and clusters, virtual machine names and tags, IP/VLAN/VXLAN addresses, as well as user group identity from Active Directory.
If a VM gets vMotioned to another physical host, you do not need to rewrite any firewall rules.
The distributed nature of the firewall provides a scale-out architecture that automatically extends firewall capacity when additional hosts are added to a data center.
Should you be interested in “firewalling” only, want to implement access controls for east-west traffic (micro-segmentation) only, but do not need threat prevention (TP) capabilities, then “NSX Distributed Firewall Edition” is perfect for you.
So, which features does the NSX DFW edition include?
The NSX DFW edition comes with these capabilities:
L2 – L4 firewalling
L7 Application Identity-based firewalling
User Identity-based firewalling
NSX Intelligence (flow visualization and policy recommendation)
Aria Operations for Logs (formerly known as vRealize Log Insight)
What is the difference between NSX DFW and NSX DFW with TP?
With “NSX DFW with TP”, you would get the following additional features:
Distributed Intrusion Detection Services (IDS)
Distributed Behavioral IDS
Distributed Intrusion Prevention Service (IPS)
Distributed IDS Event Forwarding to NDR
Where does the NSX Distributed Firewall sit?
This question comes up a lot because customers understand that this is not an agent-based solution but something that is built into the VMware ESXi hypervisor.
The NSX DFW sits in the virtual patch cable, between the VM and the virtual distributed switch (VDS):
Note: Prior to NSX-T Data Center 3.2, VMs must have their vNIC connected to an NSX overlay or VLAN segment to be DFW-protected. In NSX-T Data Center 3.2, distributed firewall protects workloads that are natively connected to a VDS distributed port group (DVPG).
VMware NSX Gateway Firewall
The NSX Gateway Firewall extends the advanced threat prevention (ATP) capabilities of the NSX Distributed Firewall to physical workloads in your private cloud. It is a software-only, L2 – L7 firewall that includes capabilities such as IDS and IPS, URL filtering and malware detection as well as routing and VPN functionality.
If you are not interested in ATP capabilities yet, you can start with the “NSX Gateway Firewall” edition. What is the difference between all NSX GFW editions?
The NSX GFW can be deployed as a virtual machine or with an ISO image that can run on a physical server and it shares the same management console as the NSX Distributed Firewall.
Today, more than ever, both humans and machines consume or process data. We, humans, consume data through multiple applications that are hosted in different clouds from different devices like smartphones, laptops, and tablets. Companies are building applications that need to look good and work well on any platform/device.
At the same time, developers are building new applications following cloud-native principles. A cloud-native architecture is a design pattern for applications that are built for the cloud. Most cloud-native apps are organized as microservices which are used to break up larger applications into loosely coupled units that can be managed by smaller teams. Resilience and scale are achieved through horizontal scaling, distributed processing, and automated placement of failed components.
Different people have a different understanding of “cloud-native” and the chances are high that you will get different answers. Let us look at the official definition from CNCF:
“Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach.
These techniques enable loosely coupled systems that are resilient, manageable, and observable. Combined with robust automation, they allow engineers to make high-impact changes frequently and predictably with minimal toil.”
12-Factor App
A widely accepted methodology for building cloud-based applications is the “Twelve-Factor Application”. It uses declarative formats for automation to minimize time and costs. It should offer maximum portability between execution environments and be suitable for the deployment on modern cloud platforms. The 12-factor methodology can be applied with any programming language and may use any combination of backing servers (caching, queuing, databases).
Interestingly, we now see other factors like API-first, telemetry, and security complementing this list.
While doing research for my book about “workload mobility and application portability”, I saw the term “API-first” many times.
Then I started to remember that VMware acquired Mesh7 a while ago and they announced Tanzu Service Mesh Enterprise last year at VMworld Europe (now known as VMware Explore). API security was even one of their main topics during the networking & security solutions keynote presented by Tom Gillis.
That is why I thought it is time to better understand this topic and write a piece about APIs. Let us start with some basics first.
What is an API?
An application programming interface (API) is a way for two or more software components to communicate with each other using a set of defined protocols and definitions. APIs are here to make the developer’s life easier.
I bet you have seen parts of Google Maps already embedded in different websites when you were looking for a specific business or restaurant location. Most websites and developers would use Google Maps in this case, because it just makes sense for us, right? That is why Google exposes the Google Maps API so developers can embed Google Maps objects very easily in a standardized way. Or have you seen anyone who wants to develop their own version of Google Maps?
In the case of enterprises, APIs are a very elegant way to share data with customers or other external users. Such public APIs like Google Maps APIs can be used by partners who then can access your data. And we all know that data is the new oil. Companies can make a lot of money today by sharing their data.
Even when using private APIs (internal use only), you decide who can access your API and data. This is one of the reasons why API security and API management become more important. You want to provide secure access when sensitive data is being exposed.
What is an API Gateway?
For microservices-based apps, it makes sense to implement an API gateway, because it can act as a single entry point for all API calls made to your system. And it doesn’t matter if your system/application is hosted on-premises, in the public cloud, or a combination of both. The API gateway takes care of the request (API call) and returns the requested data.
API gateways can also handle other tasks like authentication, rate management, and statistics. This is important for example when you want to monetize some of your APIs by offering a service to consumers or other companies.
What is Spring Cloud Gateway for VMware Tanzu?
Spring Cloud Gateway for VMware Tanzu provides a simple way to route internal and external API requests to application services that expose APIs. This solution is based on the open-source Spring Cloud Gateway project and provides a library for building API gateways on top of Spring and Java.
Because it is intended that Spring Cloud Gateway sits between a requester and the resource that is being requested, it is in the position to intercept, analyze and modify requests.
Revitalize Legacy Apps with APIs
Before we had microservices, there were monolithic applications. An all-in-one application architecture, where all services are installed on the same virtual machine and depend on each other.
There are multiple reasons why such a monolith cannot be broken up into smaller pieces and modernized. Sometimes it’s not (technically) possible, not worth it, or it just takes too long. Hence many companies still use such monolithic (legacy) applications. The best example here is the mainframe which often still runs business-critical applications.
I always thought that my customers only have two options when modernizing applications:
Start from scratch (throw the old app away)
Refactor/Rewrite an application
Rewriting an application needs time and costs money. Imagine that you would refactor 50 of your applications, split these monoliths up in microservices, connect these hundreds or thousands of microservices, and at the same time must take care of security (e.g., vulnerabilities).
So, what are you going to do now?
APIs seem to provide a very cost-effective way to integrate some of the older applications with newer ones. With this approach, one can abstract away the data and services from the underlying (legacy) application infrastructure. APIs can extend the life of a legacy application and could be the start of a phased application modernization approach.
Tanzu Service Mesh Enterprise
At the moment, we only have an API gateway that sits in front of our microservices. Multiple (micro)services in an aggregated fashion create the API you want to expose to your internal or external customers. The question now is, how you do plan to expose this API when your microservices are distributed over one or more private or public clouds?
When we talk about APIs, we talk about data in motion. That is why we must secure this data that is sent from its source to any location. And you want to secure the application and data without increasing the application latency and decreasing the user’s experience.
API Security. API security is achieved through API vulnerability detection and mitigation, API baselining, and API drift detection (including API parameters and schema validation)
Personally Identifiable Information (PII) segmentation and detection. PII data is segmented using attribute-based access control (ABAC) and is detected via proper PII data detection and tracking, and end-user detection mechanisms.
API Security Visibility. API security is monitored using API discovery, security posture dashboards, and rich event auditing.
Final Words
APIs are used to connect different applications. They are also used to aggregate services or functions that can be consumed by other businesses or partners. Modern and containerized applications bring a large number of APIs with them, that can be hosted in any cloud.
With Spring Cloud Gateway and Tanzu Service Mesh Enterprise, VMware can deliver application connectivity services that enable improved developer experience and more secure operations.
It took me almost a year to realize the strengths of these (combined) products and why VMware for example acquired Mesh7. But it makes sense to me now. Even I do not completely understand all the key features of Spring Cloud Gateway and Tanzu Service Mesh.
Last year at VMworld 2021, VMware mentioned and announced a lot of (new) projects they are working on. What happened to them and which new VMware projects have been mentioned this year at VMware Explore so far?
Project Ensemble – VMware Aria Hub
VMware unveiled their unified multi-cloud management portfolio called VMware Aria, which provides a set of end-to-end solutions for managing the cost, performance, configuration, and delivery of infrastructure and cloud native applications.
VMware Aria is anchored by VMware Aria Hub (formerly known as Project Ensemble), which provides centralized views and controls to manage the entire multi-cloud environment, and leverages VMware Aria Graph to provide a common definition of applications, resources, roles, and accounts.
VMware Aria Graph provides a single source of truth that is updated in near-real time. Other solutions on the market were designed in a slower moving era, primarily for change management processes and asset tracking. By contrast, VMware Aria Graph is designed expressly for cloud-native operations.
Project Arctic has been introduced last year as a Technology Preview and was described as “the next step in the evolution of vSphere in a multi-cloud world”. What has started with the idea of bringing VMware Cloud services closer to vSphere, has evolved to a even more interesting and enterprise-ready version called vSphere+ and vSAN+. It includes developer services that consist of the Tanzu Kubernetes Grid runtime, Tanzu Mission Control Essentials and NSX Advanced Load Balancer Essentials. VMware is going to add more and more VMware Cloud add-on services in the future. Additionally, VMware even introduced VMware Cloud Foundation+.
Project Iris – Application Transformer for VMware Tanzu
VMware mentioned Project Iris very briefly last year at VMworld. In February 2022, Project Iris became generally available and is since then known as Application Transformer for VMware Tanzu.
Project Northstar
At VMware Explore on day 1, VMware introduced Project Northstar, which will provide customers a centralized cloud console that gives them instant access to networking and security services, such as network and security policy controls, Network Detection and Response (NDR), NSX Intelligence, Advanced Load Balancing (ALB), Web Application Firewall (WAF), and HCX. Project Northstar will be able to apply consistent networking and security policies across private cloud, hybrid cloud, and multi-cloud environments.
At VMware Explore on day 1,VMware unveiled Project Watch, a new approach to multi-cloud networking and security that will provide advanced app-to-app policy controls to help with continuous risk and compliance assessment. In technology preview, Project Watch will help network security and compliance teams to continuously observe, assess, and dynamically mitigate risk and compliance problems in composite multi-cloud applications.
Project Trinidad
Also announced at VMware Explore day 1 and further explained at day 2, Project Trinidad extends VMware’s API security and analytics by deploying sensors on Kubernetes clusters and uses machine learning with business logic inference to detect anomalous behavior in east-west traffic between microservices.
Project Trinidad just dropped from @vmwocto xLabs! This project is near and dear to my heart! (Happy Independence Day 🇹🇹!!! 😉)
Project Narrows introduces a unique addition to Harbor, allowing end users to assess the security posture of Kubernetes clusters at runtime. Images previously undetected, will be scanned at the time of introduction to a cluster, so vulnerabilities can now be caught, images may be flagged, and workloads quarantined.
Project Narrows adding dynamic scanning to your software supply chain with Harbor is critical. It allows greater awareness and control of your running workloads than the traditional method of simply updating and storing workloads.
VMware is open sourcing the initial capabilities of Project Narrows on GitHub as the Cloud Native Security Inspector (CNSI) Project.
Also introduced on day 2, Project Keswick is about simplifying edge deployments at scale. It comes as an xLabs project coming out of the Advanced Technology Group in VMware’s Office of the CTO.
A Keswick deployment is entirely automated and uses Git as a single source of truth for a declarative way to manage your infrastructure and applications through desired state configuration enabled by GitOps. This ensures the infrastructure and applications running at the edge are always exactly what they need to be.
At VMware Explore 2022 day 2, VMware demonstrated what they believe to be the world’s first quantum-safe multi-cloud application!
VMware developed and presented Project Newcastle, a policy-based framework enabling and orchestrating cryptographic transition in modern applications.
Integrated with Tanzu Service Mesh, Project Newcastle gives users greater insight into the cryptography in their applications. But that’s not all — as a platform for cryptographic agility, Project Newcastle automates the process of reconfiguring an application’s cryptography to comply with user-defined policies and industry standards.
Closing Comment
Which VMware projects excite you the most? I’m definitely going with Project Ensemble (Aria Hub) and Project Newcastle!
VMworld is now VMware Explore and is currently happening in San Francisco! This is a consolidated of the announcements from day 1 (August 30th, 2022).
VMware Introduces vSphere 8, vSAN 8 and VMware Cloud Foundation+
VMware today introduced VMware vSphere 8 and VMware vSAN 8—major new releases of VMware’s compute and storage solutions.
vSphere 8 – vSphere 8 introduces vSphere on DPUs, previously known as Project Monterey. In close collaboration with technology partners AMD, Intel and NVIDIA as well as OEM system partners Dell Technologies, Hewlett Packard Enterprise and Lenovo, vSphere on DPUs will unlock hardware innovation helping customers meet the throughput and latency needs of modern distributed workloads. vSphere will enable this by offloading and accelerating network and security infrastructure functions onto DPUs from CPUs.
vSphere 8 will dramatically accelerate AI and machine learning applications by doubling the virtual GPU devices per VM, delivering a 4x increase of passthrough devices, and supporting vendor device groups which enable binding of high-speed networking devices and the GPU.
vSAN 8: vSAN 8 introduces breakthrough performance and hyper-efficiency. Built from the ground up, the new vSAN Express Storage Architecture (ESA) will enhance the performance, storage efficiency, data protection and management of vSAN running on the latest generation storage devices. vSAN 8 will provide customers with a future ready infrastructure that supports modern TLC storage devices and delivers up to a 4x performance boost.
VMware Cloud Foundation+ – VMware introduces a new cloud-connected architecture for managing and operating full stack HCI in data centers. Built on vSphere+ and vSAN+, VMware Cloud Foundation+ will add a new cloud-connected architecture for managing and operating full-stack HCI in our data center or co-location facility.
VMware Cloud Foundation+ will deliver new admin, developer and hybrid cloud services through a simplified subscription model and keyless entitlement. VMware Cloud Foundation 4.5 will enable VMware Cloud Foundation+ by adding vSphere+ and vSAN+, plus a cloud gateway that provides access to the VMware Cloud Console as part of the full stack architecture.
VMware Cloud for Hyperscalers
VMC on AWS – Amazon Elastic Compute Cloud (Amazon EC2) I4i instances for I/O-intensive Workloads: Powered by 3rd generation Intel® Xeon® Scalable processors (Ice Lake), Amazon EC2 instances help deliver better workload support and delivery, lower TCO, and increased scalability and application performance. Compared to I3, the I4i instances provide nearly twice the number of physical cores, twice the memory, three times the storage capacity, and three times the network bandwidth.
Amazon FSx for NetApp ONTAP Integration Availability – as a native AWS cloud storage service that is certified as a supplemental datastore for VMware Cloud on AWS, FSx for ONTAP offers fully managed shared storage built on the familiar NetApp ONTAP file system trusted by VMware customers running on premises today. Customers can now use FSx for ONTAP as a simple and elastic datastore for VMware Cloud on AWS, enabling them to scale storage up or down independently from compute while paying only for the resources they need.
VMware Cloud Flex Storage Availability – A new VMware-managed and natively integrated cloud storage and data management solution that offers supplemental datastore-level access for VMware Cloud on AWS. With just a few clicks in the VMware Cloud Console, customers can scale their storage environment without adding hosts, and elastically adjust storage capacity up or down as needed for every application. Customers also benefit from a simple, pay-as-you-consume pricing model. Together with VMware vSAN, VMware Cloud Flex Storage offers flexibility and customer value in terms of resilience, performance, scale, and cost in the cloud.
VMware Cloud Flex Compute – “Preview” of a new cloud compute model that will help customers get started faster with VMware Cloud on AWS. With this new model, VMware introduces a “resource-defined” cloud compute model in place of “hardware-defined” compute instance model which will provide customers higher flexibility, elasticity, and speed to better meet cost and performance requirements of enterprise applications. It will help customers get started faster with VMware Cloud on AWS by using smaller consumable units.
Oracle Cloud VMware Solution – New features and capabilities with VMware Tanzu Standard Edition and introduced support for single host SDDCs for non-production workloads.
VMware Cloud Management – VMware Aria
VMware unveiled a multi-cloud management portfolio called VMware Aria, which provides a set of end-to-end solutions for managing the cost, performance, configuration, and delivery of infrastructure and cloud native applications.
VMware Aria is a new brand for the vRealize components, Tanzu Observability by Wavefront and CloudHealth unified under one umbrella, one name.
The VMware products and services within the VMware Aria portfolio are:
VMware Aria is anchored by VMware Aria Hub (formerly known as Project Ensemble), which provides centralized views and controls to manage the entire multi-cloud environment, and leverages VMware Aria Graph to provide a common definition of applications, resources, roles, and accounts.
VMware Aria Graph provides a single source of truth that is updated in near-real time. Other solutions on the market were designed in a slower moving era, primarily for change management processes and asset tracking. By contrast, VMware Aria Graph is designed expressly for cloud-native operations.
VMware Aria provides features and functions that span management disciplines and clouds to deliver unique value for multi-cloud governance, cross-cloud migration, and actionable business insights. In addition, there are three new end-to-end management services built on top of VMware Aria Hub and VMware Aria Graph:
VMware Aria Guardrails – Automate enforcement of cloud guardrails for networking, security, cost, performance, and configuration at scale for multi-cloud environments with an everything-as-code approach
VMware Aria Migration – Accelerate and simplify the multi-cloud migration journey by automating assessment, planning, and execution in conjunction with VMware HCX
VMware Aria Business Insights – Discern relevant business insights from full-stack event correlation leveraging AI/ML analytics
Networking and Security
Project Northstar – Project Northstar is a SaaS-based network and security offering that will empower NSX customers with a set of on-demand multi-cloud networking and security services, end-to-end visibility, and controls. Customers will be able to use a centralized cloud console to gain instant access to networking and security services, such as network and security policy controls, Network Detection and Response (NDR), NSX Intelligence, Advanced Load Balancing (ALB), Web Application Firewall (WAF), and HCX. It will support both private cloud and VMware Cloud deployments running on public clouds and enable enterprises to build flexible network infrastructure that they can spin up and down in minutes.
DPU-based Acceleration for NSX – Formerly known as Project Monterey, VMware announced that starting with NSX 4.0 and vSphere 8.0, customers can leverage DPU-based acceleration using SmartNICs. Offloading NSX services to the DPU can accelerate networking and security functions without impacting the host CPUs, addressing the needs of modern applications and other network-intensive and latency-sensitive applications.
Project Trinidad – Available as tech preview, Project Trinidad extends VMware’s API security and analytics by deploying sensors on Kubernetes clusters and uses machine learning with business logic inference to detect anomalous behavior in east-west traffic between microservices.
Project Watch – VMware unveiled Project Watch, a new approach to multi-cloud networking and security that will provide advanced app-to-app policy controls to help with continuous risk and compliance assessment. In technology preview, Project Watch will help network security and compliance teams to continuously observe, assess, and dynamically mitigate risk and compliance problems in composite multi-cloud applications.
Additionally, VMware NSX Advanced Load Balancer adds new bot management capabilities to help enterprises address threats quickly and efficiently, providing enhanced multi-layer application protection with existing Web Application Firewall, DDoS protection, and API security.
Edge
VMware Edge Compute Stack 2.0 – VMware announced the VMware Edge Compute Stack v1.0 last year and is now adding more features and functionalities optimized for different use cases at the enterprise edge – shipped with vSphere 8 and Tanzu Kubernetes Grid 2.0. VMware, for the first time, will introduce initial support for non-x86 processor-based specialized small form factor edge platforms to simultaneously run IT/OT workloads and workflows on a single stack.
VMware Private Mobile Network (Beta) – Delivered by service providers, this new managed service offering provides enterprises with private 4G/5G mobile connectivity in support of edge-native applications. VMware will empower partners with a single PMN orchestrator to operate multi-tenant private 4G/5G networks with an enterprise-grade solution.
Modern Applications (VMware Tanzu)
Tanzu Application Platform – VMware pre-announced new Tanzu Application Platform (TAP) 1.3 capabilities like the availability on RedHat OpenShift or the support for air-gapped installations for regulated and disconnected environments.
Tanzu Kubernetes Grid – With the release of TKG 2.0, VMware now includes a unified experience for applications running on any cloud. In the near future, Tanzu Kubernetes Grid 2.0 should support both Supervisor-based and VM-based management cluster models. On vSphere 8, both Supervisor-based and VM-based models will be supported, and VM-based management clusters will continue to be available on previous versions of vSphere and public clouds. This means in other words, that VMware continues with their “TKGS” and “TKGm” flavors.
Support for customer-owned enterprise certificate authority through integration with Venafi
Improved security with enterprise-approved container image registries, data services support, external services support
and a global SLO dashboard that allows developers and site-reliability engineers to view all managed service SLOs, helping with capacity planning, troubleshooting, and understanding the health of their applications.
VMware unveiled how it is advancing self-configuring, self-healing and self-securing outcomes across four key technology areas that are delivered by the Anywhere Workspace platform:
VDI and DaaS
Digital Employee Experience
Unified Endpoint Management
Security
VMware is introducing a next generation of VMware Horizon Cloud that will enable multi-cloud agility and flexibility. This new release represents a major update to Horizon Cloud on Microsoft Azure that can dramatically simplify the infrastructure that needs to be deployed inside customer environments, reducing infrastructure costs in some cases by over 70% while increasing scalability and reliability of VMware’s DaaS platform.
Workspace ONE UEM’s Freestyle Orchestrator will be expanding to include support for mobile devices.
Workspace ONE support for Windows OS multi-user mode is now available in Tech Preview for Azure Active Directory-based deployments; and it will soon be extended to Active Directory-based deployments.
VMware also announced the coming tech preview of Workspace ONE Cloud Marketplace, which will feature dashboards, widgets, reports, Freestyle Orchestrator workflows, and other resources that can be imported to help customers adopt additional solutions.
Horizon Managed Desktop – I am very excited about this announcement, because it will provide a managed service offering that takes care of lifecycle services, support, and more, on top of a customer-provided infrastructure. This will help customers that don’t have in-house experts get to value with VDI faster.
Availability
VMware Cloud Foundation+, VMware vSphere 8, VMware vSAN 8 and VMware Edge Compute Stack 2.0 are all expected to be available by October 28, 2022 (the close of VMware’s Q3 FY23). VMware Private Mobile Network is expected to be available in beta in VMware’s Q3 FY23.
Closing Comment
Not bad for the first day, right? Stay tuned for more exciting VMware Explore announcements!
It has been a while since I wrote about end-user computing (EUC) or anywhere workspace related topics, but I was waiting for a solution like this when I joined VMware back in 2018 as a EUC Solution Architect focusing on Horizon and Workspace ONE. Before I left for vacation in mid-June, VMware announced the general availability of Workspace ONE Mobile Threat Defense (MTD), which brings mobile security integrated directly into Workspace ONE Intelligent Hub.
Workspace ONE (WS1) is VMware’s digital workspace platform that enables companies to simply and securely deliver and manage any app on any device. It integrates access control, application management and multi-platform endpoint management and is available on-premises deployment or as a cloud service (SaaS).
Part of WS1 is Workspace ONE UEM (Unified Endpoint Management), which gives customers the capabilities to manage the full lifecycle of any endpoint – mobile (iOS, Android), desktop (Windows 10/11, macOS, Chrome OS, Linux), rugged devices and even IoT devices – in one single solution and management console.
While Workspace ONE can enable a full zero trust architecture and provides different components that make a digital workspace more secure, there was no integrated solution available for mobile devices.
Before this announcement back in June 2022, Workspace ONE customers had to use Workspace ONE Intelligence with Workspace ONE Trust Network that integrates threat data from 3rd party vendors that provide EDR (endpoint detection and response) solutions, mobile threat defense capabilities, or cloud access security brokers (CASB). WS1 Intelligence provides users and admins insights into the risks of devices and users.
Workspace ONE Intelligence provides visibility by aggregating data from multiple sources with the goal in mind to better understand the security posture of a user’s device and employee experience. In the case of mobile security, by using Workspace ONE Trust Network, admins can integrate and aggregate threat data from external sources like Zimperium Mobile Threat Defense, Netskope or Lookout Mobile Endpoint Security.
Mobile Endpoint Security
The next step in the evolution is a WS1 UEM-integrated mobile protection powered by Lookout. Finally, customers can provide mobile specific protection and not only identity or network-based security mechanisms.
What started with an API integrated approach with Workspace ONE Trust Network has become one solution by integrating Lookout’s SDK (Software Development Kit) into Workspace ONE’s Intelligent Hub. Customers do not have to install or activate a separate app.
Workspace ONE Mobile Threat Defense Key Features
WS1 MTD addresses the dangers of phishing and web content, threat, vulnerabilities, and behaviors unique to mobile (Android, iOS, Chrome OS):
Application-based threats including mobile malware, app vulnerabilities, and risky application behaviors and configurations
Web and content vulnerabilities exposed through phishing via email, SMS, and messaging apps. This includes malicious URLs; malicious web pages, videos, and photos; and web and content behaviors and configurations
Zero-day threats and device vulnerabilities including jailbreak and root access detection. Device risk including OS version and update adoption.
Machine-in-the-middle attacks (MITM) and risky behaviors such as SSL certificate stripping; forcing weaker algorithm negotiation; anomalous application network connection activity; and vulnerabilities associated with rogue Wi-Fi
Integrated with Workspace ONE Intelligence, customers get these additional capabilities:
Aggregate view of events across users and device types
Interconnect endpoint, app, and identity analytics; CVE data; and threat data
Automate remediation of devices back to secure and compliant state
Flag users and devices for investigation and follow up
Notify users of issues that require self remediation
Lookout has developed the Mobile Risk Matrix to help organizations understand the components and vectors that make up the spectrum of mobile risk:
How does it work?
This video provides a short and good explanation:
Product Components and Requirements
There are different components required to use Workspace ONE Mobile Threat Defense:
WS1 MDT is available for Workspace ONE UEM on-premises, SaaS or managed hosting customers
Workspace ONE Intelligent Hub 2204 or later
Lookout for Work Mobile App is optional
Only required for phishing and content protection, Android dual enrollment, and Chrome OS support
Workspace ONE Intelligence is optional
Required for customers that want to see threat data and use Intelligence’s automation engine
How to get Workspace ONE Mobile Threat Defense?
Workspace ONE Mobile Threat Defense is available with all Workspace ONE editions that deliver mobile management and UEM. This add-on SKU per device can be subscribed with these editions:
Workspace ONE Mobile Essentials
Workspace ONE UEM Essentials
Workspace ONE Standard
Workspace ONE Advanced
Workspace ONE Enterprise
Anywhere Workspace Enterprise
The Workspace ONE editions comparison datasheet can be found here.
Lookout has a huge install base with more than 200 million devices and was first in the industry to provide an enterprise mobile security product. Lookout’s demonstrated track of record of continuous innovation creates value for customers and a competitive advantage (they hold more than 175 patents!):
The Company also continued to enhance its market-leading Mobile Threat Defense solution – Lookout Mobile Endpoint Security – with the release of two new innovative features: Mobile Endpoint Detection and Response (mEDR) and Protective DNS for iOS and Android platforms. Mobile EDR is used to detect and investigate threats on mobile endpoints through real-time continuous monitoring and endpoint data analytics. Protective DNS encrypts DNS queries and implements safeguards to prevent users from accessing domains associated with phishing, malware, botnets, and other high-risk categories before a connection to the endpoint can be established.
Currently working as a Lead Solution Architect for VMware Switzerland and focus on some of the largest and most strategic customers. Additionally, I am part of VMware's Office of the CTO Global Field and Industry team in the role of a CTO Ambassador. I also engage with the VMware community as a co-leader of the Swiss German VMUG and became a VMware vExpert PRO in 2022. Opinions are my own.
VMware CMTY Podcast #607 – VMware Cloud Foundation
VMware CMTY Podcast #546 – VMware Carbon Black Cloud Workload