VMware App Defense – Secure the Front Door of your Business

More often than not we see and hear news of data breaches, and I am sure this weighs heavily on the minds of IT leaders. But security has been around for decades and IT leaders have put safeguards into place. They execute best practices by layering security in their environment: firewalls at the perimeter, limited access to systems, monitoring, regular updates and patching, automation to reduce user errors, network segmentation between lab, test, dev, prod and DMZ environments, micro-segmentation to shrink the footprint even more, internal audits to verify processes, and penetration testing. Even when all of the aforementioned, and more that I have left out, is executed at a near perfect rate… I want to say that again, executed at a near perfect rate… it may not be enough. Check that: it IS not enough. Enter App Defense.

App Defense is an application that learns how your app is built, deployed and run. It understands what services are running, what executables are used, which systems it is communicating with, and over what network ports. I highly recommend the video at https://goo.gl/bSSHu3. This video was part of a keynote at VMworld 2017 in Las Vegas. To save you some time I have the Cliff's Notes below. If you want to go right to the demo, which is also highly recommended, go to the 20 minute mark. If you have never seen how easy it is for an experienced hacker to gain access to your systems, even with layered security in place, it is eye opening.

In the video, Tom Corn does a brilliant job of drawing the parallel between your first child and an application. On the surface this seems like a stretch, but it does make sense as he steps through it.

The Phases:

  • Planning Phase
  • Development Phase
  • Functional testing
  • GA

Yes, there are counterpoints from the child perspective here but let’s just move forward with the analogy.

After GA/birth, there is day two operations. It’s that sinking feeling when you load your child and wife into the car and drive home at 5 miles an hour with the flashers on. There is no manual or run book on how to raise a child.

Panic sets in and you start to worry about all of the threats that you see and hear about.

  • News
  • Social Media
  • WebMD

To alleviate this you:

  • Baby proof the house (build a safe environment)
  • Get a new crib (apparently the one I put my kids in ~20 years ago was not safe)
  • You don't put them where they can be exposed (don't bring them to a sick relative) – or, in IT terms, don't put your DB on the Internet.

You monitor your child and get to understand them by their (analytics):

  • Appetite
  • Temp
  • Mood
  • How often they rest
  • Behavior


You learn more by collaborating with your doctor (security team).

Now that you can see the parallels, we transition to App Defense…

Since environments are distributed across networking, storage and compute, the attack surface is even greater. Of course we can shrink this with hardware, by restacking everything and putting firewalls up on every network port, but that would incur considerable CapEx and OpEx expense. The better approach is to leverage a software solution that shrinks the footprint by layering security and enforces least privilege based on known good behavior.

App Defense is built on the concept of Capture, Detect and Respond.


Capture – Discover and capture the intended behavior of all VM activity associated with the application, servers and regulatory scope. This is done with collections from vCenter, infrastructure provisioning systems (vRealize, Puppet, Chef), app frameworks (Ansible, Jenkins) and machine learning at the hypervisor.

Detect – Monitor what is running and compare it to what is intended. Applications are protected in an isolated zone that monitors guest manifests. There are partners in this space to enhance the detection, as it will continue to change.

Respond – Leverage the SDDC to automate action via orchestrated responses. There is a library of orchestrated responses that will continue to grow; for example, suspend, shut down, or quarantine in the event of a detection. This can be an automated or manual operation.

This is the point where the demo would be. I am not going to highlight the demo because it is a must see.

To summarize, App Defense is another security tool to enhance your overall security platform. It brings the IT security team closer to the application side of IT (it is typical to see the majority of security focused on infrastructure, which is understandable). If you understand data security you know there is no one tool or process that will address all threats. However, I will leave you with this thought. Think of your application as a door to your environment. Not having App Defense is the equivalent of not having security on your datacenter or server room door. People have to enter the room, but you know what they are doing and what they are taking out. Or at least you should.

HOL Recommendation: HOL-1842-01-NET

As indicated on my website, thoughts are my own and do not reflect those of my employer.

My Personal VMworld 2017 Gratitude

I think it is important to do a recap of my VMworld 2017. First and foremost there are so many people to thank for their contributions. No one person can put on VMworld. It takes a team of dedicated individuals willing to sacrifice their personal time for the company. Being the great company that VMware is, this is not hard to come by, but nevertheless it is important to thank those involved.

  • TAM Customer Day Specialists Roundtables – This is my fourth year working on this event, my second year leading the effort. For those who are not familiar with TAM Customer Day, it is an exclusive event held for our TAM Customers. In the past it was a dedicated day starting with a General Session, followed by several break-out sessions, Ask the Expert sessions, closing sessions, and finally the TAM Customer Reception. This year we scaled back to a half day hosting a General Session followed by Specialists Roundtables (formerly Ask the Experts). This was done to limit conflicts with other events happening on this day. IMHO, this worked out much better, as attendance was over 1200 customers. We also added Demo Stations to the Specialists Roundtables this year and the response was off the charts. TAM Customers got a sneak peek of the new software releases and services that were announced later in the week. #TAMvalue
    • Thank you – Jason D., Cheryl E., Khalid D., Bill S., Bill K., and Niska D.
  • Presenting Break Out Session – Automation Deployed: Now What? Four Different Perspectives of Day 2 Operations in an Automated Environment [LDT2867PU] – This was my second VMworld presentation. This year I decided to go with a customer panel and I am glad I did. I thought the information shared was extremely valuable and I will certainly follow up with a dedicated blog on the content. I always liked hearing customer use cases when I was a customer and I am happy to bring this type of perspective to my sessions. BTW – these are all TAM customers. #TAMvalue
    • Thank you – Erin O., Cecilio A., Will H., Dan R., Michael McGowan, Steve Schofield, Nabeel Chaudhri, Curt Johnson.


  • Booth / Floor Duty – This year VMware had the largest booth in Solutions Exchange and it was awesome. For the first time we had Industry Booths and I was asked to work the Banking booth. During my shift I had to run out for a customer meeting.
    • Thank you – Imran J. and Cecilio A.


  • Customer Meetings – If you are a TAM at VMworld and you are not running from meeting to meeting for your customers, you are not doing your job. While I did have a couple of pre-scheduled meetings, there were a couple of impromptu customer to customer meetings that were pulled together. Without help from my peers this would not have happened. #TAMvalue
    • Thank you – Sean D., Sean L., Peter D., Dan C., Jane M., Mandip G.

Food Tour with Chef Dell

  • Spousetivities (http://spousetivities.com/) – If you travel for business and have the opportunity to bring your significant other, it is a great opportunity to travel together. However, what does he or she do while you are in a conference all day? Spousetivities! This is the third year my wife has traveled to VMworld with me and her third year at Spousetivities. This year I volunteered her to be the liaison for our TAM Customers if their significant others had questions. She fielded DMs and texts, answering questions and getting people set up with activities. Additionally she had to put up with me and my colleagues through a couple of entertaining dinners. #TAMwifevalue
    • Thank you Jenna!


I want to acknowledge my North East TAM Team for their support over the past several months. Whether you realize it or not, your support helps me tremendously. From simply being flexible in rescheduling a meeting, to assisting on a customer call, none of this happens without the support of arguably the best team at VMware.

Last but certainly not least. Cheryl of the House Principal TAM, First of Her Name, the Undeterred, Queen of TCC, Cheryl of the Great Elastic Sky, Breaker of Issues, and Mother of TAMs (reference). Your guidance over the past year has been priceless. Thank you for your continued support!


VMware Announces Cloud Services – Expanding into a SaaS Portfolio

Wow! What a great time to be a part of VMware. This was by far the most exciting VMworld that I have been a part of. With so much that was announced, I want to highlight the announcements that were made around Cloud Services. With all the excitement of what the tools do, I wanted to simplify what was announced and why it is key to the IT industry.

In October 2016, VMware announced a strategic alliance with Amazon to bring us VMC on AWS (VMware Cloud on Amazon Web Services). This has been in the works through a limited beta, and VMware announced Initial Availability at VMworld 2017. In addition to this announcement, VMware also announced VMware Cloud Services.

I fully understand the excitement of having VMC on AWS available; the use cases are quite compelling (Disaster Recovery in the cloud, datacenter expansion or relocation, TCO savings), and I am sure technologists were chomping at the bit to see the pricing. There were plenty of demos and customer endorsements around the product as well. However, in talking to a few customers, the Cloud Services announcements seemed to be a bit muted or lost in the conversation.

VMware Cloud Services is VMware software available as a service, or VMware SaaS. This is key to the IT industry, as we have seen the paradigm shift in how IT software is offered. IT is consistently asked to do more with less. We have all heard the buzzwords: agility, elasticity and efficiency. Well, these buzzwords are the CIO's deliverables. They are to provide new products at faster speeds while using technology efficiencies to drive down costs. VMware listens and continues to address these needs.

The argument can be made either way for on-prem and off-prem services; maybe a topic for another blog. However, VMware gives customers the flexibility to choose a traditional licensing model, SaaS, or even a combination of both (yes I avoided the “h” word there). Not all of VMware’s licensing is available as a service, but most of the core products are.

VMC on AWS is part of the VMware Cloud Services portfolio. If you visit https://cloud.vmware.com/service-catalog you can find the full menu of the Cloud Services offerings. The new offerings that were announced during VMworld 2017 are:

VMware Cloud on AWS – VMware Infrastructure Services (vSphere/vSAN/NSX) available through AWS.

Wavefront by VMware – SaaS based monitoring and analytics.

HCX Technologies – Software that abstracts version differences between platforms for full mobility between private and public cloud platforms (IBM and OVH late 2017).

Network Insight – Network Visibility for Private and Public Clouds.

NSX Cloud – The ability to use NSX across multiple clouds. Removing networking silos, increasing operational efficiency and security consistency.

AppDefense – vSphere hypervisor based protection for application endpoints.

Cost Insight – Private and Public cloud cost based analysis.

Discovery – Private and public cloud discovery of assets.

As you can see, this is a significant shift to expand VMware services into cloud based offerings. It was my intention to keep the descriptions at a high level for this article, with plans to post follow-ups on each offering as I dive into them more. I am excited to see VMware's shift to this model and am looking forward to seeing how our Enterprise customers respond to this offering. If it is anything like what we have seen with the VMC on AWS beta program, we are in for something good!


Thoughts and opinions are my own and do not represent those of VMware.


Catching Up

Well, it has been a few months since my last blog. Priorities and additional responsibilities have delayed me from getting something posted. Re-organizing my time has taken longer than I expected. I apologize to my few followers. I cannot believe we are wrapping up June 2017 already. It seems like we were just getting ready for the winter break not too long ago.

So let's catch up.

Personally, wait, can I say that? Oh yeah, it's a personal blog. Personally, I have been pushing my spare time to the limit. I have been updating my home for about a year now. It started last year when my daughter, Teia, wanted her room re-painted. Well, a weekend job turned into installing hardwood floors on the second floor, a kitchen update (with some home automation 🙂 ), an office update, and now I am working through the remainder of the house with hardwood. I am finishing the dining room now. I find this work relaxing at times, and honestly, I am pretty good at it. Something to fall back on if needed; having a craft that can make you money is never a bad thing, right? Thankfully I have a very patient wife, but I think I am getting close to the limit. There has been at least one room in disarray for over a year now. I need to pick up the pace.


The home improvement project happens on nights and weekends when I am not taking care of higher priorities. Teia just wrapped up her Junior year in High School, so we have been college shopping on a few weekends. Add a couple of much-needed trips to Florida for vacation (those who live in the North East understand this), writing an abstract for VMworld 2017 and of course studying for my VCP-DCV, which was going to expire in March and which thankfully I passed.

Since the last blog our CSEF Inc. foundation has been hard at work too. We have held three successful fundraising events: Party with a Purpose, the Teacher Basketball game (in partnership with the Clarence Teachers Association), and our annual Peach Cup golf tournament. All were a great success, which is credited to the superb Board of the foundation.

From a work perspective, I was selected to the CTO Ambassador Program at VMware. I am humbled and honored to be part of such a prestigious group of thought leaders. This happened in January, and since then there have been weekly meetings and a couple of trips to the West Coast. We are also gearing up for VMworld 2017, and I am involved in some of the conference planning as well as preparing for the panel session I am hosting.

Now that we are caught up I am hopeful to get blogs out on a more regular basis. I am crafting one now that will most likely be posted on the TAM Blog in the near future. I will post a link here if that is the case.

The Little Things Make the Biggest Difference

I am proud of VMware’s focus and commitment to our EPIC2 values. EPIC2 stands for Execution, Passion, Integrity, Customers and Community. More on our EPIC2 values can be found here. This article focuses on the Community aspect of these values.

I am honored to be the President and Board member of the Clarence Schools Enrichment Foundation (CSEF Inc.). CSEF Inc. is a non-profit 501c3 foundation that raises funds to enhance the education experiences of the students in the Clarence School District. I wanted to share this story because I was recently moved by the results of our funded grants. Each year CSEF supports the funding of two grant cycles, one in the fall and one in the spring. We also consider and support various special requests throughout the year. More information about our foundation can be found at www.clarenceschoolfund.org.

During the fall of 2016, we received 25 grant applications totaling over $34,000. Unfortunately, we cannot fund all requests. Each request is reviewed and scored by a committee comprised of business and community members.  The committee then provides recommendations back to the CSEF board. This fall there were two grants that we funded for the equipment to build sensory rooms in the Clarence Center Elementary and Harris Hill Elementary Schools.

On Monday February 13th, I attended the Clarence School District Board of Education (BOE) meeting where the Clarence Center Elementary Principal, Colleen Coggins, and Anne Marie Olczak an Occupational Therapist, presented to the Board the Clarence Center Elementary School Sensory Room. Before the presentation to the board, I was able to see the room for myself where I met a student who was preparing for his presentation. Although this grant was only for $1000, I immediately saw the impact it had on this student and how appreciative and excited he was. In talking with both Ms. Coggins and Ms. Olczak I knew they also appreciated the grant. He showed me around the room, the items we purchased, how they are used, and I even got to play a little catch with him using the weighted ball.


During the presentation to the BOE, Ms. Coggins and Ms. Olczak went through their presentation explaining the purpose of the sensory room, who will use it, and the activities the kids will partake in. They reviewed the sensory activities that will impact touch, sight, hearing, smell and taste. They also explained the vestibular as well as proprioceptive activities which will be implemented as strategies within the sensory room.  I was back in elementary school learning once more.

The sensory room can be used by students who are dealing with stress, sensitivity to touch and sounds, fear of crowds, hyperactivity, trouble with balance and several other conditions that we would normally dismiss. The goal of the sensory room is to proactively manage students struggling with focus, attention and self-control. They will teach the student how to manage and self-regulate their emotions and modulate their movements. The school psychologist and principal, in coordination with the occupational therapist, will be involved in the referral process. The occupational therapist will also be involved in assisting and training staff members.

After the BOE presentation, we all took a short walk to the sensory room, where the student I previously met delivered an excellent presentation of the room to the BOE and attendees of the meeting. With his 3×5 cards in hand, he read through his notes with fearless precision, showed us each device and how it is used, then dazzled us by solving a Rubik's cube in less than 2 minutes, mostly without looking at it and while carrying on a conversation. Needless to say we were all impressed. I hope to see him on the stage at VMworld in 15 years or so.

I am happy to see how $1000 can make a huge difference in the lives of children and it really motivates me to do more. Clarence Center is not the first Elementary School to do this in the district. There is another in flight that also received a fall grant from CSEF that we are waiting with anticipation on how that will turn out.

VMware continues to support efforts like this and many more globally. I am happy to be part of an organization that embraces the ‘community’ ethos and encourages their employees to do the same. The VMware Foundation also matches employee donations which helps the charities that employees contribute to.

So next time you are asked to participate or volunteer in a local organization, remember that a small amount, whether it is financial or by donating your time, will go a long way.


Disable ATS Heartbeat?

Before the winter break one of my customers ran into storage disconnect issues with their ESXi hosts on a particular cluster connected to a specific shared storage. I will keep this high level and lacking specifics as they do not pertain to the overall article.

During the troubleshooting process it was recommended at one point to disable VAAI ATS heartbeats on the ESXi hosts, as the storage vendor thought this may be a contributing factor to the underlying issue. The timing of a recent upgrade to vSphere 5.5 U2 led them down this path. This recommendation is low impact to the ESXi hosts (a command-line change), and if it were the issue you would see a reduction in storage disconnects in the logs. In this case, the change was made during a green zone and did not resolve the issue.

While this was found NOT to be the cause of the issue, I thought I would share some valuable information that is already well documented on VMware websites and VMW employee Blogs.

So what Changed?

The way ESXi hosts communicate with the storage array to maintain the VMFS heartbeat. Before this update, the ESXi host used SCSI reads/writes for validation; now this process is offloaded to the storage system using ATS. ATS is enabled on VMFS5 by default and disabled for VMFS3. Reference https://kb.vmware.com/kb/2113956 for more information.

Why the change?

According to a blog article on the topic, http://blogs.vmware.com/vsphere/2012/05/vmfs-locking-uncovered.html, the 'critical section functionality' is expanded, giving your hosts more reliable and consistent results when VMFS metadata is updated. Basically it is a better way of assuring that VMFS is ready to commit changes to the data. Give Cormac's article a read; it has much more detail.

Should I disable ATS in my environment?

No. I would recommend leaving this feature on unless directed to do so by support.

If you see an issue with storage disconnects that is directly related to this feature being enabled, and your storage vendor is recommending it, reference the aforementioned KB article. As I previously stated, disabling it is not that intrusive and should confirm whether this is the issue in short order.

If your storage vendor is recommending this change, you may want to confirm with the storage vendor that there are no updates available for your storage array that address this issue. There are a few out there.
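A change like this, made during troubleshooting, has a way of outliving the troubleshooting. As a defender-side companion to the advice above, here is an added PowerCLI audit script (not from the original post and not VMware's code) that reports the ATS-heartbeat setting on every host in a cluster so you can confirm the feature is still on everywhere it should be. It assumes VMware PowerCLI is installed and that you have read access to vCenter; the vCenter address and cluster name are placeholders, and the advanced-setting name VMFS3.UseATSForHBOnVMFS5 is the one KB 2113956 refers to (1 = heartbeat offloaded to ATS, 0 = disabled).

```powershell
# Added example: audit the ATS heartbeat setting across a cluster.
# Assumes PowerCLI and read-only vCenter access; server and cluster are placeholders.
param(
    [string]$VCenter     = 'vcenter.example.com',   # placeholder
    [string]$ClusterName = 'Prod-Cluster'           # placeholder
)

# Advanced setting described in KB 2113956: 1 = ATS heartbeat on (default for VMFS5), 0 = off.
$settingName = 'VMFS3.UseATSForHBOnVMFS5'

Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($vmhost in Get-Cluster -Name $ClusterName | Get-VMHost | Sort-Object Name) {
    $setting = Get-AdvancedSetting -Entity $vmhost -Name $settingName
    [pscustomobject]@{
        Host         = $vmhost.Name
        Version      = $vmhost.Version
        Build        = $vmhost.Build
        AtsHeartbeat = if ($setting.Value -eq 1) { 'enabled' } else { 'DISABLED' }
    }
}

$report | Format-Table -AutoSize

# A host with the heartbeat off should have a support or vendor ticket justifying it;
# anything else is most likely a leftover from an old troubleshooting session.
$disabled = @($report | Where-Object { $_.AtsHeartbeat -eq 'DISABLED' })
if ($disabled.Count -gt 0) {
    Write-Warning ("ATS heartbeat is disabled on {0} host(s): {1}. Confirm this was done under support guidance." -f `
        $disabled.Count, ($disabled.Host -join ', '))
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it from a management workstation with `.\Audit-AtsHeartbeat.ps1 -VCenter <your vCenter> -ClusterName <your cluster>`; the table shows the setting per host next to the ESXi build, which is handy when a vendor recommendation is tied to a particular release.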

Old School

One of my customers is near my parents' house and I have the benefit of stopping by when time permits. My mother found one of my elementary school folders from 5th grade, which was from a computer class. I typically take a look and toss the folder (I am not a pack rat), but I thought there was no better way to enshrine something than to toss it up on the web.

The year was 1983 and I never thought back then that I would end up in the IT field. Pretty cool to see my first introduction to the computer and command lines.


In retrospect, 5th grade was an impressionable year that would change my life. It was the year I changed schools (we moved, staying in the same town but in a different school district). This was a pretty big deal back in the 80s, since we actually went outside and played with friends. The new neighborhood was filled with kids who would become great friends, the new school district is where I would meet my future wife, and those new friends would end up in my wedding party. One life change setting a new path.

Man am I getting old…

Not My First blog post…

…but it is my first website.

I have already had the honor of writing a few blog posts for work and I will continue to do so (check out http://blogs.vmware.com/tam/tag/joe-depasquale). So why have my own site? Because all the cool kids are doing it. All kidding aside, I can use this platform to express my views as it relates to IT. Not because anybody told me I could not but this allows me to type and hit submit.

A little bit about me. I started in the IT space about 25 years ago. When I was a young adult, bouncing from college to college, I wanted to be a Police Officer. Once I accumulated 60 credit hours, I took the County Police Civil Service exam. During this time a friend got me a job installing computer cable. Mostly Cat 5, but there was still some Type 1 and BNC going around. This is Buffalo; we are a little bit slow on adoption. Anyway, I scored well enough on the exam, but retirements were light that year and I was never selected.

While installing the physical layer I noticed how cool these IT people were. They had offices, played with new technology and were heavily relied on; assets to the organization. Sure there was weekend work but that seemed a little safer than police work. Over the next few years I progressed in the roles I held, accumulating experience and taking on more responsibility. I would only change companies a handful of times over my career but when I did it was to gain more experience and take on more responsibility.

I have been at VMware now for over 5 years. I am proud to say it was the best decision I ever made. It is truly a great company to work for and they continue to impress. There is ample opportunity to learn more each day, everybody is willing to help each other, and we continue to evolve.

I know I skipped over a lot but I have to keep some back, for at the very least, security reasons. I hope you enjoy the site as much as I enjoy putting it together. More to come…