SDN and Micro-Segmentation boost Security for BYOD According to AirWatch/VMware

The proliferation of mobile devices and cloud services has caused a geometric increase in security threat possibilities as each device type and OS version can potentially be vulnerable. In addition, these devices need access to more and more cloud information – which means even more opportunities for attackers to hitch a ride along a VPN tunnel and then move laterally in the data center in the search for information to harvest or other damage to cause.

Some people questioned the acquisition of AirWatch by VMware, as BYOD and MDM live in a space far removed from virtualization. The benefits of the deal, however, are beginning to come to fruition as the company has shown its grand vision of allowing mobile devices access to specific information in the corporate data center. In fact, Mike Maxey, Director of Content Solutions at VMware, recently discussed with me how VMware NSX, when deployed with AirWatch EMM or VMware Horizon, addresses the enterprise security challenge of over-provisioned data center access through the use of network micro-segmentation. This model, he explained, can prevent users from accessing or even seeing resources within the data center to which they are not entitled.

The VMware NSX approach to securing user access offers several advantages over traditional security approaches: automated provisioning, automated move/add/change for workloads, distributed policy enforcement at every virtual interface and in-kernel, and scale-out firewalling distributed to every hypervisor or virtual desktop and baked into the platform.

Deploying VMware NSX with AirWatch Enterprise Mobility Management, combining AirWatch identity management and per-app VPN controls with VMware NSX network virtualization, completes the security bridge from the device to the data center. This solution allows IT to assign exact data center resources to specific applications based on the organizational groups already set up through AirWatch EMM. The permissions set by IT can prevent the enterprise from overexposing data center information to applications on any device while still empowering the mobile user with the corporate resources they need to do work efficiently and effectively. The combined solution also gives administrators greater visibility into what mobile users can access and eases change management as new applications come online.

Deploying VMware NSX with Horizon enables effective firewalling for each virtual desktop at the VM level, preventing the spread of threats from desktop to server as well as from desktop to desktop. Security policies can be created based on individual users or logical groupings, rather than being tied to network topologies, and VMware NSX streamlines and simplifies configuration of security policies based on types of users (such as engineering) and on types of data being accessed (such as payroll).
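To make the contrast concrete, here is an added Python model (not VMware, NSX or AirWatch code) of the two policy styles described above: a topology rule that lets the whole VPN address pool reach the whole data center, beside a group-and-app entitlement table with default deny and no desktop-to-desktop traffic. Group names, workload names and addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Endpoint:
    name: str    # workload or desktop name (the micro-segmentation key)
    kind: str    # "desktop" or "server"
    ip: str      # only the topology model looks at this
    group: str   # organizational group that owns it (from EMM / desktop pool)

@dataclass(frozen=True)
class Flow:
    src: Endpoint
    dst: Endpoint
    app: str     # application that initiated the flow (per-app VPN identity)

# Constructed sample inventory: two engineering desktops and two servers.
ENG_DESKTOP_1 = Endpoint("eng-desktop-1", "desktop", "10.10.1.5", "engineering")
ENG_DESKTOP_2 = Endpoint("eng-desktop-2", "desktop", "10.10.1.6", "engineering")
SOURCE_REPO = Endpoint("source-repo", "server", "10.20.3.10", "engineering")
PAYROLL_DB = Endpoint("payroll-db", "server", "10.20.4.20", "finance")

# Topology-based model: any address in the VPN pool may reach the data center.
VPN_POOL = ip_network("10.10.0.0/16")
DATA_CENTER = ip_network("10.20.0.0/16")

def topology_allows(flow: Flow) -> bool:
    """Subnet rule: over-provisions, because every VPN user sees every server."""
    return ip_address(flow.src.ip) in VPN_POOL and ip_address(flow.dst.ip) in DATA_CENTER

# Micro-segmentation model: explicit (group, app, workload) entitlements, default deny.
ENTITLEMENTS = {
    ("engineering", "git-client", "source-repo"),
    ("finance", "payroll-app", "payroll-db"),
}

def microseg_allows(flow: Flow) -> bool:
    """Identity rule enforced at every VM: only listed entitlements pass."""
    # Desktop-to-desktop traffic is dropped outright to stop lateral spread.
    if flow.src.kind == "desktop" and flow.dst.kind == "desktop":
        return False
    return (flow.src.group, flow.app, flow.dst.name) in ENTITLEMENTS

def compare(flow: Flow) -> tuple[bool, bool]:
    """(topology decision, micro-segmentation decision) for one flow."""
    return topology_allows(flow), microseg_allows(flow)
```

The interesting case is an engineering desktop reaching for the payroll database: the subnet rule allows it, the entitlement table does not.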

The company believes that since mobile and virtual desktop sessions are more dynamic than server workloads, static security policies are far less effective. That is why its goal is to use VMware NSX to simplify and automate the application of network and security policies to users or virtual desktop pools.

Mike went on to explain that AirWatch understands the device, knows its role in the company and, using encryption with rights management, can ensure information is kept secure. In addition, he explained that the system knows when a mobile device is on a 3G connection and can prohibit large file transfers on such a network as a result. He continued by saying the company has partnerships with other cloud vendors and, as I’ve written about before, can ensure encrypted documents do not leave the container – for example, in a situation where a board of directors is receiving financial information the company wants to ensure is not shared beyond the board.

Finally, he explained that the company has built a set of standards enabling developers to embed security and simultaneously work with the AirWatch console. Salesforce, Xilinx and Box are a few of the companies taking part in this initiative, he continued.

When you consider the number of attack vectors a malicious user can take, such as spear phishing through a social network, locking down everything and coordinating access rights with specific data types makes a great deal of sense.
