This video is part of the appearance “VMware Cloud Foundation 9.0 Showcase – Modern Private Cloud”. It was recorded at 10:00 on August 5, 2025.
When you think about cloud infrastructure security there are three main goals you are trying to achieve. First, you want to be secure quickly and stay that way. Second, you want to drive trust in your infrastructure. Third, you want to be resilient, easily. Broadcom’s Bob Plankers will take you through the latest security innovations in VMware Cloud Foundation 9.0 for providing next-level security, trust and resilience, empowering IT operations amidst regulatory complexities and geopolitical uncertainty.
The presentation focused on security and trust in VCF 9.0, emphasizing a “security first” approach, prioritizing ongoing security practices over infrequent compliance audits. A key theme was enabling customers to be secure faster, recognizing that security is a means to delivering services and running workloads. Plankers highlighted the importance of resilience, referencing features like vMotion and the EU’s Digital Operational Resilience Act, addressing both tactical and strategic scenarios such as failed application upgrades and disaster recovery.
The core differentiator of VCF 9.0 is inherent trust in the stack, moving towards less trust and more continuous verification. This includes verifying the platform’s security state, data sovereignty, and controlled access. The discussion covered lifecycle patching enhancements with Lifecycle Manager, aiming to simplify updates and manage multi-vendor cluster images. Features like live patching, custom EVC profiles, and improved GPU usage were also discussed as facilitating easier maintenance and patching, reducing friction.
The presentation went into a deep dive on security enhancements inside the hypervisor, including code signing, secure boot, and sandboxing. Confidential computing with AMD SEV-ES and Intel SGX was explored, along with the introduction of a user-level monitor that reduces the privileges an attacker would gain from a VM escape. Workload security improvements include secure boot, a hardened virtual USB stack, TPM 2.0 updates, and forensic snapshots. Cryptographic enhancements include TLS 1.3 by default, cipher suite selection, and key wrapping. Centralized password management, unified security operations, and standardized APIs for role-based access control further strengthen security and automation.
Personnel: Bob Plankers