vShield 5: New Security Features Coming Soon


VMware vShield 5 was announced around the same time as vSphere 5, but for some reason it sort of flew under the radar. Some would say it had something to do with the licensing drama, but who really knows. What I do know is that 1) securing VMs is an evolving problem that has been limited to hardware enforcement and 2) VMware is starting to invest significantly more resources in their vShield suite since its launch in August 2010.

If you remember, vShield includes vShield App, vShield Edge, and vShield Endpoint. If you are curious about what was included with that launch in more detail, you can find more here from my previous post. In short, it was a good start but not a full solution.

So What’s New:

vShield App now includes Data Security, designed for compliance confidence; think data scanning. This hypervisor-based, application-aware firewall will create and enforce dynamic application boundaries, aka trust zones, based on policies rather than the physical boundaries of yesteryear. This should help cut down on the hardware costs!

There is now a collaboration with RSA (another EMC company, no surprise here) that is designed to “optimize the security for virtual and cloud environments.” “This security protocol will enable enterprises to discover and classify sensitive data residing within the virtual machines.” So if someone is sending Social Security cards, credit cards, or personal information, it can detect this leak within the VM. Plus, it is host-based and agent-less.

Also, based on pre-defined templates, 80 or so, you will now be able to select policies that affect your business; I am not sure yet whether you can modify these presets. These policies scan the VM for sensitive data and report back the findings. You can even set a policy so that if it finds this data, it will isolate the VM, keeping the sensitive information in its trust zone. Performance shouldn’t be impacted much since it will be using a virtual appliance. The thing to note is that it will report and isolate; see below.

Does this solve our Data Loss Prevention (DLP) Problem?

Not so fast. They still have a long way to go. Remember: detect, report and isolate, not detect, report and block. To be clear, this is just a detection tool with minor policy enforcement. It will be clearer come demo time at VMworld, but it is missing some key components to be a full DLP solution. For example, it doesn’t detect data leaks in transit, won’t prohibit moving data to the cloud, and doesn’t go in-depth enough to protect ultra-sensitive data. It is a good start, and there will be a future release with APIs to integrate with other DLP software.


The VMware vShield 5 is expected to be available in Q3 2011 and individual products will be licensed per VM (noticing a trend?) starting at $50 per VM retail. The vShield products can also be purchased together as a vShield bundle for $300 per VM.
