Google Cloud VMware Engine enables Synack’s trusted security platform
Ken Drachnik
Product Marketing, Google Cloud
Desktop virtualization technology has been available, in a number of forms, for decades. Today, however, enterprises are showing what's possible with modern virtual desktop infrastructure (VDI) as they leverage Google Cloud VMware Engine to address a range of interesting and often challenging use cases. Google Cloud VMware Engine, a native Google service, enables organizations to seamlessly migrate and run their VMware-based applications within Google Cloud without changing applications, tools, or processes and benefit from on-demand capacity, agility, and cost savings. Synack, a cybersecurity firm specializing in crowdsourced security testing, is demonstrating what's possible when you integrate a modern VDI solution with Google Cloud's existing infrastructure, managed services, and application development solutions.
Synack uses VMware Horizon on Google Cloud VMware Engine to implement a platform for its penetration testing projects and security services. These projects often involve hundreds or even thousands of ethical hackers working as individual contributors in carefully controlled and monitored virtual workspaces, with stringent, client-specific ground rules. Synack's work as a provider of crowdsourced penetration testing services is reminiscent of some aspects of "bug bounty" contests where enterprises offer hackers cash for finding and reporting vulnerabilities in their public-facing systems. Synack goes beyond bug bounty by offering on-demand access to a community of highly vetted ethical hackers (the Synack Red Team). Key differences include the on-demand nature of security services, scale, and the tightly controlled nature of the community and testing environment. According to Mark Kuhr, CTO at Synack, the company currently has more than 1,500 ethical hackers in the community who contract on engagements with corporate or public sector clients. With controlled penetration testing, a powerful SaaS platform and the Synack Red Team, Synack can deploy large numbers of highly vetted and skilled hackers who can swarm a target asset, find vulnerabilities quickly, and leave clients with a comprehensive set of issues to prioritize and fix.
Just as important is Synack's ability to maintain absolute security, visibility, and control in an environment where hundreds of hackers are deliberately probing its clients' systems for vulnerabilities. This is one area where Synack is taking a different course compared to most other crowdsourced security firms. Most crowdsourcing entities leave researchers to work within their own individual platforms, typically leveraging some form of VPN. That means the data the researchers generate during penetration testing stays under the researchers' control as well.
Todd Humes, director of infrastructure and security operations at Synack, says that leveraging VDI gives Synack a degree of control over its researchers and visibility into their activities that its competitors can't achieve using other methods. "We're providing a trusted resource that's a completely Synack-owned resource," he stated. "Setting up our researchers with VDI workspaces minimizes the risk of data exfiltration, for example, and it gives our clients confidence that we can define policies and enforce them consistently."
VDI with Horizon and Google Cloud: Faster, easier to manage, and more secure
Synack's penetration testing platform, LaunchPoint, relies on VMware Horizon to manage and deliver virtual desktop environments for researchers to use during penetration testing engagements. Horizon excels at delivering consistent, low-latency performance, which gives researchers a better user experience and eliminates one of the most common obstacles to working with VDI in business-critical settings. In addition, Horizon on Google Cloud VMware Engine gives the company more than enough scalability to provision additional VDI seats quickly on bigger engagements.
Humes pointed out that Synack relies just as much on other VMware applications as it does on Horizon to meet its security and control requirements for the LaunchPoint platform. "One of the great things about Google Cloud VMware Engine is the fact that not only are we getting the VMware ESXi hypervisors, we're also getting VMware vCenter centralized server management. Getting VMware vSAN capabilities in a hyperconverged stack is also a really strong feature: We don't have to worry about storage just because it's software defined. It's there, it's part of the overall stack, and it's extremely fast, extremely resilient."
Humes also says, "One of the biggest things that we've gained is that we're able to leverage VMware NSX network security. As far as I know, this is the only software defined network solution that's running in the cloud that offers native layer two capabilities." Networking at the level Synack needs to operate at in the cloud was a challenge, Humes explained, because it caused a lot of additional work for the Synack research team as they pivoted from one penetration testing target to another. "That transition involved a lot of route manipulation. We don't have that issue anymore because we can define multiple overlays which operate at the layer two level. We can literally take a machine as far as from one layer two layer segment over to another layer two segment and not have to worry about any sort of data convergence between the two."
This also delivers important security advantages around isolating client environments and providing redundancy. Says Humes, "We have to ensure that penetration tests intended for one engagement do not impact another. So that micro-segmentation that we get within NSX gives us an important way of guaranteeing that will never happen."
More advantages: Security, analytics, network management
Google Cloud VMware Engine also gives Synack some other important capabilities — for LaunchPoint and for the company's other research and analytical functions.
First is the value of having Google Cloud VMware Engine as a platform for Synack's VDI environment. "Google Cloud VMware Engine is important because it gives us the ability to logically separate our networks, which is something that we couldn't do before within a cloud provider VPC environment," Humes said. "So there are some benefits there around doing more network segmentation than we could in the past."
Security was another factor that drove Synack toward Google Cloud. "We're committed to leveraging Google's high-security model and best practices — for example, VPC segmentation in our core services that we use for hosting," Humes stated. "The fact is, we are hosting some of the world's best penetration testers on our platform. Clearly, we have an obligation to our customers to ensure they're operating within established boundaries."
VDI as a platform for innovation
Synack's experience working with VMware's Horizon VDI and related capabilities on Google Cloud VMware Engine offers an innovative take on what companies can do with VDI technology running in a modern, cloud-native application environment. Cutting-edge VDI tools like Horizon, combined with Google Cloud's security, network performance, and other supporting capabilities, differ from previous generations of VDI tools in terms of performance, ease of management, integration, and security. As more enterprises discover what's possible with these tools, we're looking forward to seeing how their use cases for VDI continue to evolve in new and interesting ways.