Recently, I have been asked several times what other revenue options can be unlocked using VMware vDefend outside its well-known and well-received core Distributed Firewall (micro-segmentation) capabilities. This is what inspired me to write this blog – to explore the advanced features and value-added services that vDefend offers and how Cloud Service Providers (CSPs) can use them to expand their cloud security portfolio and drive new monetization models.
Core capability of VMware vDefend
- The basic offering is the Distributed Firewall (DFW) (sometimes also “firewall”), i.e. east-west plus north-south firewalling at the software/hypervisor layer.
- It supports Layer 2-7 stateful firewalling, identity- and application-oriented policies, dynamic workload grouping, etc.
- It is tightly integrated with VMware Cloud Foundation (VCF).
New revenue streams with advanced VMware vDefend features:
These are additional features/capabilities beyond basic micro-segmentation that you should look at adding to your portfolio of security service offerings:
- Gateway Firewall
  - In addition to DFW, there is a “gateway” component as part of vDefend for perimeter or segmented zone control (L2/3/4 firewalling at edge points).
  - Useful for ISPs when offering tenant isolation, inbound/outbound traffic control, etc.
- Advanced Threat Prevention (ATP) / IDS/IPS / NDR / Sandbox / Traffic Analysis
  - The “advanced threat prevention in vDefend Firewall” tier adds IDS/IPS functionality, Network Traffic Analysis (NTA), Sandboxing, and Network Detection and Response (NDR).
  - This is a key value-add for a CSP: you can offer more than just segmentation, namely threat detection, prevention and response.
- Security Intelligence / Segmentation Assessment / Analytics
  - Features like the “Security Segmentation Report” that analyze flows to identify segmentation gaps, generate segmentation scores and provide rule recommendations.
  - The “Security Services Platform (SSP)” – a scalable architecture for security intelligence and visibility in large-scale environments.
  - This is especially useful for ISPs because you have multiple tenants and large, possibly complex workloads, and want to offer visibility and analytics dashboards as part of the service.
- Container / multi-workload support
  - vDefend supports not only VM workloads but also containers, bare metal, etc.
  - This is important for CSPs if you support Kubernetes/containers, hybrid or multi-cloud workloads for customers.
- Multi-tenant / delegated management capabilities
  - Recent enhancements enable “VPC-Aware Lateral Security” – the ability to apply per-tenant or per-VPC policies with delegated management for tenants/application owners.
  - Self-service micro-segmentation: application owners can define fine-grained policies within the zones defined below.
  - For CSPs, this is critical: you want to offer self-service to tenants while maintaining central control/oversight.
- Geo-IP / edge control
  - Example: Geo-IP filtering on the gateway firewall (allow/block by country) for traffic flows.
  - Useful for compliance/regulatory or global CSP scenarios.
- Support for air-gapped / isolated environments
  - The NDR feature now supports environments that do not connect to the public internet for threat information updates (important for regulated/private CSPs).
What this means for CSP offerings
If you are a CSP evaluating vDefend as part of your security/service offering, you should think about:
- Which level you want to offer: basic segmentation (DFW) versus full threat prevention (ATP/IDS/IPS/NDR).
- Tenant / multi-tenant needs: you need segmentation by tenant, delegated admin, self-service, etc.; vDefend supports this.
- Scale and visibility: Analytics and intelligence modules are key to large-scale operations.
- Workload types: VMs, containers, bare metal – if you support them, you’ll need broader features.
- Compliance/Regulations: Policies like geo-IP, offline threat updates, fully isolated operations.
- Automation/DevOps integration: Micro-segmentation as code, API-driven policy creation, CI/CD integration, etc.
- Gateway/Edge Control: If you offer ingress/egress firewalling or edge segmentation to customers, make sure the gateway firewall feature is included.
Key Licensing Considerations
- VMware vDefend is sold as a single SKU, as an add-on to VMware Cloud Foundation (VCF), and includes all features.
Summary
To maximize revenue, CSPs should package these advanced features into differentiated service bundles and sell the business outcomes of securing the environment, with a more integrated cloud operating model that extends beyond IaaS to managed security services.