The Death Of VMWare May Be Good For Security

It can also be really bad… let’s go over The Good, The Bad, and The Ugly

Broadcom acquired VMWare in November 2023, and has just announced some major changes across its product lines. Let's go over them and the possible impact on security.

Broadcom - VMWare Chaos Overview

The internet is in uproar about the changes Broadcom has made to its VMWare products. From dumping the entire End User Computing business unit which includes the beloved desktop version VMWare’s Workspace One, to the biggest move which was to instantly EOL (they used End of Availability - EOA) 56 different products by ending perpetual licensing and moving towards subscription based renewals.

According to VMWare’s they promise:

• Continuous innovation

• Faster time to value

• Predictable investments

Note: To be clear, they do say some products can continue to be used perpetually with active support contracts.

This is not the first time for a major company to do this. Adobe did this with its creative suite products as well as Autodesk.

Let’s face it, these are financial and business decisions - not technical decisions. Google kills products we love all the time, such as our beloved Google Domains. It’s just our reality.

So let’s go over what the impact is on security overall.

The Good

Some positive security byproducts of this whole thing can be as follows:

Forced Upgrades

One of our most prevalent issues in managing cybersecurity risk at companies is outdated, unpatched, and vulnerable software. Maintaining an updated license could potentially open up the way to forcing System Administrators and companies to update their software or it will no longer work.

Now, yeah this is the optimist in me speaking here. See The Ugly section below for how this can go wrong

Migrating To The Cloud

If you think migrating to the cloud will automatically make anything secure, sadly that is not the case. I’ve seen too many lift and shift cloud transformations go to the cloud quite insecurely, then they ask me to come in and secure things or give them an assessment.

However on the flip side, I know there are a TON of production vmware environments out there that are wholly insecure. From unencrypted drives, folders, and objects, to wide open and unencrypted network connections internally or worse between data centers!

I was once asked to advise a company on how to build their own private cloud. The bottom layer of securing infrastructure from physically encrypting drives to allowing internal customers to utilize and manage their own keys is just so monumental. There is a lot of security that happens at the infrastructure and service layer we take for granted from cloud providers.

As I said before, you can migrate to the cloud in a wholly insecure way. Cloud providers give you that freedom. However, the hope is that companies that have been putting off security improvements will now bake it in as they decide to migrate to the cloud.

The Bad

 There is a lot to talk about here.

Increased Costs Will Lead To Smaller Security Budgets

Companies are already laying off IT and Security folks to reduce costs. Now with a 10X infrastructure bill heading their way, do you think anyone is going to get a security budget? No. Whether it’s hiring folks, having time to take care of things on the security backlog, or buying/upgrading tools.

Rushed Migrations Will Lead To Security Misconfigurations

The leading issue in security is security misconfigurations. As such any migration done in haste can result in a lot of misconfigurations. From open firewall ports to key material in code to unencrypted storage. There are a number of ways things can go wrong.

The Ugly

Ok, here is where it can get crazy. 

VMWare Customer That Decide To Do Nothing

Yes, there are still companies out there that have Windows 7 machines on the network!

So in this case, will they leave unsupported VMWare installations out there? Hopefully not, but I wouldn’t put it past companies to wait as much as possible, if at all, to migrate.

Discarded Unencrypted Hardware

So as companies move off VMWare and to another provider, they will likely have to purchase new hardware and discard existing hardware.

What will happen to existing hardware? Will it be disposed of properly? Think about all the data and configuration files that exist on those drives.

VMWare - Good, Bad, or Ugly

What do you think? Anything I may have missed here that could impact security in any direction? Did this open to you possibilities you didn’t consider?

Would love to hear your thoughts. Feel free to drop a comment or hit reply with your thoughts.

Ps. Thanks for reading this far! I appreciate you.