VMware Project Arctic Graduates to vSphere+

Introduction

Today, June 28 2022, VMware announced vSphere+ and vSAN+, subscription-based offerings of their enterprise compute and storage virtualisation solutions.

First mooted during VMworld 2021, Project Arctic promised to deliver a cloud operating model to customers’ data centre and edge locations. At a high level, that means hands-off maintenance, proactive monitoring, pay-as-you-grow consumption, subscription billing, and a shift to opex funding.

Furthermore, vSphere subscriptions allow VMware to integrate products and services as features. VMware Cross-Cloud Services will enable on-demand scale out capacity and disaster recovery capabilities. We know from the general industry shift towards Software-as-a-Service (SaaS) that the frequency of development cycles and feature delivery increases, resulting in faster and greater value to the end customer.

The release of vSphere+ and vSAN+ is VMware’s first iteration of the Project Arctic feature set, with more capabilities and products to be added. In this release, customers can expect to benefit from simplified operations, faster time to value, and future investment in IT strategy. Find out more at the vSphere+ microsite.

What is vSphere+?

The launch of vSphere+ and vSAN+ provides customers with a subscription to compute and storage virtualisation solutions. It is aimed at organisations wanting to retain an on-premises footprint, either data centre or edge, with a consistent operating experience to their cloud infrastructure.

This means it is easy for brownfield environments to adopt, and to improve their operational processes and security posture. vSphere+ is more than just a subscription to an existing product; it also offers administrators the following benefits:

  • Aggregate vCenter Servers and global infrastructure into a single view
  • VMware assisted lifecycle management, initially for vCenter Server
  • Significantly lower maintenance touch, and reduced down time with vCenter Server Reduced Downtime Upgrades
  • Faster access to new features, fixes, and security patches
  • Check for configuration drift, security issues, consistent errors, and update status across all vCenters and clusters
  • Enable access to the embedded Tanzu services for build, run, and manage, of modern container based applications
  • Global monitoring of VMware environments, see examples in this vSphere+ Tech Zone blog
  • Deploy virtual machines to multiple platforms from anywhere with the new cloud admin interface
  • Co-term licensing and support across VMware environments with flexible scaling options
  • Removes the need for individual vCenter Server licenses (see the licensing section below)

vSphere+ introduces a new cloud admin portal, an additional SaaS control plane which interacts with a gateway server on-premises. The sections below go into more technical detail, but the vCenter Servers do not talk directly out to the Internet, and no workloads or components are moved to the cloud as part of this operating model.

The term cloud-like operating model relates to features like the one-click vCenter updates, one-click Kubernetes cluster enablement (a cloud native container orchestration tool), and the flexible subscription, or operating expenditure, nature of the service.

Many customers want the benefits of cloud, namely flexible consumption, minimal maintenance, built-in resilience, developer agility, and anywhere management. They may also need to retain some on-premises infrastructure, for data privacy, security, or sovereignty reasons, and for high-performance or low-latency requirements. The introduction of vSphere+ aims to provide these cloud benefits in the remaining data centre or edge locations.

You can read more about the admin services and developer services available through the new cloud portal, as well as the full range of benefits introduced by vSphere+, in the blog VMware vSphere+ Introducing The Multi-Cloud Workload Platform.

vSphere+ Benefits

How Does vSphere+ Work?

Beyond the licensing information in the section below, there are some further technical considerations and clarifications.

Since the vSphere infrastructure on-premises is already deployed, there is no impact to those existing vSphere, vCenter, or vSAN environments. The vCenter Server needs to be running a minimum of version 7.0.3, so there may be a vCenter upgrade, but there is no vSphere/ESXi update required. vCenter 7.0.3 is backwards compatible with vSphere 6.5 onwards, although note that vSphere 6.x reaches end of support on 15 October 2022.

A Cloud Gateway appliance is used to connect the on-premises vSphere estate with the VMware Cloud control plane. The appliance is a standard OVA, here is some additional information:

  • The appliance needs 8 CPU, ~24 GB RAM, 190 GB disk, and a secondary IP address
  • The appliance does not need backing up or HA deployment
  • The appliance is stateless and can easily be deleted and re-deployed in the event of any issues
  • There is an admin interface for setting minimal configuration such as Internet proxy
  • Lifecycle management of the appliance is automated from the cloud control plane
  • There is a maximum latency requirement of 100ms from the vCenter to the gateway appliance, and from the gateway to the cloud portal
  • The gateway appliance has limited access to the customer environment
  • Communication between the gateway appliance and cloud portal is fully encrypted and there is no VPN requirement
  • The gateway appliance needs outbound HTTPS connectivity only, and there are no network charges
  • The gateway appliance also uploads logs to VMware support, accelerating troubleshooting during incidents
  • The gateway appliance is the point of authentication, and no usernames and passwords are transmitted to the cloud
  • Data is not shared with third parties or used for marketing purposes
  • You can have multiple gateway appliances, with up to 4 vCenter Servers per gateway (note that there is no change in vCenter and vSphere configuration maximums)

vSphere+ Cloud Gateway Appliance High Level Architecture

Subscription services for vSphere+ and vSAN+ can be activated from the cloud portal. Host billing and licensing is also managed here, with no need to install license keys. Outside of vCenter lifecycle management, and subtle differences like the removal of license keys, there is no day-to-day change in how you manage and operate the vSphere environment.

If the gateway appliance or Internet connection is lost, the vSphere environment continues to work as normal. If the gateway has not connected to the cloud control plane for 24 hours, vSphere administrators will see advisory messages on the login page bringing this to their attention.

For vCenter updates, VMware do not apply updates automatically without informing the customer. The customer has complete control over the planning and scheduling of updates across vCenter Servers. When a new update is available a notification is generated, and the customer chooses when to have the update applied. The inventory will apply a traffic light system for vCenter instances depending on how many versions behind the latest release they might be.
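The gateway requirements above (vCenter 7.0.3 minimum, at most 4 vCenters per gateway, 100 ms maximum latency in both hops, outbound HTTPS only, ESXi 6.x end of support on 15 October 2022) are easy to check before the appliance is deployed. The script that follows is an added example, not VMware tooling and not code from the post: it encodes those requirements and runs them over a constructed inventory. The vCenter names, the latency figures and the (direction, protocol, port) firewall rule format are assumptions for illustration.

```python
"""Pre-onboarding checks for a vSphere+ cloud gateway (added example, not VMware code)."""
from dataclasses import dataclass
from datetime import date

MIN_VCENTER = (7, 0, 3)                 # minimum vCenter version named in the post
MAX_VCENTERS_PER_GATEWAY = 4
MAX_LATENCY_MS = 100
ESXI_6_END_OF_SUPPORT = date(2022, 10, 15)
REQUIRED_EGRESS = ("out", "tcp", 443)   # the only flow the gateway needs
ASSESSMENT_DATE = date(2022, 6, 28)     # constructed run date (the post's publication date)


def parse_version(text: str) -> tuple:
    """Turn '7.0.3' or '7.0.3.00500' into a tuple that compares numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class VCenter:
    name: str
    version: str
    esxi_versions: list          # versions of the ESXi hosts it manages
    latency_to_gateway_ms: int


@dataclass
class Gateway:
    name: str
    vcenters: list
    latency_to_portal_ms: int
    egress_rules: list           # (direction, protocol, port) as exported from the firewall


def check_vcenter(vc: VCenter, today: date = ASSESSMENT_DATE) -> list:
    findings = []
    if parse_version(vc.version)[:3] < MIN_VCENTER:
        findings.append(f"{vc.name}: vCenter {vc.version} is below 7.0.3, upgrade vCenter first")
    if vc.latency_to_gateway_ms > MAX_LATENCY_MS:
        findings.append(f"{vc.name}: {vc.latency_to_gateway_ms} ms to the gateway exceeds {MAX_LATENCY_MS} ms")
    for esxi in vc.esxi_versions:
        # vCenter 7.0.3 still manages 6.5+ hosts, but vSphere 6.x support ends 15 Oct 2022
        if parse_version(esxi)[0] == 6:
            state = "past" if today > ESXI_6_END_OF_SUPPORT else "approaching"
            findings.append(f"{vc.name}: ESXi {esxi} host is {state} end of support ({ESXI_6_END_OF_SUPPORT})")
    return findings


def check_gateway(gw: Gateway, today: date = ASSESSMENT_DATE) -> list:
    findings = []
    if len(gw.vcenters) > MAX_VCENTERS_PER_GATEWAY:
        findings.append(f"{gw.name}: {len(gw.vcenters)} vCenters registered, maximum is {MAX_VCENTERS_PER_GATEWAY}")
    if gw.latency_to_portal_ms > MAX_LATENCY_MS:
        findings.append(f"{gw.name}: {gw.latency_to_portal_ms} ms to the cloud portal exceeds {MAX_LATENCY_MS} ms")
    for rule in gw.egress_rules:
        direction, proto, port = rule
        if direction == "in":
            findings.append(f"{gw.name}: inbound {proto}/{port} rule is not needed, the gateway only makes outbound HTTPS calls")
        elif rule != REQUIRED_EGRESS:
            findings.append(f"{gw.name}: outbound {proto}/{port} is wider than the HTTPS-only requirement")
    for vc in gw.vcenters:
        findings.extend(check_vcenter(vc, today))
    return findings


# Constructed inventory: one healthy vCenter, one behind on versions, one edge site with poor latency.
SAMPLE_GATEWAY = Gateway(
    name="gw-lon-01",
    vcenters=[
        VCenter("vc-lon-01", "7.0.3.00500", ["7.0.3", "7.0.3"], 12),
        VCenter("vc-lon-02", "7.0.2", ["6.7.0", "7.0.3"], 18),
        VCenter("vc-edge-01", "7.0.3", ["7.0.3"], 140),
    ],
    latency_to_portal_ms=45,
    egress_rules=[("out", "tcp", 443), ("out", "tcp", 22), ("in", "tcp", 443)],
)

if __name__ == "__main__":
    for line in check_gateway(SAMPLE_GATEWAY):
        print(line)
```

The egress check is the security-relevant part: because the appliance only ever calls out over HTTPS, any inbound rule or wider outbound rule on its segment is surplus and should be removed before it goes live.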

How Does vSphere+ Licensing Work?

Previously, virtualisation customers would shell out a large upfront cost for perpetual licenses they would own outright. To deliver full value the perpetual license was supplemented with SnS (Support and Subscription), adding technical support, and access to the latest updates and security patches.

With perpetual licenses and SnS renewals, the vCenter Server license (per instance) and vSphere license (per CPU) were purchased separately. The vCenter Server provides overarching management capabilities, including enterprise features like resource balancing and High Availability (HA). The hypervisor vSphere, or ESXi, is installed on physical servers and facilitates compute virtualisation.

From July 2022, customers can upgrade to subscription based offerings of vSphere+ and vSAN+ rather than the traditional SnS renewal. You may have seen a similar early access program, branded vSphere Advantage. Both vSphere Advantage and Project Arctic are officially named vSphere+ at launch.

The vSphere+ license will include vSphere (for the core count stipulated), vCenter Server (for unlimited instances), the new vSphere admin service (SaaS Based), the Tanzu Standard runtime, and Tanzu Mission Control Essentials. Tanzu services enable build, run, and manage for modern applications through the use of containers and Kubernetes orchestration, directly within the hypervisor.

The version of vSphere included with vSphere+ has feature parity with vSphere Enterprise Plus, and production support. You can view the full vSphere Enterprise Plus feature set here.

Once a vCenter Server is registered with the cloud control plane all connected hosts and associated CPUs will be counted as licensed physical cores. Note that 16 cores make up 1 CPU, which is a change to the existing perpetual limit where 1 CPU is currently valid for up to 32 cores. As physical servers are added or removed, the corresponding core count is increased or decreased.

Core commits can be made for 1, 3, or 5 year periods, with additional cores billed as overage (or the commit level increased). Any overage is calculated per hour and billed in arrears at the end of the month. A customer can run a combination of vSphere+ and perpetual vSphere, however they need to be registered with different vCenter Servers.

How Does vSAN+ Licensing Work?

The vSAN+ license is available as an add-on to vSphere+; it cannot be purchased separately. As the license is an add-on it automatically co-terms with the vSphere+ duration. Commit and overage terms are the same as vSphere+.

Using vSAN+, customers benefit from centralised management, global inventory monitoring, and global alert status from the cloud console. Existing vSAN datastores are integrated into the cloud portal virtual machine provisioning workflow, to allow deployment of workloads to a vSAN cluster from anywhere. You can read more in the Introducing vSAN+ blog.

The vSAN+ license has feature parity with vSAN Enterprise; you can view the full vSAN feature list here. At initial release, lifecycle management only covers vCenter Server. It is likely that in the future vSphere/vSAN lifecycle management may also be added to Project Arctic.

VMware Sovereign Cloud Overview

Introduction

It isn’t a secret that the overwhelming majority of data hosted by enterprises in the cloud is with US-owned cloud providers. A study by the Centre for European Policy Studies in 2021 found that a whopping 92% of the western world’s data is currently stored in the US. In principle that has been fine with organisations based in other countries, since the scale of these cloud providers was such that data locality was not a problem. The relevant security controls and technologies also exist to protect the data from unauthorised third parties.

Politically, however, the landscape is changing. The majority of the world’s population has privacy regulations in line with GDPR. The number of countries implementing data privacy laws has been increasing annually, for both personal and enterprise data. Furthermore, the very definition of personal information is evolving with our online presence, and it’s only going to get more complex over time.

Thanks to the US Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018, courts can instruct US companies to collect data on systems they manage, not just on US soil, but in theory anywhere in the world. Separately, in July 2020, the Court of Justice of the European Union (CJEU) made judgement on a case that essentially invalidated the EU/US Privacy Shield framework for transferring data outside of the EU.

This isn’t just a European concern either, it’s on the radar across other regions on a global scale. Legal cases and fines are starting to arise for organisations incorrectly interpreting GDPR, and there are still open questions about how legislation will be enforced internationally.

These are not isolated instances, and in conjunction with an increased risk of data breaches and more sophisticated cyber attacks, companies are starting to seriously consider repatriation of data stored overseas. Through the global network of VMware Cloud Provider Partners (VCPP), and the VMware Sovereign Cloud framework, VMware have the means to implement data sovereign solutions locally across any region.

What is VMware Sovereign Cloud?

VMware Sovereign Cloud is a framework of guiding principles and best practices to help partners deliver cloud services that adhere to the data sovereignty requirements of a specific jurisdiction. A sovereign cloud framework does not replace public cloud, nor does it replace industry compliance. In fact the opposite is true: the sovereign cloud framework seeks to augment existing platforms and regulations, with a specific focus on putting the customer in complete control of their data.

This control is derived by providing both data residency and data sovereignty with full jurisdictional control. Data residency relates to where the data is physically and geographically stored and processed. Due to the extreme scale of the main public cloud providers, this is something they are usually able to provide. Often though, metadata (data about the data) can leak out into other regions, typically the US. In some cases, data residency alone is not sufficient to ensure compliance with data privacy laws. Data sovereignty relates to law, specifically data being subject to the governance structure, and more importantly jurisdiction, of the nation where the data is processed and stored.

Data still needs to be accessible, and this is a really important point. A sovereign cloud solution needs to not only protect critical data, but also unlock its value. Data can be extracted in a meaningful way, for both private and public sector organisations, whilst providing transparency around architecture and operations.

As an example, both my banking and health records are stored extremely securely in a data centre, with a bunch of regulatory and audit processes in place. However, I can access these records on-demand using my mobile phone, which is a device my bank and my healthcare provider have no control over. Equally, there may be times when others need to access the same records, either anonymised or with personally identifiable information, like if I applied for a credit-based financial service, or if I was referred to a healthcare specialist for a specific condition. Data sovereignty isn’t about locking up data and making it inaccessible.

Clearly, data still needs to be accessible to the right people through an end client, device, or system, whilst maintaining the integrity of the data. It is important therefore, to have an example architecture for how data can be exchanged, or act as a landing platform for data collected from member states and repatriated from other regions. In implementing such an architecture, a national capability for the digital economy can be achieved, whilst securing data with audited security controls, and ensuring compliance with data privacy laws.

High Level Sovereign Cloud Framework

The basis of a VMware Sovereign Cloud is the VMware reference architecture, in the form of VMware Validated Solutions (VVS) and the VMware Cloud Provider Partner (VCPP) stack. There is no need for a dedicated sovereign cloud reference architecture. Instead, an overlay is being introduced to organise the infrastructure into different security classifications and domains. This separation of security domains ensures there is no data leakage, of either primary data or metadata, outside of the required locality and jurisdiction.

The VMware Sovereign Cloud framework uses transparent, standardised, software-defined architectures along with a number of key principles and best practices:

  • Data sovereignty and jurisdictional control
    • Control, authority, and operations are fully managed within the jurisdiction of the nation state where that data was collected
  • Data access and integrity
    • Cloud infrastructure is resilient across at least 2 data centre locations within the jurisdiction, with secure and private connectivity options
  • Data security and compliance
    • Information security management system controls are audited and applied in line with industry recognised standards
  • Data independence and mobility
    • Data and application portability with modern application architectures to prevent lock-in

These key principles deliver benefits such as increased security, improved control, and continuous compliance, whilst future proofing services and unlocking the power of data. National and sovereign digital capabilities can be developed, with national data pooled together to fuel economic innovation and growth.

How Does VMware Sovereign Cloud Work?

The VMware Sovereign Cloud provider sets up an audited and approved cloud architecture for the customer in the relevant locality and jurisdiction. Each sovereign cloud must have at least 2 security domains within it. Security domains are typically built in software, with every IT system or data classification represented by one or more security domains.

Security domains provide a common authentication and authorisation boundary. The perimeter is typically protected by things like firewalls, access control, and application filters, whilst services like micro-segmentation can provide further optional security inside the security domain itself. You can think of a security domain as a logical network connectivity area with a common security posture; domains can be built specifically to house top-secret data, secret data, restricted data, and so on. The 2 types of security domains are as follows:

  • Sovereign domain
    • Used to connect out to other services, similar concept to a DMZ, this security domain features the highest level of security and risk mitigation
  • Resident domain
    • Stores and processes data, will only accept connections from its parent sovereign domain or other trusted resident domains in the same jurisdiction, this security domain features the highest level of trust and confidence

Security domains can be used to make secure connections out to other environments, such as the customer’s private cloud, or a commercial public cloud provider. The sovereign cloud architecture ensures that if the service is paired with commercial clouds, then no data or metadata is leaked or escapes the sovereign cloud boundary.

The screenshot below is taken from the VMware Sovereign Cloud Technical Whitepaper, which provides a technical deep dive into the aspects and examples of sovereign cloud architectures and integrations. It shows how a sovereign cloud provider can host an application, whilst still consuming the benefits of public cloud services from AWS, Azure, Google, etc.

In this example, the data is encrypted and replicated between the sovereign cloud compliant provider and the public cloud, with the encryption keys only stored on the KMS server with the compliant provider. Other methods can also be used to integrate with third party tooling, such as anonymising data, or replacing sensitive data with specific key pair values that can then be mapped back on the sovereign cloud compliant provider.

Sovereign Cloud Compliancy Chain from the VMware Sovereign Cloud Technical Whitepaper
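The second integration method mentioned above, replacing sensitive values before a record leaves the sovereign boundary and mapping them back on the compliant provider, looks like the following in code. This is an added example, not VMware code and not taken from the whitepaper; the record schema, the field names and the vault are constructed for illustration. It shows two variants that serve different needs: reversible random tokens, whose mapping table lives only in the resident domain, and keyed pseudonyms for analytics that needs the same input to map to the same value without being reversible outside the domain.

```python
"""Tokenise sensitive fields before a record is replicated to a public cloud (added example)."""
import hashlib
import hmac
import secrets

# Constructed schema: fields that must never leave the jurisdiction in clear.
SENSITIVE_FIELDS = {"patient_name", "nhs_number", "date_of_birth"}


class TokenVault:
    """token -> original value. Lives only in the resident domain and is never replicated."""

    def __init__(self):
        self._values = {}

    def tokenise(self, value: str) -> str:
        # A fresh random token per occurrence, so two exports of the same value
        # cannot be linked by anyone who only sees the exported copies.
        token = "tok_" + secrets.token_hex(8)
        self._values[token] = value
        return token

    def detokenise(self, token: str) -> str:
        return self._values[token]

    def __len__(self) -> int:
        return len(self._values)


def export_record(record: dict, vault: TokenVault, sensitive=SENSITIVE_FIELDS) -> dict:
    """Copy of the record that is safe to replicate to a public cloud service."""
    return {k: vault.tokenise(v) if k in sensitive else v for k, v in record.items()}


def restore_record(exported: dict, vault: TokenVault, sensitive=SENSITIVE_FIELDS) -> dict:
    """Map the tokens back to their values, inside the sovereign domain."""
    return {k: vault.detokenise(v) if k in sensitive else v for k, v in exported.items()}


def leaked_fields(record: dict, exported: dict, sensitive=SENSITIVE_FIELDS) -> list:
    """Sensitive fields whose clear value survived into the export. Should be empty."""
    return sorted(k for k in sensitive if k in record and exported.get(k) == record[k])


def pseudonymise(value: str, key: bytes) -> str:
    """Deterministic pseudonym: the same value gives the same output under the same key,
    so joins still work, but without the key (held with the compliant provider) the output
    cannot be mapped back or correlated with a pseudonym made under a different key."""
    return "pid_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    vault = TokenVault()
    record = {"patient_name": "A. Example", "nhs_number": "000 000 0000",
              "date_of_birth": "1970-01-01", "ward": "B4"}   # constructed record
    exported = export_record(record, vault)
    print("to public cloud:", exported)
    print("leaked fields:", leaked_fields(record, exported))
    print("restored matches original:", restore_record(exported, vault) == record)
```

The vault is the piece that has to stay inside the resident domain; the exported copy carries nothing that can be resolved without it, which is the property the compliance chain in the screenshot relies on. Encryption of replicated data with keys held on the provider's KMS, the first method the post mentions, is a separate control and is not shown here.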

You can find a local VMware Sovereign Cloud provider, from the likes of Telefonica, UK Cloud, and OVH, on the VMware Cloud Provider Services page. Further reading material that may be of interest around sovereign cloud and the Gaia-X project in Europe is listed below.

What is Gaia-X?

Gaia-X is a broader project beyond sovereign cloud, that attempts to build a federated cloud ecosystem of data, infrastructure, and service providers. The aim is to deliver European digital sovereignty with a future cloud architecture, whilst controlling the flow of data for an overarching state through different legislation boundaries.

Data assets should be able to move freely between approved providers, with both parties providing tools to assist with the migration process to prevent lock-in. Access permissions and data usage controls will travel with the data as it moves through the ecosystem. As with sovereign cloud, the hyperscalers are not excluded and can still participate, providing data sovereignty remains intact. VMware are contributing to the development of the Gaia-X reference architecture as a day 1 member.

VMware Explore 2022 Session Picks

VMware Explore is the new flagship conference from VMware. This year the Europe event is back in real life, hosted in Barcelona November 7-10 2022. Explore replaces VMworld and has big shoes to fill; the latter ran for 18 consecutive years and attracted a combined 35,000+ visitors each year across 2 different regions.

VMware is known across the industry for innovation. First pioneering virtualisation, then the software defined datacentre, and more recently the multi-cloud universe. The new Explore event expresses some of the transformational areas of the VMware portfolio like modern applications and multi-cloud.

Although there is no hybrid or digital offering, many of the in-person sessions will be recorded and added to the VMware Explore Video Library, along with a significant amount of on-demand technical content. Check back to the Video Library after the event, as accessing the content is free of charge with a Customer Connect account.

You can browse the 300+ sessions in the VMware Explore 2022 Europe Content Catalog, or check out some of the interesting sessions I have pulled out below. What’s more, the back catalog of VMworld sessions from 2021 and 2020 is also available to view for free in the Video Archive. It’s great to see so many customer success stories this year, as well as several themes that tie in with the wider UK Public Sector policies and initiatives.

Public Sector and Customer Sessions

  • The Royal Air Force – Gaining Information Advantage [DOSB1822EUR]
  • Kingston University: Customer Journey with HCX [MCB3058EUR]
  • Police Pursuits and Microsoft Azure: Surrey and Sussex Police Talk SD-WAN [CEI1930EUR]
  • Migration to Cloud Using VMware Cloud on AWS: Police Digital Services [CEIB2777EUR]
  • Unleashing the power of AI in Healthcare with Nvidia and VMware [VIB8000EUR]
  • The Future of Healthcare was Yesterday [VIB2027EUR]
  • Keeping a University Medical Centre running during a VCF transition [MCLB1452EUR]
  • EDGE and IoT, the Next Public Sector Revolution? [CEIB1819EUR]
  • #TechForGood – Breaking Cycles of Criminality & Poverty in Criminal Justice [VIB2462EUR]
  • UK’s National Crime Agency is fighting crime with Horizon, NSX and Nvidia [SECB1455EUR]
  • Transforming the network of the UK’s largest public service department to improve citizen experience and increase efficiency [CEIB2901EUR]
  • Accenture Partners with VMware for Multi-Cloud Load Balancing Strategy [NETB3072EUR]
  • Deploy a Simplified and Resilient Disaster Recovery: Capgemini Success Story [CEIB2402EUR]
  • Data Spaces: enabling the digital economy [VIB2915EUR]

Cloud Infrastructure

  • Multi-Cloud Adoption Framework: Moving from Chaos Cloud to Smart Cloud in 5 Steps [CXS2947EUR]
  • Need to Migrate Thousands of Workloads? No Problem! [CXS4056EUR]
  • A Way to Get from Cloud A to B – An App Migration Story [CMB2229EUR]
  • 10 Exciting Things to Know About VMware Cloud Flex Storage [CEIB1327EUR]
  • Secure Your vSphere Workloads in VMware Cloud [CEIB1446EUR]
  • What’s New in Azure VMware Solution [MCLB1426EUR]
  • Google Keynote – Accelerate Transformation with Google Cloud VMware Engine [MCLB3096EUR]
  • Bring the Power of Google Services to Google Cloud VMware Engine [MCLB3097EUR]
  • Horizon on Google Cloud VMware Engine: Deployment and Migration Deep Dive [MCLB3098EUR]
  • Planet Scale Networking for Google Cloud VMware Engine [MCLB3099EUR]
  • A Unified Cloud Management Control Plane – Update on VMware Aria [CMB2210EUR]
  • Reduce IT Downtime and Maximize Productivity with Proactive Intelligence [CMB2525EUR]
  • How VMware IT Optimized Carbon footprint in Datacenters utilizing vRealize Operations [NETB2242EUR]
  • An Overview of Cost and Capacity Management in vRealize Operations [CMB2339EURD]
  • A Better Way to Onboard and Govern Native Public Clouds – AWS, Azure and GCP [CMB2355EUR]

Innovation and Self Development

  • Formula 1: No-Limits Engineering Delivered at the Edge by VMware and Lenovo [CEIB2262EUR]
  • Compelling New Innovations from the VMware Office of the CTO [VIB1542EUR]
  • Design Thinking in IT [VIB2801EUR]
  • How to Thrive in Today’s Remote or Hybrid Workplace [PCB4022EUR]
  • How to Justify What Cloud Training is Needed by Your Team [CXS1344EU]
  • Acquiring Practical Cloud Native, Kubernetes and Open Source Skills [OSB1812EUR]
  • Career Growth Fireside Chat: Cloud Path [PCB4024EUR]
  • Career Growth Fireside Chat: Security Path [PCB4017EUR]
  • 10 Amazing Innovations in vSphere 8 That You Absolutely Need to Know [CEIB1574EUR]
  • Technical Overview of vSAN 8 and vSAN Express Storage Architecture [CEIB2172EUR]
  • 60 Minutes of Virtually Speaking LIVE: Accelerating Cloud Transformation [MCLB2804EUR]

End User Computing

  • Create the Future of Candidate & Employee Experience in the Digital Space [EUSB1936EUR]
  • How BMW Delivers a VDI in 10 Minutes or Less [EUSB1814EUR]
  • On the Front Lines: Workspace ONE for Frontline Workers Technical Deep Dive [EUSB2082EURD]
  • Explore the Future of VDI and DaaS with VMware Horizon [EUSB4003EUR]
  • Horizon Cloud Service on Microsoft Azure: Nuts and Bolts [CXS1894EUR]
  • Architecting Multi-Cloud Horizon [EUSB2088EURD]
  • What’s New with Horizon 8? [EUSB2095EURD]
  • Load Balancing Use Cases for VMware Horizon [MCL2478EURD]

Networking and Security

  • Enforcing a Strong Zero Trust Ransomware Defense [SECB1960EUR]
  • A Light in the Darknet: Stopping Cyberthreats with SASE [CEIB1234EUR]
  • How Can Great User Experience Improve Security? [EUS1350EUR]
  • VMware SASE: What’s New and What’s Next [CEIB1892EUR]
  • Workspace ONE + SD-WAN – The First Step into SASE [CEIB1672EUR]
  • VMware SD-WAN Makes Working From Home Seamless [PCM3009EUR]
  • Evolve SD-WAN Use Cases for Enterprise, Government, Home, Cloud and Beyond [CEIB1931EUR]
  • SD-WAN to transition a global corporate WAN from MPLS [NETB2418EUR]
  • Day in The Life of a Cross Functional Security War Room [SECB2988EUR]
  • Defining XDR with Forrester and the XDR Alliance [SECB2360EUR]
  • Supercharge the Implementation of Micro-Segmentation with NSX Intelligence [NETB2791EUR]
  • Delivering Ransomware Protection with VMware NSX, VMware Carbon Black, and VMware Cloud Disaster Recovery [SECB1237EUR]
  • First Line of Defense: Secure Ingress Before Attacks Reach Your Apps [SECB2152EURD]
  • Flexible Cyber DRP in the cloud with VMware Cloud Disaster Recovery (demo) [CEIB2721EUR]

Hornetsecurity Cyber Threat Report

Introduction and Chapter 1

Hornetsecurity recently published their Cyber Threat Report Edition 2021/22. This post will examine why cybersecurity, and the Cyber Threat Report, are relevant in today’s digital world.

Cybercrime ranks amongst the highest of threats worldwide. In the UK, we have experienced cyberattacks on public services such as healthcare and local authorities. Just looking up cyberattacks in the news confirms recent attacks on a wide range of industries, such as retail providers, snack companies, news corporations, research centres, political parties, and airlines.

The impact of these attacks is far and wide reaching. Individuals can be impacted by data breaches, fraud, and loss of products and services. On a national scale, society can be impacted by the loss of critical national infrastructure, underpinning things like financial services and emergency response services.

Chapter 1 of the Cyber Threat Report starts by examining the monetary cost of cybercrime on a global scale, which has increased by 345 billion US dollars in just 2 years. The author moves on to more thought provoking subjects: world affairs like a pandemic, global espionage, and even war, can all be accelerated by cyberattacks.

Public sector and private sector industries of all kinds have multiple attack vectors in common. The report makes the case that email is typically one such example. This can be as an ingress point for ransomware attacks, or as a means of hijacking business or official email addresses. The news search I mentioned earlier highlights the breach of an official email address within one of the world’s largest intelligence and security services. Clearly anything we use in day-to-day life with a digital footprint carries a risk of being compromised, and that’s why this report is so important.

Chapter 2

The second chapter lifts the lid on the risk of email, starting out by stating that around 300 billion emails are sent every day. This number is expected to rise by a further 61.6 billion over the next 2 years, leading to an exponential rise in threats.

By analysing the email traffic of the first half of 2021, the Hornetsecurity Security Lab concluded that 40% of emails sent were classified as undesired emails. That’s potentially 120 billion unsolicited emails sent every day.

Most of these emails will already be blocked in advance, using known spam filters, known bad-sender lists, and identification of common traits. It’s obvious that executables will be rejected, and individuals are now savvier about opening links or Excel files from unknown senders. However, as education and cybersecurity protection improve, attackers themselves are becoming more sophisticated.

Embedding web pages, downloads, and links in HTML files or PDFs is now a common attack format. The Cyber Threat Report goes into the detail behind the most-used file types in malicious emails, really showing the wide range of tools attackers have adopted.

This same trend is echoed when it comes to both the industries affected, and the type of attacks carried out by cybercriminals. Examples include phishing, spearphishing, malicious attachments, blackmail, ransom leaks, and brand impersonation.

The global COVID-19 pandemic accelerated a shift towards online services, for public services like healthcare as well as private services like shopping and banking. Although digital enablement is a good thing, it does have the potential to increase the attack surface. Brand impersonation is a great example, and it’s good to see the report call out the impact of the pandemic on this type of attack vector. As expected, impersonation of brands like Amazon, DHL, and FedEx is commonly used with malicious URLs.
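The three techniques the last few paragraphs describe (executable attachments, HTML or PDF attachments that carry the link instead of the message body, and brand impersonation in the sender details) can all be surfaced with a small triage pass over the raw message. The script that follows is an added example written from the defender's side; it is not Hornetsecurity's product, nor code from the report. The extension deny list, the brand-to-domain table and both sample messages are constructed for illustration, so a real deployment would substitute the organisation's own lists.

```python
"""Triage a raw email for the mail-borne techniques the report review lists (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".ps1"}   # constructed deny list
LINK_CARRIERS = {".html", ".htm", ".pdf"}      # formats the report calls out for embedded links
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+", re.IGNORECASE)
# Brand name -> domains allowed to send as that brand (constructed, not authoritative).
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "dhl": {"dhl.com"},
    "fedex": {"fedex.com"},
}


def triage(raw_message: str) -> list:
    """Return a list of findings; an empty list means nothing matched."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Brand impersonation: a brand name in the display name or address, sent from elsewhere.
    display_name, address = parseaddr(str(msg["From"] or ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in f"{display_name} {address}".lower() and sender_domain not in allowed:
            findings.append(f"brand impersonation: {display_name!r} <{address}> is not sent from a {brand} domain")

    # Attachments: reject executables outright, and pull links out of HTML/PDF carriers.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        ext = filename[filename.rfind("."):] if "." in filename else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {filename}")
        elif ext in LINK_CARRIERS:
            payload = part.get_payload(decode=True) or b""
            urls = sorted({u.decode("utf-8", "replace") for u in URL_RE.findall(payload)})
            if urls:
                findings.append(f"link-carrying attachment {filename}: {', '.join(urls)}")
    return findings


# Constructed sample: parcel lure with an HTML attachment carrying the link and a disguised executable.
SAMPLE_PHISH = """\
From: "Amazon Delivery" <notice@amazon-parcel-update.example>
To: someone@example.org
Subject: Your parcel could not be delivered
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

Please open the attached delivery note.
--B1
Content-Type: text/html; name="delivery-note.html"
Content-Disposition: attachment; filename="delivery-note.html"

<html><body><a href="https://amazon-parcel-update.example/track">Track parcel</a></body></html>
--B1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxl
--B1--
"""

# Constructed sample: a plain-text notification from an allowed brand domain.
SAMPLE_LEGIT = """\
From: "Amazon.co.uk" <order-update@amazon.co.uk>
To: someone@example.org
Subject: Your order has dispatched
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Your order is on its way.
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PHISH):
        print(finding)
    print("legitimate message findings:", triage(SAMPLE_LEGIT))
```

The double extension on the second attachment is why the check looks at the last suffix only; an extension allow list on its own would not have caught a file named to look like a PDF. In practice this kind of triage sits behind the spam and reputation filters the post mentions and catches what those let through.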

The final section of the second chapter talks to the rise of as-a-service offerings on the dark web, which is something I was hoping would be called out. There is a growing market for Ransomware-as-a-Service, as well as for attackers to penetrate networks or systems, and then sell that access to the highest bidder. There are several use cases for this type of transaction: it could be selling secrets to competitors, opposing governments or nation states, for criminal or monetary extortion, and so on.

Chapter 3

The third chapter in the Cyber Threat Report breaks down Malware-as-a-Service (MaaS) further, with a compelling example. Emotet evolved from a banking trojan to a widely distributed MaaS operation, forming a network of cybercriminals. Before being disabled in early 2021, Emotet could infect a system and hijack email conversations, spreading amongst email contacts and mailbox recipients.

Emotet was eventually taken down by an international operation of law enforcement. In the aftermath, many other botnets have emerged, but none yet have the same scale. That said, the landscape is ever changing and as the report highlights, the existing customer base of Emotet’s MaaS operation still exists.

The final note for the ‘threat highlights’ of 2021 is the Microsoft Exchange hack. Microsoft Exchange is perhaps one of the world’s most widely used technologies, and an estimated 250,000 email servers were hit by attacks in March 2021.

The vulnerabilities were made up of 4 separate types, impacting multiple versions of Microsoft Exchange Server. Although an unscheduled security update was released, breaches were widespread before the patch could be fully rolled out.

It is believed the attack was carried out by a Chinese state-sponsored hacker group, and in the clean-up that followed even the FBI were involved in removing traces from corporate networks to take out the risk of further attacks.

Chapter 4 and Summary

The report closes by highlighting the increase in digitalisation, as well as the number of devices and accounts, all providing opportunities for cybercrime to continue across borders and continents. As predicted, a huge increase in ransomware attacks is already starting to materialise. We’ve read throughout the report of the many and evolving attack options for cybercriminals, and the role in which email plays.

Microsoft 365 is an Office 365 suite with over 258 million active users; it provides Microsoft Exchange and other Microsoft products as Software-as-a-Service (SaaS). Whilst SaaS in general can help reduce the manual overhead of securing IT infrastructure, it doesn’t in any way rule out cyberattacks.

According to Hornetsecurity, every fourth business that uses Microsoft 365 has been affected by an email security vulnerability. Reading the Cyber Threat Report is really an eye opener for both individuals and businesses as to the risks we encounter, and often don’t even see, every time we carry out any form of digital interaction.

The Cyber Threat Report Edition 2021/22 from Hornetsecurity is available to download and read now.