Deep Security 9.0 has the following new features and enhancements:
Multi-Tenancy lets you create independent installations of Deep Security within your enterprise. You can create Deep Security Tenancies for individual departments or lines of business within your organization. Each tenant has access to all the functionality of Deep Security except core system settings. Tenants are responsible for the creation and management of their own assets, users, policies and rules independently of other tenants. No tenant's assets or security components are visible to any other tenant. Each tenancy is independent and isolated from every other tenancy.
Deep Security now supports multiple levels of policy inheritance. A newly created policy can be configured to inherit all or some of its settings from a parent policy. This lets you create a tree structure of security policies that get progressively more granular and detailed. For example, you can create a parent policy called "Windows Server" and two child policies, "Windows Server 2008" and "Windows Server 2003", which inherit from their parent policy. Each of those child policies can in turn have child policies of their own for different editions of Windows Server.
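The following is an added illustration of how multi-level policy inheritance resolves, not code from Deep Security itself: each policy stores only the settings it overrides, and the effective configuration is built by walking from the root down to the leaf. The setting names, values and the grandchild policy "Windows Server 2008 Enterprise" are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Policy:
    name: str
    parent: Optional["Policy"] = None
    # Only settings overridden at this level; anything absent is inherited.
    overrides: Dict[str, object] = field(default_factory=dict)

    def chain(self):
        """Return the policies from the root down to this one, refusing cycles."""
        seen, path, node = set(), [], self
        while node is not None:
            if id(node) in seen:
                raise ValueError(f"inheritance cycle at policy {node.name!r}")
            seen.add(id(node))
            path.append(node)
            node = node.parent
        return list(reversed(path))

    def effective(self) -> Dict[str, object]:
        """Root settings first, each child level overriding on top."""
        result: Dict[str, object] = {}
        for p in self.chain():
            result.update(p.overrides)
        return result

    def source_of(self, key: str) -> Optional[str]:
        """Name of the nearest policy in the chain that sets `key` (for audit)."""
        for p in reversed(self.chain()):
            if key in p.overrides:
                return p.name
        return None


# Constructed sample tree mirroring the page's Windows Server example.
root = Policy("Windows Server", overrides={"firewall": "on", "ips_mode": "prevent"})
ws2008 = Policy("Windows Server 2008", parent=root, overrides={"ips_mode": "detect"})
ws2003 = Policy("Windows Server 2003", parent=root)
ws2008_ent = Policy("Windows Server 2008 Enterprise", parent=ws2008,
                    overrides={"integrity_monitoring": "on"})
```

Resolving `ws2008_ent.effective()` yields the firewall setting from the root, the detect-only IPS mode from its parent, and its own integrity monitoring setting.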
IPv6 is now supported by the Deep Security Firewall and Intrusion Prevention modules. Existing rules will be applied to both IPv4 and IPv6 traffic. New rules can be created to apply to IPv4, IPv6, or both.
Recommendation scans can now be performed on virtual machines being protected by a Deep Security Virtual Appliance. Intrusion Prevention and Integrity Monitoring rules can automatically be assigned based on the result of a recommendation scan, and firewall rules can automatically be assigned based on the result of a scan for open ports.
Scripting support has been added to Deep Security to allow the automated deployment and activation of agents. Upon activation, agents can automatically run a recommendation scan and assign rules based on the results.
Tasks such as Policy, Rule, and Group assignment can automatically be carried out on newly discovered assets based on their hostnames, IPs, Tenancy ID, Tenancy Template, Instance Type, or other cloud asset properties.
VMware TPM is a hardware-based encryption module attached to ESX/ESXi that is used to measure and sign information produced during the ESX boot sequence. A change in the TPM signature indicates a change in the ESX boot sequence, which could represent an attack (a change that replaces or alters a critical component in the hypervisor). The Deep Security Integrity Monitoring module can monitor TPM signatures and raise alerts if changes are detected.