Challenges Impacting Advanced Threat Prevention for the Software-Defined Data Center

Few technologies have enhanced business agility and economics as much as data centre virtualization. By abstracting physical servers as software running on a hypervisor, server virtualization has enabled IT to deploy new virtual servers and applications in minutes, speeding time to market for new business services and initiatives. Storage virtualization followed close behind, allowing fast provisioning of a virtual storage pool to applications at will.

A software-defined data centre (SDDC) is a data centre where all infrastructure is virtualized and delivered as a service. Control of the data centre is fully automated by software, and hardware configuration is maintained through intelligent software systems. The SDDC allows businesses to ramp up scale, migrate and take down services and applications at a pace never seen before in the physical data centre.

For all its advantages, however, the SDDC introduces new security challenges that can only be met with a comprehensive, virtualization-aware security strategy and the next-generation security tools to implement it. Specific to SDDCs, the following questions often arise:

  • Abstracting resources comes with a layer of management overhead; will each virtual machine or tenant be managed individually?
  • Will there be visibility into East-West traffic within the virtual network?
  • Servers can be provisioned at speed; will security be able to keep up?

Securing a virtualized environment is not the same as simply virtualizing existing security appliances. Compared to a traditional physical network, a virtualized environment has different security requirements. Security providers should therefore understand the features of the cloud platform and the requirements of the business before architecting and delivering a security solution for the virtualized environment. Beyond the traditional network and security zones, an added layer of security should treat individual virtual machines and virtual networks as the protected objects.

The move from a physical to a virtual SDDC introduces a host of new security challenges.

  • No physical boundary: The traditional physical boundaries between network segments no longer exist. IT can configure one or more virtual networks that span not only multiple physical servers but even multiple dispersed data centres.
  • An expanded security zone: Since many virtual machines (VMs) can run on a single physical server, a security zone that once encompassed several physical servers may now cover hundreds or even thousands of VMs.
  • Blurred responsibility: Cloud users can deploy VMs, storage and networks almost instantly on demand. In such a fast-moving environment, with virtual resources spinning up and down all the time, it’s often not clear whose responsibility it is to ensure that all those deployments happen in a secure manner.
  • East-west visibility: For years, security strategies, tools and solutions focused on network traffic entering and exiting the supposedly trusted data centre or network segment, often called north-south traffic. Virtualization, distributed applications and the cloud have led to dramatic increases in east-west traffic among VMs in the same data centre and sometimes even on the same physical server. Many multitenant cloud services pack virtual machines from different customers on the same physical server, requiring isolation of each tenant’s infrastructure and traffic flows from those of the others, except in cases where it is explicitly allowed. Legacy firewalls and other security tools offer little visibility into or control of east-west traffic. Without a solution that can monitor and limit east-west traffic in accordance with security policies, hackers that succeed in penetrating the network can move laterally across virtual hosts, networks and tenants with nothing to stop them.
  • Security agility: With their manual configuration and physical network deployment, legacy security solutions were not designed to keep up with the fast, dynamic pace of the SDDC, where workloads can be orchestrated, provisioned, scaled, migrated and automated at a pace never seen in the physical world. SDDCs need security strategies and solutions that can keep up with this constant change, securing and following workloads and their VMs automatically as they deploy, expand, contract and migrate.

Addressing key challenges

The following are some key features a solution should have in order to address the security gaps in an SDDC.

  • Fully Automated, Advanced Layer 4-7 Threat Protection for all traffic entering, exiting and moving within the data center and cloud.
  • Comprehensive Threat Visibility across all data center traffic, including virtual networks and applications. Cloud administrators should be able to easily zoom in or out on parts of the map display for more information, open or close a subnet group, and check on traffic or threat details simply by clicking on the components of a topology graph.
  • Effortless Scaling Through Active Orchestration. When a new VM is brought up and scaled according to user demand, it is important to be able to swiftly register, orchestrate and deploy virtual security service modules (vSSMs). Total throughput should scale linearly with the number of vSSMs started, so that deploying additional modules neither degrades protection nor has a negative impact on application performance.
  • Automated migration with VMs, forwarding session data to the target vSSM automatically. As VM traffic resumes on the target host, the vSSM there already has the session information to process the traffic without interruption.
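
As an added illustration (not code from the original article or from any vendor's vSSM), the following constructed Python model shows the two mechanisms described above: default-deny tenant isolation for east-west traffic, and session state that follows a VM when it migrates, so that mid-stream traffic is neither interrupted on the target host nor accepted there without state. The VM names, tenants and allow rule are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_vm: str
    dst_vm: str
    dport: int
    syn: bool  # True for the first packet of a TCP connection

# Constructed inventory (hypothetical names): VM -> owning tenant.
VM_TENANT = {"web1": "acme", "db1": "acme", "app1": "globex"}
# Constructed allow rules as (src_tenant, dst_tenant, dport). Anything not listed
# is denied, so cross-tenant east-west flows are blocked unless explicitly allowed.
ALLOW_RULES = {("acme", "acme", 5432)}

class VSSM:
    """Per-host virtual security service module (constructed model, not a vendor product)."""
    def __init__(self, host):
        self.host = host
        self.sessions = set()  # established flows as (src_vm, dst_vm, dport)

    def handle(self, pkt):
        """Return 'allow' or 'drop' for a packet seen on this module's host."""
        flow = (pkt.src_vm, pkt.dst_vm, pkt.dport)
        if pkt.syn:
            rule = (VM_TENANT[pkt.src_vm], VM_TENANT[pkt.dst_vm], pkt.dport)
            if rule not in ALLOW_RULES:
                return "drop"  # default deny, which covers all cross-tenant traffic
            self.sessions.add(flow)
            return "allow"
        # Mid-stream packet: accepted only if this module already holds the session state.
        return "allow" if flow in self.sessions else "drop"

def migrate_vm(vm, source, target):
    """Hand a migrating VM's established sessions from the source host's module to the target's."""
    moving = {f for f in source.sessions if vm in f[:2]}
    source.sessions -= moving
    target.sessions |= moving
    return len(moving)

def demo():
    host_a, host_b = VSSM("hostA"), VSSM("hostB")
    syn = Packet("web1", "db1", 5432, syn=True)
    data = Packet("web1", "db1", 5432, syn=False)
    results = [host_a.handle(syn), host_a.handle(data)]
    results.append(host_b.handle(data))  # hostB has no state for this flow yet -> drop
    moved = migrate_vm("web1", host_a, host_b)
    results.append(host_b.handle(data))  # state followed the VM -> allow, no interruption
    results.append(host_b.handle(Packet("app1", "db1", 5432, syn=True)))  # cross-tenant -> drop
    return moved, results
```

Running `demo()` returns the number of migrated sessions and the per-packet verdicts, showing the mid-stream packet dropped on the target host before migration and allowed after it.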

Today’s dynamic data centers operate against the backdrop of cyber threats faced by businesses everywhere. However, with the right solution addressing the challenges of deploying secure SDDC solutions, customers can now reap the full benefits of a true software-defined data center without compromising security.