Jul 8, 2013, 05:00 pm EST
Virtualization has redefined the data center and, in so doing, created a new approach to network architecture. An environment that converts servers into files, collapses administrative roles and introduces a new concept entirely – the hypervisor – requires dramatically different management, access and process protocols as compared to physical data centers.
Meeting these challenges are the newly minted “software-defined” solutions. The terms “software-defined data centers” and “software-defined networks” have officially penetrated the IT lexicon. More recently, “software-defined security” has entered the mix. But what are these trendy new solutions all about?
Simply put, software-defined solutions offer visibility and control for virtualized infrastructures by applying principles that mirror those of virtualization more generally: abstraction, elasticity, pooling and automation. Virtual and cloud solutions deliver levels of scalability, flexibility and efficiency unmatched by physical appliances, but they do so within environments that are invisible to those same appliances – or the human eye – and, consequently, are very difficult to manage.
Security Challenges in the Virtual Data Center
Protecting assets in this virtual space also presents unique security challenges. When moving to a virtual environment, significant security gaps are introduced, either because time-worn security approaches are no longer appropriate or adequate, or because virtualization changes data center topology in ways that had not been contemplated by the current security plan. As a result, vanilla hypervisors unprotected by virtualized security render virtualized networks vulnerable to attacks.
Even multiple physical network security devices (such as intrusion detection and firewall appliances) deployed across the data center can neither see nor protect the blind spots created by the virtual network fabric. Since VMs are no longer in the data path of physical security devices, there is no way for these appliances to be aware of VM-to-VM activity or even to know if a VM has been turned on or off. Without awareness, there can be no protection, no enforcement and no control. Beyond visibility, the limitations of stateful, hardware-defined security become acute in a virtualized data center as IT needs to address the inherently transient and mobile nature of virtual machines (VMs).
Compliance and audits are also a major concern. Industry regulations such as FISMA, PCI and HIPAA have complex compliance requirements for organizations wishing to adopt a virtual infrastructure. Without a virtualization-aware security solution, it can be very costly to attain, maintain and prove compliance. Unfortunately, management teams who don’t understand this reduce their risk by choosing to move only some of their assets for fear of a security breach, and in turn weaken the business case for virtualization in the first place.
Investing time and money architecting a virtual data center that is highly scalable and cost-efficient ought to produce a data center that measures up in security protection as well. Software-defined data centers and networks will help manage the virtual infrastructure effectively. Software-defined security will enforce policies and protect the network, including even mission-critical assets.
Software-Defined Network Security
Software-defined security is actually introducing simplicity to the world of network security. As software, it is decoupled from physical devices and APIs just as computing is decoupled from hardware in virtual infrastructures. This abstraction is the foundation for establishing common security models or policies that can be deployed repeatedly without concern for underlying physical hardware capabilities.
Logical security policies are attached to individual assets, automating detection and response instantly. They are also portable as assets carry their security settings with them as they move or scale. Security, as software, is available “on-demand” and can be deployed on a scale that is appropriate to each host hypervisor, growing as needed. Policies are elastic and can extend across a data center.
Perhaps the most compelling benefit of software-defined security is that security controls are integrated and orchestrated as a coordinated unit for intelligent analysis and action. This level of orchestration is rarely implemented in traditional data centers given the complexity and expense involved in aggregating various types of security devices that typically speak different languages.
Software-defined security lives within the virtualized network with total visibility of assets, resulting in extensive and precise net flow mapping. This visibility also supports efforts to maintain compliance posture and show compliance during an audit. With automated and integrated security controls, software-defined security is an important component for IT and security managers wishing to protect their assets in a virtualized data center.
Essential Security Controls for the Virtual Data Center
In the complex world of virtual networks, there are some very specific best practices that are essential to any organization (such as financial institutions, healthcare organizations and government entities) holding proprietary information. These network controls map to a defense-in-depth approach to security, and employing them will ensure redundancy to protect against network vulnerability or failure.
- Access control to restrict and monitor administrative access points and configuration changes
- Inventory management capability to ensure visibility and control of all assets
- Policy automation to monitor network activity and enforce against assigned policies
- Vulnerability protection to protect the hypervisor and monitor access points via firewall
- Incident response automation to monitor traffic (net flow) and behavior or intrusion (IDS/IPS), identify an attack, compromised endpoint or policy violation, and generate instant alerts as needed
- Auditing capability to be able to track activity, measure security posture and understand remediation workflow
Conclusion
Deploying software-defined security that integrates and automates classic network security controls with a hypervisor while providing visibility into the network will enable organizations to virtualize more of their assets. Security is all about managing risk. With proper planning, design and implementation, virtual data centers can be more secure than their physical counterparts.
By Tamar Newberger, VP, Catbird
Tamar Newberger is the VP of marketing and an executive on the management team of Catbird, a leading company in software-defined security. Ms. Newberger has over 25 years of experience in technology development, systems engineering and marketing.