White Paper. Architecting the security of the next-generation data center. why security needs to be a key component early in the design phase

Transcription

1 White Paper Architecting the security of the next-generation data center A White Paper by Bloor Research Author : Fran Howarth Publish date : August 2011

2 teams involved in modernization projects need to factor in security into the design phase of data center builds Fran Howarth

3 Executive summary Due to the increase in the adoption of productivity and collaboration tools, and due to pressures to make mobile and other smart computing devices network ready, the workload on IT has increased exponentially. Data centers that house the systems necessary to support the organization have grown in scale and complexity. Much of this growth has occurred in an ad hoc fashion, with new systems added as required, including point security controls to address challenges as they have occurred. This introduces multiple inefficiencies, including low levels of resource utilization, and makes re-envisioning security within the data center infrastructure a challenging, yet necessary, task. Because of these factors and because the majority of organizations face budgetary constraints that force them to try to do more with less, a high proportion of organizations are looking at modernizing their data center infrastructure through consolidation, virtualization and by leveraging the cloud. The resulting architecture is very different to that seen previously, comprising a mix of both physical and virtual systems, and this has far-reaching implications for security. In traditional data centers, security controls can be applied to each physical system and systems with different levels of criticality or those that contain the most sensitive data can be physically separated. This is no longer the case for nextgeneration data centers where virtual resources cannot be compartmentalized in the same way and security controls can no longer be tied to physical resources. Instead of a disjointed, siloed approach, with all its inherent inefficiencies and liabilities, a federated security model is required, with security policies and controls tied to each resource, physical or virtual, and based on context and identity of each resource, not on the physical machine on which it resides. The traditional strategy of bolting on security controls cannot work in a dynamic, highly interconnected data center environment. What is needed is in-depth, integrated security controls that span the entire infrastructure, covering physical, virtual and cloud environments. This can only be achieved if security is built into the very design of the data center, whether ground up, or during a major upgrade or refresh as part of the very fabric of the data center design. Therefore, security must be part of the design considerations from day one. This document is aimed at those looking at data center builds, upgrades or consolidation. It provides an introduction to some of the new security challenges of such environments and provides recommendations for implementing security in next-generation data centers. Fast facts Security needs to be built in at the design stage during key inflection points as data centers are built out, virtualized or upgraded and must be applied consistently across all systems in a hybrid environment that spans physical and virtual systems, as well as cloudbased computing. While the chief goals of data center modernization projects are to enable the business by being able to accommodate rapidly changing business needs, whilst reducing operational complexity and cost, risk and compliance obligations must also be prioritized. Organizations embarking on data center modernization projects should look for an integrated set of security controls that provide common, federated management and reporting across hybrid environments that may include extensions to private and public clouds. The bottom line Many security challenges are new and evolving and those engaged in data center modernization projects need to understand them before such projects are implemented so that security is planned and built in, rather than bolted on as an afterthought. Achieving effective security across next-generation data centers that are a hybrid mix of physical, virtual and cloud environments will enable the business by improving its ability to offer dynamic services that are always available, and that are resilient and secure. This will improve the capability to manage risk, apply and enforce consistent security policies, and to achieve compliance objectives. A Bloor White Paper Bloor Research

4 Data center modernization According to the Uptime Institute, demands on data centers double every five years and demand for storage is growing even more rapidly. Data centers are also increasingly inter-connected and linked to the outside world as organizations embrace new technology delivery models such as software as a service and cloud computing to drive down capital expenditures and must cater to the needs of the always-on mobile generation of workers connecting to resources via smartphones. Because of factors such as these, as well as the ongoing need to streamline new business processes, reduce operational costs and further improve efficiencies through automation, many organizations are looking to consolidate and upgrade their data centers. According to a recent survey by Network World, 62% of respondents are planning or are engaged in data center upgrades. One key area in which organizations are looking to modernize their data centers and reduce expenditures is through virtualization, which means that capital expenditures on physical systems can be reduced. According to consultants McKinsey & Company, most servers in data centers use just 6% of their available capacity. With virtualization, utilization rates can be driven up considerably. The Network World survey shows that more than half of respondents are expecting to virtualize 40% of their servers in 2011, and one-third to virtualize about 60%. Technology vendor CDW LLC recently conducted a survey in which it found that 95% of respondents indicated that server virtualization has brought them considerable cost savings in the form of increased IT productivity, greater business agility, adaptability and flexibility, and reduced energy consumption and costs. Data centers are used to house data, applications and other resources that are critical to the success of the business and therefore must be secure, resilient and fully available to ensure productivity remains high and the organization is protected from harm. Traditionally, organizations have put in place many security controls, including physical controls to prevent unauthorized access. Information security controls are also important for data centers and almost every organization uses technologies such as anti-virus controls, intrusion detection and prevention, and firewalls. However, these are often point solutions that are applied to specific systems and are often bolted on as an afterthought. Organizations do not want to erode the cost and efficiency savings associated with virtualization by implementing cumbersome, siloed security controls, each requiring standalone management and maintenance. A siloed approach is no longer sufficient for the next-generation data centers that are being built today, with their complex array of physical and virtual systems, and with all manner of devices connecting to the applications and resources that they contain. In traditional data center architectures, resources are physically separated and different levels of security can be set for each zone. Prior to virtualization, applications were installed on physical servers, each of which had its own identity for controlling access via policies set for each individual machine, and point security controls could be applied to each system. This classic architecture is depicted in Figure 1. With virtualization, that model changes. It allows for many virtual machines to be housed on one physical server. Not only that, but also those virtual machines can be migrated across data centers or even out to the cloud. This mobility is essential for the smooth and efficient running of next-generation data centers and provides the foundation for cloud computing, where resources are required to move between clouds, or to and from the data center. It allows for new, efficient methods of provisioning resources and for maintaining those resources in an optimal state to ensure robust and continued service delivery. Applications that require maintenance can be migrated to another server without causing downtime or resources can be migrated to another data center to solve space or other constraints as a data center expands. Figure 2 illustrates an example of this new paradigm. Physical servers support multiple virtual machine containers and the virtual machine hosts an application. Instead of traffic flowing hierarchically, as in traditional architectures, a new distributed architecture is required which efficiently supports east-west and north-south traffic with minimum latency whilst fully utilizing the available bandwidth. However, this new architecture brings with it many implications for security. Virtual machines that can be moved around break the model of Bloor Research A Bloor White Paper

5 Data center modernization Figure 1: Classic hierarchical Ethernet infrastructure Figure 2: Ethernet fabric architecture A Bloor White Paper Bloor Research

6 Data center modernization tying security policies to physical resources. Instead, a federated security model is required, with policies applied to applications and their virtual containers according to context, such as what type of application it is, and tied to the identity of the user accessing it. Virtualized machines also have implications for network security because it is quick and easy to put up a new virtual machine, making it a hard job to keep track of all resources and to ensure that each has security controls that are sufficient to establish and maintain trust boundaries and to enforce compliance objectives. Virtualization erodes the ability to segregate the data center into separate security zones, such as placing corporate finance servers in a physically segregated area, because this prevents the ability to scale across all resources, which is a key design objective of next-generation data centers that aim to boost utilization. This means that security controls must be applied at a much more granular level according to context to avoid applications with different risk sensitivities running side by side, which can cause compliance violations or increase the risk of security attacks between virtual machines, such as privilege escalations or denial of service attacks. To get around the problem of a lack of physical segregation in a virtualized environment, virtual switches are used to provide isolation and security monitoring between virtual machines, providing secure zones. Another security implication of next-generation data centers is that network designs are being flattened owing to the changing topology from server stacks with north-south traffic flows to flattened network designs with east-west traffic, as shown in Figures 1 & 2. One of the drivers for this change is virtualization, which requires a great deal of server-to-server traffic, rather than client-server,as in the old model. Efficient eastwest traffic flow is essential for virtual machine mobility and the use of such Ethernet fabric will increase compute speeds significantly by reducing latency and providing full network bandwidth. A flattened network design is a key enabler for building very large, scalable networks and forms the basis for private cloud deployments. However, there are implications regarding where security controls should be placed and over their effectiveness. For example, enforcing policies with traditional firewalls is fairly straightforward for north-south traffic, but they are not effective for east-west traffic, in which security is applied independent of physical layer enforcement. In a flattened network, firewall, intrusion detection and prevention systems, and anti-malware must be interoperable with flat network standards so that there are no security blind spots. Security and access policies must be tied to virtual machines so that they are consistently applied. This requires that security be integrated so that those policies can be monitored and managed through a central console that spans both physical and virtual systems Bloor Research A Bloor White Paper

7 Recommendations for next-generation data center security To cut costs, increase business agility and support an ever-increasing number of devices connecting to data centers for productivity and efficiency gains, organizations embarking on next-generation data center projects must re-think their security strategies. Perimeter defence mechanisms are no longer sufficient and the objectives of virtualization mean that organizations can no longer rely on physical separation for security. Traditional security controls are also ineffective in the hybrid physical-virtual environment of the next-generation data center as they are unable to monitor virtual machines properly or effectively enforce policies in dynamic environments. Security is also something that must be built in at the design stage to provide in-depth, integrated security to ensure that attacks cannot spread unchecked across all systems on a single infrastructure spanning physical, virtual and cloud environments. The traditional strategy of bolting on security, often to protect a particular host in response to a security incident, cannot work in the highly interconnected environment of the next-generation data center. As organizations rearchitect their data centers, this creates an opportunity for a complete overhaul of the security required for these new data centers. However, the survey from Network World indicates that half of respondents are relying on the same security model for virtualization as for physical servers even though respondents view targeted attacks and security breaches as the biggest threats to their next-generation data center. Selected best practices for next-generation security Include security and compliance objectives as part of the data center design and ensure the security team is involved from day one. Security controls should be developed for each modular component of the data center servers, storage, data and network united by a common policy environment. Ensure that approach taken will not limit availability and scalability of resources, as these are prime reasons for investing in a next-generation data center. Develop and enforce policies that are context, identity and application-aware for least complexity, and the most flexibility and scalability. Ensure that they can be applied consistently across physical, virtual and cloud environments. This, along with replacing physical trust zones with secure trust zones, will provide for seamless, secure user access to applications at all times, from whatever device is used to connect to resources in the data center. Choose security technologies that are virtualization-aware or enabled, with security working at the network level rather than the server. Network security should be integrated at the hypervisor level to discover existing and new virtual machines and to follow those devices as they are moved or scaled up so that policy can be dynamically applied and enforced. Monitor everything continuously at the network level for the ability to look at all assets, physical and virtual, that reside on the LAN, even those that are offline, and all interconnections between them. This monitoring should be done on a continuous basis and should be capable of monitoring dynamic network fabrics. Monitor for missing patches or application or configuration changes that can introduce vulnerabilities that can be exploited. Look for integrated families of products with centralised management that are integrated with or aware of the network infrastructure, or common monitoring capabilities for unified management of risk, policy controls and network security. This will also provide detailed reports across all controls that provide the audit trail necessary for risk management, governance and compliance objectives. A Bloor White Paper Bloor Research

8 Recommendations for next-generation data Integrated families of products need not necessarily be procured from just one vendor. Look for those that leverage the needed capabilities of a strong ecosystem of partnerships to provide a consolidated solution across all data center assets. Consider future as well as current needs and objectives at the design stage, such as whether access is required to public cloud environments. Define policies and profiles that can be segmented and monitored in multi-tenant environments. Consider security technologies that provide secure gateway connections to public cloud resources Bloor Research A Bloor White Paper

9 Summary Data centers protect and make available the business information that is the lifeblood of organizations. Yet, with the onus on increasing efficiency, providing innovative services to enable business differentiation and at the same time reducing costs, many organizations are looking to modernize their data centers. This creates many opportunities, but also throws up new challenges, among which are new security concerns. To deal with this, teams involved in modernization projects need to factor in security into the design phase of data center builds and move from a reactive security stance whereby security controls are bolted on when needed to a proactive one in which security becomes part of the basic fabric. Further Information Further information about this subject is available from A Bloor White Paper Bloor Research

10 Bloor Research overview Bloor Research is one of Europe s leading IT research, analysis and consultancy organizations. We explain how to bring greater Agility to corporate IT systems through the effective governance, management and leverage of Information. We have built a reputation for telling the right story with independent, intelligent, well-articulated communications content and publications on all aspects of the ICT industry. We believe the objective of telling the right story is to: Describe the technology in context to its business value and the other systems and processes it interacts with. Understand how new and innovative technologies fit in with existing ICT investments. Look at the whole market and explain all the solutions available and how they can be more effectively evaluated. About the author Fran Howarth Senior Analyst - Security Fran Howarth specializes in the field of security, primarily information security, but with a keen interest in physical security and how the two are converging. Fran s other main areas of interest are new delivery models, such as cloud computing, information governance, web, network and application security, identity and access management, and encryption. Fran focuses on the business needs for security technologies, looking at the benefits they gain from their use and how organizations can defend themselves against the threats that they face in an ever-changing landscape. For more than 20 years, Fran has worked in an advisory capacity as an analyst, consultant and writer. She writes regularly for a number of publications, including Silicon, Computer Weekly, Computer Reseller News, IT-Analysis and Computing Magazine. Fran is also a regular contributor to Security Management Practices of the Faulkner Information Services division of InfoToday. Filter noise and make it easier to find the additional information or news that supports both investment and implementation. Ensure all our content is available through the most appropriate channel. Founded in 1989, we have spent over two decades distributing research and analysis to IT user and vendor organizations throughout the world via online subscriptions, tailored research services, events and consultancy projects. We are committed to turning our knowledge into business value for you.

11 Copyright & disclaimer This document is copyright 2011 Bloor Research. No part of this publication may be reproduced by any method whatsoever without the prior consent of Bloor Research. Due to the nature of this material, numerous hardware and software products have been mentioned by name. In the majority, if not all, of the cases, these product names are claimed as trademarks by the companies that manufacture the products. It is not Bloor Research s intent to claim these names or trademarks as our own. Likewise, company logos, graphics or screen shots have been reproduced with the consent of the owner and are subject to that owner s copyright. Whilst every care has been taken in the preparation of this document to ensure that the information is correct, the publishers cannot accept responsibility for any errors or omissions.

12 2nd Floor, St John Street LONDON, EC1V 4PY, United Kingdom Tel: +44 (0) Fax: +44 (0) Web: