This guest blog post is by Shiv Agarwal, CEO, Arkin, a Software-Defined Data Center Operations Company. We thank Arkin for being a sponsor.
Traditional Security in the Virtualized Data Center
Are you confident that the security controls you’ve implemented in your data center actually create the outcomes you intended?
Traditional security models are losing relevance in the age of virtualization, workload mobility, and the software-defined data center. In the traditional model, firewall rules were defined on IP addresses and subnets, and those IPs were tightly coupled with workloads. The relationship was fairly static and enforced in a centralized physical firewall that governed traffic flows into and out of the machines. It looked something like this:
Modern Security Is Not Without Challenges
To address the limitations of this static, IP-bound model, vendors have enabled new approaches that allow dynamic and granular application-level security regardless of network settings and the location of the machine.
For example, VMware NSX, Cisco ACI and Amazon AWS let administrators write high-level rules in a declarative fashion. The different components of the data center architecture then try to ensure that the security you declared and intended is what you get at runtime. These new approaches fall under the umbrella of Software-Defined Security and Micro-Segmentation and look something like this:
This is clearly a more flexible and superior model. However, it has several moving parts and is very dynamic, leading to several real-world operational challenges for IT teams. Here’s why.
In the new model, an organization defines security groups that have a hierarchy and can be static or dynamic. These groups can be based on network addresses, application tiers, security tags, compliance zones and so on.
A virtual or physical machine gets assigned to one or more of these security groups. The assignment is based on the machine’s properties and the security group definitions.
At runtime, the relationships between security groups, firewall rules, and machine are translated and processed to determine who inherits what rules, who can talk to whom, and which flows are allowed.
That’s all well and good, but the following challenges arise:
- Predictability: A machine may not get assigned to any security group, or may get assigned to the wrong one, and the mistake can be masked by the complex hierarchy of security groups and their relationships.
- Accuracy: An application might inherit some unwanted firewall rules and security policies because it’s part of multiple security groups or the definition of a security group is very broad. Or a higher-level rule can mask or shadow a rule lower in the hierarchy, thereby changing the effective policy for the machine.
- Consistency: The management plane (policy point) and data plane (enforcement point) could go out of sync or the runtime mapping and behavior could drift with time as the environment evolves.
Effectively, the runtime security posture of an application is now very different from the original intent! This is a huge security risk. Unwanted communication and flows can show up in data centers. Two machines can start talking to each other when they are not supposed to. Unsecured communication with the outside world can begin without anyone noticing.
Introducing the Assured Security Model
In the Assured Security Model, the security you configured is the security you get at runtime. Analytics play a key role. Using real-time data from the management, control, and data planes, the analytics layer continuously measures, reports, and corrects any inconsistent or inaccurate security state between security groups, virtual machines, and firewall rules. This can easily extend into the public cloud, enforcing a consistent security posture in a hybrid cloud setting.
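To make the three operational challenges above concrete, and to show the kind of check an analytics layer has to run, here is an added toy model of group-based micro-segmentation. It is example code written for this post, not Arkin's, NSX's, ACI's or AWS's implementation, and every group, tag, workload, rule and observed flow in it is constructed for illustration. Membership is dynamic (a workload joins a group when it carries every required tag), groups form a hierarchy (a member of a child group is also a member of its parent), and rules are evaluated first-match-wins with a default deny, which is a common but not universal convention. The checks find a workload that lands in no group (predictability), a lower rule shadowed by a broader higher-level rule (accuracy), and observed flows the declared policy does not permit (consistency between policy point and enforcement point).

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: FrozenSet[str]

@dataclass(frozen=True)
class SecurityGroup:
    name: str
    required_tags: FrozenSet[str]   # dynamic membership: every tag must be present
    parent: Optional[str] = None    # hierarchy: members of a child also belong to the parent

@dataclass(frozen=True)
class Rule:
    name: str
    src_group: str
    dst_group: str
    port: Optional[int]             # None matches any port
    action: str                     # "allow" or "deny"

def ancestors_or_self(group: str, groups: Dict[str, SecurityGroup]) -> List[str]:
    chain, cur = [], group
    while cur is not None and cur in groups:
        chain.append(cur)
        cur = groups[cur].parent
    return chain

def memberships(w: Workload, groups: Dict[str, SecurityGroup]) -> Set[str]:
    direct = [g.name for g in groups.values() if g.required_tags <= w.tags]
    return {a for d in direct for a in ancestors_or_self(d, groups)}

def effective_action(src, dst, port, rules, groups) -> Tuple[str, Optional[str]]:
    """First matching rule wins; no match falls through to the default deny."""
    sg, dg = memberships(src, groups), memberships(dst, groups)
    for r in rules:
        if r.src_group in sg and r.dst_group in dg and r.port in (None, port):
            return r.action, r.name
    return "deny", None

def unassigned(workloads, groups) -> List[str]:
    """Predictability: workloads that resolve to no security group at all."""
    return [w.name for w in workloads if not memberships(w, groups)]

def shadowed_rules(rules, groups) -> List[Tuple[str, str]]:
    """Accuracy: (shadowed, shadowing) pairs. An earlier rule whose src/dst groups are
    ancestors of (or equal to) the later rule's groups and whose port is at least as
    broad matches everything the later rule could match, so the later rule never fires."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.src_group in ancestors_or_self(later.src_group, groups)
                    and earlier.dst_group in ancestors_or_self(later.dst_group, groups)
                    and earlier.port in (None, later.port)):
                found.append((later.name, earlier.name))
                break
    return found

def drift(flows, workloads, rules, groups) -> List[Tuple[Tuple[str, str, int], str]]:
    """Consistency: observed data-plane flows the declared policy does not permit."""
    by_ip = {w.ip: w for w in workloads}
    findings = []
    for src_ip, dst_ip, port in flows:
        src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
        if src is None or dst is None:
            findings.append(((src_ip, dst_ip, port), "unknown endpoint"))
            continue
        action, rule = effective_action(src, dst, port, rules, groups)
        if action != "allow":
            findings.append(((src_ip, dst_ip, port), f"observed but denied by policy ({rule or 'default deny'})"))
    return findings

# Constructed sample inventory, policy and flow records (not real data).
GROUPS = {g.name: g for g in [
    SecurityGroup("prod", frozenset({"env:prod"})),
    SecurityGroup("prod-web", frozenset({"env:prod", "tier:web"}), parent="prod"),
    SecurityGroup("prod-db", frozenset({"env:prod", "tier:db"}), parent="prod"),
    SecurityGroup("pci", frozenset({"zone:pci"})),
]}
WORKLOADS = [
    Workload("web1", "10.0.1.10", frozenset({"env:prod", "tier:web"})),
    Workload("db1", "10.0.2.10", frozenset({"env:prod", "tier:db", "zone:pci"})),
    Workload("batch1", "10.0.3.10", frozenset({"env:prod", "tier:batch"})),
    Workload("stage1", "10.0.9.9", frozenset({"env:staging", "tier:web"})),  # matches no group
]
RULES = [
    Rule("allow-web-to-db-3306", "prod-web", "prod-db", 3306, "allow"),
    Rule("allow-prod-internal", "prod", "prod", None, "allow"),      # broad higher-level rule
    Rule("deny-web-to-db-ssh", "prod-web", "prod-db", 22, "deny"),   # shadowed by the rule above
    Rule("deny-prod-to-pci", "prod", "pci", None, "deny"),           # also never reached for db1
]
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.2.10", 3306),   # web1 -> db1: permitted
    ("10.0.9.9", "10.0.2.10", 443),     # stage1 -> db1: no group, so default deny, yet seen
    ("203.0.113.5", "10.0.1.10", 22),   # address missing from inventory
]

if __name__ == "__main__":
    print("unassigned:", unassigned(WORKLOADS, GROUPS))
    print("shadowed:", shadowed_rules(RULES, GROUPS))
    print("web1->db1:22 ->", effective_action(WORKLOADS[0], WORKLOADS[1], 22, RULES, GROUPS))
    print("batch1->db1:443 ->", effective_action(WORKLOADS[2], WORKLOADS[1], 443, RULES, GROUPS))
    for flow, why in drift(OBSERVED_FLOWS, WORKLOADS, RULES, GROUPS):
        print("drift:", flow, why)
```

Two things worth noting when running it. The `deny-prod-to-pci` rule is not reported as statically shadowed, because `pci` is not under `prod` in the hierarchy, yet `batch1` reaching `db1` on port 443 still resolves to `allow-prod-internal` because `db1` sits in both groups at once. That is exactly the multi-membership case in the Accuracy bullet, and it only shows up when you evaluate concrete workload pairs rather than the rule table alone, which is why a static rule check and a runtime flow check are both needed. Second, the drift check treats any flow the policy would deny as an enforcement-point finding; in a real deployment the next step is to compare the rule set actually programmed on the host with the one in the management plane to tell a stale enforcement point from an inventory gap.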
The Arkin Platform is built to enable the Assured Security Model paradigm, enabling organizations to rapidly embrace software-defined security layers and operate them in a predictable and compliant manner. Let’s look at some examples of how organizations looking to adopt and implement micro-segmentation can benefit from Arkin:
This is just a glimpse of how Arkin can enable an Assured Security paradigm in organizations. For a full understanding of the Arkin platform, you can test drive the platform for free at http://www.arkin.net/try-arkin.
Implementing micro-segmentation is half the equation; it’s the right architecture for the digital and cloud era. Putting the right operational model in place to ensure consistent and assured security is the other half. Security is inherently complex. Making a change to an existing, well-baked model is even more challenging. Organizations need to take a comprehensive approach that combines the right infrastructure with the right operations.
You can learn more about the Arkin Platform by visiting http://www.arkin.net/video.