In my earlier blog I referenced Steve Todd, an EMC Fellow, on the increasing complexity of our workloads. This complexity can be explained along two data axes: North-South data movement adds infrastructure stack complexity, and East-West data movement adds complexity through the geographic dispersion of data. I had explained that such complexity is causing a lack of visibility and control over Service Levels.
Another serious consequence of this complexity is the increased exposure of the workload's attack surface to malicious threats. On one hand, malicious attacks are becoming more disruptive and destructive in nature; on the other hand, we are increasing the surface exposed to such attacks. An EMC and RSA global IT trust curve survey finds that 61% of organizations have suffered unplanned downtime, a security breach, or data loss at least once in the last 12 months. Clearly, different kinds of solutions will be needed to secure such environments.
We will need to look at the next generation of security solutions through two lenses. Firstly, we will need to re-organize our security solutions as services driven by workload requirements. Secondly, we need to promote the transformational paradigm of intelligence-driven security to counter the sophisticated threats of today and the future. Let's dive into more details.
Not all workloads are created equal; hence, their security measures may vary. Security will need to be treated as a Service Level Objective of the workload, with the objectives defined beforehand so that appropriate security can be provisioned. It is the security requirement, or categorization, of the workload that should dictate the security to be provisioned. To this effect, the Open Data Center Alliance (ODCA) has defined a security framework that can be used to categorize workloads into Platinum, Gold, Silver, and Bronze. The advantage of using such predefined and industry-agreed semantics for security service levels is twofold: you now have a standardized way of categorizing workloads, and you can compare industry solutions against an agreed set of requirements. Categorizing security requirements is not new, but adhering to an industry-recognized set of definitions is new, and it promotes the right industry behavior for effective solutions. Here is an excerpt of the Compute Infrastructure as a Service usage model. Be sure to read the entire ODCA paper for details.
Once the definitions are standardized, the second focus area is being able to provision security services to match the dynamic and granular requirements of the workload. Security enablement for individual workloads itself implies a more fine-grained security infrastructure. Take a look at the following illustration as an example.
The first point to make about the picture is that we are taking a VM, or Virtual Machine, as a proxy for a workload. With the ubiquitous nature of virtualization, that is a pretty safe bet and, frankly, makes our process of delivering fine-grained security a lot easier. The second key point here is that while one virtual firewall is provisioned at the perimeter of the virtual data center, a second one is provisioned right next to the workload itself. The virtual data center, with network and compute virtualization, provides us with this flexibility and granularity.
Such transformational solutions are available today with network virtualization. In my own proximity is the VMware NSX solution, which provides automated fine-grained security including workload/segment isolation, distributed firewalling, and the provisioning, enabling, and enforcing of advanced security features. For details, please refer to the blog by Rod Stuhlmuller of VMware, Network Security: the VMware NSX Network platform's hidden gem. VMware NSX offers automation through integration with vCenter and vCAC. IT admins will be able to set up repeatable security configurations as templates, which allow point-and-click provisioning from an approved template. One could also use best-of-breed third-party tools by interfacing through open APIs.
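To make the idea of workload-driven provisioning concrete, here is an added example (my own illustration, not ODCA text or NSX code) of how a security tier attached to each VM can drive both firewall layers from the picture above: the perimeter firewall at the virtual data center edge and the distributed firewall next to each workload. The tier names are the ODCA ones; the controls attached to each tier, the Workload/PolicyError names and the sample inventory are constructed assumptions for this example.

```python
from collections import namedtuple
# Assumed tier semantics, constructed for this example: the tier names are the
# ODCA ones named in the post, but the controls attached to each are NOT ODCA's.
TIER_RANK = {"bronze": 0, "silver": 1, "gold": 2, "platinum": 3}

class PolicyError(ValueError):
    """Declared flows violate the tier's approved template."""
# inbound: tuple of declared flows (source workload name or "internet", proto, port)
Workload = namedtuple("Workload", "name tier ip inbound")

def distributed_fw_rules(wl, inventory):
    """Firewall provisioned next to the VM: explicit allows, then default deny."""
    if TIER_RANK[wl.tier] < TIER_RANK["silver"]:
        return [f"allow any any -> {wl.ip}"]  # bronze: perimeter protection only
    rules = [f"allow {proto} {inventory[src].ip} -> {wl.ip}:{port}"
             for src, proto, port in wl.inbound if src != "internet"]
    deny = f"deny any any -> {wl.ip}"
    if TIER_RANK[wl.tier] >= TIER_RANK["gold"]:
        deny += " log"  # gold and above: dropped traffic is logged for detection
    return rules + [deny]

def perimeter_fw_rules(inventory):
    """Firewall at the virtual data center edge: declared internet-facing ports only."""
    rules = []
    for wl in inventory.values():
        for src, proto, port in wl.inbound:
            if src != "internet":
                continue
            if wl.tier == "platinum":
                raise PolicyError(f"{wl.name}: platinum workloads may not be internet-facing")
            rules.append(f"allow {proto} any -> {wl.ip}:{port}")
    return rules + ["deny any any -> any"]

def build_policy(workloads):
    """Render both firewall layers from the inventory; reject undeclared sources."""
    inventory = {w.name: w for w in workloads}
    unknown = {s for w in workloads for s, _, _ in w.inbound} - set(inventory) - {"internet"}
    if unknown:
        raise PolicyError(f"undeclared source workloads: {sorted(unknown)}")
    return {"perimeter": perimeter_fw_rules(inventory),
            "distributed": {w.name: distributed_fw_rules(w, inventory) for w in workloads}}

# Constructed sample inventory: a three-tier application plus a low-value wiki.
SAMPLE = (
    Workload("web", "silver", "10.0.1.10", (("internet", "tcp", 443),)),
    Workload("app", "gold", "10.0.2.10", (("web", "tcp", 8080),)),
    Workload("db", "platinum", "10.0.3.10", (("app", "tcp", 5432),)),
    Workload("wiki", "bronze", "10.0.4.10", (("internet", "tcp", 80),)),
)
```

Calling build_policy(SAMPLE) yields the edge rule set and one per-VM rule set, and a template that would expose a platinum workload directly, or that references a workload missing from the inventory, is rejected before anything is provisioned.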
I hope you enjoyed this perspective on workload-driven security. In my next blog I will cover another transformational shift occurring with the advent of intelligence-driven security, which attempts to trace the threat before it strikes.