Protecting Private Clouds by Implementing Security in the Virtualized World
Private clouds cannot be fully realized until the security issues they raise are addressed, and security virtualization is the way to address them.
- By Brian Robertson
The adoption of virtualized servers and the movement toward next-generation data centers (NGDCs) are enabling IT organizations to create more dynamic, efficient and flexible environments. At the center of this movement is the private cloud, which has the potential to be a powerful model for delivering IT services across the enterprise.
However, the promise of the private cloud cannot be fully realized until issues related to security are addressed. Many enterprises have already virtualized different areas of their data centers (e.g., servers, storage), but their security infrastructure often remains exactly as it was in the physical world -- i.e., one security appliance per security application. This can impede virtualized environments that are scaling and adapting to IT demands at a much faster pace than previously seen, placing a huge demand on security to move as fluidly.
The way to address this problem is through security virtualization. Many IT organizations have tried to retrofit the traditional approach to security to the virtualized world, but it's important to know why this doesn't work.
Traditional Security Cannot Adapt Easily
Traditional security infrastructure was not designed to be change-ready. In the physical world, the rigidity of security systems is more acceptable because it's easier to control traffic flows and set policies when you can identify which cables and routers went to a specific server.
In the virtualized world, change is easy. But if a VM is moved from one physical device to another, the security infrastructure needs to align accordingly. This is where the traditional approach becomes time consuming and cumbersome, eliminating all the efficiency and operational benefits that virtualization is supposed to provide in the first place. It also opens the door to human error and, therefore, to security risk.
For example, to realign the security infrastructure, IT organizations must schedule a maintenance window. Because many organizations are trying to achieve zero-downtime service levels, maintenance windows are highly scrutinized and can take weeks to obtain, depending on how many projects are occurring in parallel. When and if a maintenance window is scheduled (usually on weekends or off hours), the security team can begin to move the security infrastructure by removing appliances from one server rack and installing them in another, which could require moving power sources, network cabling, patch panels, and even switches. Then everything must be tested to ensure the controls are working as intended; if testing reveals problems, more configuration and testing take place.
Although moving a VM can take minutes and does not require a maintenance window, aligning the traditional security infrastructure takes longer and demands certain periods of downtime. If the VMs are moved without waiting for the security infrastructure, organizations can open themselves to unanticipated threats or risks because the proper security controls aren't in place.
Traditional Security Does Not Effectively Scale
As more devices using bandwidth-intensive, latency-sensitive applications, such as video, are added to the network, the performance of virtual machines must likewise increase to accommodate higher traffic rates. In the server world, two things usually happen. Either more memory is added to existing virtual environments and allocated to the necessary VMs, or more physical servers are added and the VMs, along with their OS and applications, are moved to the new hardware to achieve higher performance.
Security infrastructure also needs to address this traffic growth. As more traffic flows to the applications housed in VMs, the security infrastructure must inspect that traffic and make decisions at higher rates. To improve throughput using the traditional model, existing appliances must be replaced with higher-performing appliances or more appliances must be added. If not, the security infrastructure becomes a bottleneck and inhibits traffic from the user to the applications on the VMs. When appliances are added in this scenario, supporting network components must also be added, including load balancers, cabling and power, all of which increase power and cooling costs and add complexity.
Once again, while changes to the virtual server infrastructure may take only a few hours or days, the project as a whole takes much longer because of all the time-consuming changes needed to transition the traditional security infrastructure.
Moving Toward Virtualized Network Security
Many organizations are looking to virtualize their network security infrastructure in the same way they virtualize application servers and storage infrastructure. Doing so would extend the private cloud to include security and should address the problems associated with traditional security infrastructures. But the move to this model has been slow.
In a recent survey of more than 500 IT professionals, more than 40 percent of respondents said that network security is the biggest obstacle to the successful deployment of their NGDC.
The survey also revealed that 94 percent of respondents cite network security as the top reason why NGDC deployments are stalled, with virtually no progress anticipated in the next 12-18 months.
Changing the "Traditional Security Mindset"
As long as the security infrastructure is not aligned to the virtualized server infrastructure, IT organizations will not be able to advance the state of their data centers and protect the private cloud.
One step in the right direction is to think of security as an extension of the private cloud and to develop a virtualization strategy that enables network security to be as dynamic as the rest of the environment. IT organizations should evaluate whether their security infrastructure offers any of the following capabilities for aligning with other virtualized environments, and then weigh that against their needs:
- The consolidation of security appliances into fewer physical devices
- The ability to quickly scale to meet growing security and business demands
- The flexibility to adapt to changing business requirements and potential threats
- The use of intelligent automation that understands the security environment to ensure optimal performance and reliability
With these capabilities as the underlying foundation, organizations will be less likely to repeat the security mistakes of the past and start reaping the benefits of the private cloud.
Brian Robertson is a product marketing manager for Crossbeam Systems.