From moats to motels

The global debate around data privacy and the surge in sophisticated cyber-attacks has put data center security at the top of the IT agenda. But many CIOs are struggling to come to terms with the complex changes to the type of threats they now face every day.

Traditionally, CIOs could build a castle and dig a moat around the data center, using drawbridges and portcullises to control access. It could be done because applications, compute resources and storage databases were tightly coupled and deployed in silos that were physically separated. However, virtualization and networking of compute and storage is invalidating old security architectures and the consolidation of applications into fewer, larger data centers is drawing the attention of increasingly more sophisticated attackers as a concentrated source of valuable information.

According to a recent data breach investigations report, of 621 confirmed data breaches in the last year:

  • 53% of attacks were external, targeting the data center
  • 73% of companies were hacked through web applications in the past 24 months
  • 61% of security pros say next-generation security addresses only part of the problem*

Impact of virtualization
The proliferation of virtualization is causing organizations to lose visibility and control of the traffic flows between virtual machines (VMs), because traditional tools can’t see them. An added complication in the virtual environment is that it is dynamic: VMs are created as required and may be moved from one server to another as load or application needs dictate.

So the application of security in the virtualized environment not only needs to support the performance demands inherent in operating at the hypervisor level, it also needs to keep up with the very dynamic nature of VM instantiation and VM migration.

Impact of distributed applications
Lego-like applications, built on re-usable services, are increasingly common in today’s data centers. They accelerate development considerably, but they also make it more difficult to enforce access requirements because of the fan-out hierarchy per user session and the high number of TCP connections per client interaction.

The popularity of public and private cloud models further complicates the control of application-to-application interactions, which may even traverse company boundaries.

To ensure only the appropriate access is granted to each application element, organizations need to re-think their security strategy. Defining access privileges based on IP addresses is inappropriate in a virtualized environment, because those addresses are inherently dynamic. Companies must put in place network security solutions that can consistently enforce identity- and role-based policies right across these highly distributed environments.

Greater external threats
Mobile workforces with new collaboration tools are driving greater employee productivity and improved customer service at many organizations. The trouble is that the combination of browser-based ‘cloud’ computing, mobile data platforms and social networking is also bringing a new breed of threat – highly organized botnets that open a callback channel to expose confidential data.

Organizations need to be able to implement a consistent set of security policies across the entire data center, eliminating the potential vulnerabilities created by a patchwork of policies.

CIOs must address key security issues head on to deliver the greatest benefits for their organizations.

Building a motel model
Instead of castles, CIOs need to think in terms of a motel model. Sure, the perimeter needs to be secured, but once inside, administrators need to be able to fortify each room (VM) independently and easily define, control and monitor who has access and who can pass from one room to another.

Deploying the motel model starts with the network architecture itself. The dynamic nature of the virtual environment means that any physical or virtual security appliance must be able to apply policy to a large footprint within the data center.

Traditional three-tier architectures of core, aggregation and access switches result in tree topologies. The tree has many branches, and a security appliance in one branch cannot apply policy to traffic flowing in an adjacent branch, which is exactly where that traffic ends up when a VM is migrated or an application is distributed.

The first step in creating a motel model is therefore to flatten the network architecture to as few layers as possible using virtual chassis or fabric technologies. With this flatter physical architecture it is now possible to deploy a range of security technologies that will have a broad footprint.

Inter-VM security can be deployed using virtual security solutions. The key needs here are performance and the ability to auto-apply policy to VMs as they are created and moved, either through a default policy or by intelligently associating policy with the type of application running.
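The two points above, policy keyed to identity and role rather than IP address and policy that is re-applied when a VM is created or migrated, as an added example (not code from the article or any vendor it describes). The roles, ports, hosts and addresses are constructed; the "unknown" role shows the default-deny fallback, and the IP-keyed ACL is included only to show how it goes stale after a migration.

```python
from dataclasses import dataclass, field
# Role-based policy catalogue (constructed): each rule is
# (allowed source role, destination port) for VMs of that role.
ROLE_POLICY = {
    "web": {("any", 443)},
    "app": {("web", 8080)},
    "db": {("app", 5432)},
}
DEFAULT_POLICY = set()  # unknown role: default policy denies all inbound

@dataclass
class VM:
    name: str
    role: str
    host: str
    ip: str
    rules: set = field(default_factory=set)

class Fabric:
    """Tracks VMs across hosts; policy is re-applied on create and migrate."""
    def __init__(self):
        self.vms = {}

    def create(self, name, role, host, ip):
        vm = VM(name, role, host, ip)
        self.vms[name] = vm
        self._apply_policy(vm)
        return vm

    def migrate(self, name, new_host, new_ip):
        vm = self.vms[name]
        vm.host, vm.ip = new_host, new_ip  # address changes, role does not
        self._apply_policy(vm)             # so the same rules follow the VM
        return vm

    def _apply_policy(self, vm):
        vm.rules = set(ROLE_POLICY.get(vm.role, DEFAULT_POLICY))

    def allowed(self, src, dst, port):
        """Decide from the two VMs' roles, never from their IP addresses."""
        s, d = self.vms[src], self.vms[dst]
        return any(r in ("any", s.role) and p == port for r, p in d.rules)

def snapshot_ip_acl(fabric):
    """Freeze today's decisions into IP tuples, as a static IP ACL would."""
    return {(s.ip, d.ip, p) for s in fabric.vms.values()
            for d in fabric.vms.values() for _, p in d.rules
            if fabric.allowed(s.name, d.name, p)}

def ip_acl_allowed(fabric, acl, src, dst, port):
    return (fabric.vms[src].ip, fabric.vms[dst].ip, port) in acl
```

After `migrate`, the role-based `allowed` still permits app-to-db on 5432 while the snapshotted IP ACL no longer matches the database VM's new address.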

Application security can be deployed at a higher level, especially for web based applications that are a major target of attack.

Distributed Denial of Service (DDoS) attacks are changing in character, from attacks based on high-volume connection requests to much more sophisticated ‘low and slow’ attacks designed to stay under the radar while consuming processor resources. The latest DDoS defenses therefore focus on monitoring processor performance and relating that back to user sessions in order to identify attackers.
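As an added illustration of the detection approach just described (not code from the article), the block below relates per-session CPU accounting and connection state back to individual sessions for one window. The session records and all thresholds are constructed; a volume-only check sees nothing, while the per-session view flags one session with extreme CPU cost per request and one that holds many near-idle connections open.

```python
from statistics import median

# Constructed per-session accounting for one 60 s window:
# (session_id, requests, cpu_ms consumed, open connections, avg connection age s)
SAMPLES = [
    ("s01", 120, 360, 2, 1.0),   # busy but cheap: ordinary browsing
    ("s02", 95, 285, 1, 0.8),
    ("s03", 6, 5400, 1, 55.0),   # few requests, huge CPU per request
    ("s04", 3, 9, 40, 58.0),     # near idle, but holds 40 connections open
    ("s05", 80, 240, 2, 1.2),
]

RATE_ALERT = 1000        # req/min at which a volumetric detector would alert
CPU_RATIO_ALERT = 10.0   # cpu_ms per request, as a multiple of the median session
CONN_ALERT = 25          # open connections per session ...
IDLE_AGE_ALERT = 30.0    # ... held open this long on average (seconds)

def volumetric_flags(samples, rate_alert=RATE_ALERT):
    """Classic high-volume check: request count alone."""
    return {s for s, req, *_ in samples if req >= rate_alert}

def low_and_slow_flags(samples):
    """Relate CPU time and connection state back to the session that caused it."""
    per_req = {s: cpu / max(req, 1) for s, req, cpu, *_ in samples}
    baseline = median(per_req.values())
    flagged = {}
    for s, _req, _cpu, conns, age in samples:
        if per_req[s] >= CPU_RATIO_ALERT * baseline:
            flagged[s] = "cpu per request %.0fx median" % (per_req[s] / baseline)
        elif conns >= CONN_ALERT and age >= IDLE_AGE_ALERT:
            flagged[s] = "%d long-lived near-idle connections" % conns
    return flagged
```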

And finally, CIOs can deploy deception security solutions designed to identify hacker activity and use role play that deceives the attacker into believing they are succeeding, while actually fingerprinting them for potential federation across multiple data centers through an attacker database.


*Sources: Verizon DBIR Report 2012 and Ponemon Institute Report on Efficacy of Emerging Network Security 2013
