The Balancing Act: Matching Innovation and Security in the Data Centre
Trevor Dearing, Juniper Networks
That time just after Christmas, once the dust has settled and you start to take stock of the year ahead, can be one of quiet confidence or utter panic. Have I overspent? Do I have enough money to pay for holidays and all the other things that are rapidly approaching? How do I reduce my household spending and how do I stay in control?
This feeling must be similar to that of the security team in any organisation that has just been told that the CEO received a tablet PC for Christmas and wants to use it for business in the same way as his friend does, bringing up the issue of creating a “bring your own device” (BYOD) policy and access. The same goes for when you see the ambitious targets for virtualised workloads and your colleagues look for reassurance that there will be no security issues.
The reality is that if you do not start thinking about security for the virtual world in a different way, things could go horribly wrong. The traditional castle model, where all the things you want to protect are on the inside and all the things you want to protect against are on the outside, does not work when everything becomes virtual. The model we need is more like a hotel: when we check in, we hand over our details and are given a key that provides access to certain areas. Those areas could be dictated by where you are from, who you are and what you want to do.
So, with smartphones and tablets affecting one end of the path and VM live migration affecting the other, we do need to think differently. As this is a data centre blog, let’s focus on the latter. I have spoken before about the challenges that high-density virtualization poses for network capacity, but there is equally a security issue. To maintain control we need to install some sort of security onto or into the hypervisor. This will allow us to define what types of applications are run and who can get access, to control VM-to-VM communication, and to integrate with the rest of the security infrastructure. However, this does not help if the VM security software limits the number of VMs or slows down the performance of the system.
There are a few options here. The first is to install a security system that acts like a VM and sits on top of the hypervisor. This may appear simple, but in reality, as the traffic increases, it will suck more and more resource from the CPU, so the performance tax becomes prohibitive. The second idea is to use the built-in security that comes with the hypervisor. This is like using the security system that comes with your PC operating system and not installing a security product from one of the top manufacturers: you just would not do it unless you wanted to just tick the security box.
The third and best option is to use a product embedded in the hypervisor that is hugely scalable and does not impair the performance of the system. This ultimately leads us to Juniper Networks vGW, which is pretty much the only sensible option.
Virtualization of servers is having a major impact on many areas of the infrastructure. Challenges with storage performance are forcing the industry to develop optimised products for the virtual world. Networks have to become fabric-based to deliver the required throughput and latency. So security equally has to change. The question for business is whether the return on investment from virtualizing servers is worth the investment in the rest of the infrastructure. Personally, I think that the long-term benefits of agility and a better economic model justify the investment, but what do you think?