Something stuck with me in a recent discussion with a customer about our data center and cloud solutions. Whilst focusing on future expectations, someone jokingly said that he could see the occasional cloud on the horizon but it didn't seem as completely overcast as everyone was forecasting. This got a laugh but also caught my attention because this was not the first time I had heard uncertainty about what the cloud will eventually become and on what timetable. I don't have a crystal ball, but there are some challenges that we can identify now. The trick, however, is to make sure our solutions to these challenges are flexible enough to help organizations prepare for and/or migrate to the cloud. One of the areas that I’d like to focus on is the problem of securing the cloud. How do we secure an elastic, shared resource where all interaction modes are allowed: client device to client device, client device to computing utility, computing utility to computing utility?
One fundamental shift needs to be made when thinking about security challenges in the cloud, from fixed/owned to variable/shared. From a security perspective this can be easily visualized as castles and hotels. A castle is purpose built for the monarch, surrounded by guards and a moat and is designed to keep people out. The castle is very secure but hard to maintain and the upkeep is expensive. A hotel, on the other hand, is designed to allow people to come in and share the facility. The hotel provides secure access to guests’ rooms and various shared resources via a room key, and in addition safes in each room can secure individual guests’ valuables. In other words various levels of service and resources can be securely accessed based on identity with additional levels of security made available as required.
Virtualization, the fundamental concept behind the cloud, should be embraced when building the security for our hotel. A physical server running a single application is massively under-utilized, while a server running multiple applications achieves higher utilization of its resources for greater efficiency and elasticity. So can we apply the same concept to security appliances? The challenge today is that we are limited to deploying individual security appliances, which can leave some appliances overloaded while others sit under-utilized, and which often forces traffic onto suboptimal paths through the data center. Sound familiar? Here we can apply the lessons of the cloud server infrastructure to the security infrastructure itself. How would you like the ability to take these disparate appliances and consolidate them into virtualized pools of advanced security services that you can apply to any flow in the data center?
So how does this come together in deployable solutions? Let’s look deeper.
The Juniper Unified Access Control (UAC) solution provides granular and differentiated identity-based access control to the network and applications, based on a number of factors including the role of the user in the organization, the health of the endpoint being used and the behavior of the user on the network. UAC enforces security policy via network access control with the infrastructure you already have in place, including other vendors' 802.1X-based switches and access points, as well as any Juniper Networks firewall platform.
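The paragraph above describes a policy decision that combines three inputs, identity (role), endpoint health and observed behavior, and enforces the result through the existing 802.1X switch. The following is an added illustration written for this page, not Juniper UAC code: it models such a decision as a small policy server that returns the dynamic-VLAN attributes a switch expects in an 802.1X Access-Accept (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, as defined in RFC 3580). The role names, VLAN numbers, posture checks and thresholds are assumptions chosen for the example.

```python
"""Illustrative identity-plus-posture access decision for an 802.1X NAC
policy server. Hypothetical example, not Juniper UAC code: roles, VLAN
numbers, posture checks and thresholds are assumptions."""
from dataclasses import dataclass

@dataclass
class Endpoint:
    """Health facts reported by a host-checker agent (constructed fields)."""
    av_running: bool
    patch_age_days: int
    disk_encrypted: bool

@dataclass
class Session:
    user: str
    role: str                  # from the identity store, e.g. an LDAP group
    endpoint: Endpoint
    failed_logins_1h: int = 0  # behavior observed on the network

# VLANs handed back to the switch. Role VLANs are only reachable from a
# healthy endpoint; everything else lands in quarantine or guest.
VLANS = {"quarantine": 99, "guest": 200, "staff": 10, "admin": 20}

# RADIUS attribute values from RFC 3580: Tunnel-Type 13 = VLAN,
# Tunnel-Medium-Type 6 = IEEE 802.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

def posture_ok(ep: Endpoint, max_patch_age: int = 30) -> bool:
    """Endpoint health check; the 30-day patch window is an assumed policy."""
    return ep.av_running and ep.patch_age_days <= max_patch_age and ep.disk_encrypted

def decide(s: Session) -> dict:
    """Return the RADIUS reply attributes for one authentication attempt.

    Evaluation order matters: behavior is checked first, then endpoint
    health, then role, so an administrator on a sick laptop is quarantined
    rather than granted the admin VLAN."""
    if s.failed_logins_1h >= 5:
        return {"action": "Access-Reject", "reason": "brute-force behavior"}
    if not posture_ok(s.endpoint):
        vlan, reason = VLANS["quarantine"], "endpoint failed health check"
    elif s.role in ("admin", "staff"):
        vlan, reason = VLANS[s.role], f"role {s.role}"
    else:
        vlan, reason = VLANS["guest"], "unknown role, guest access"
    return {
        "action": "Access-Accept",
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": str(vlan),
        "reason": reason,
    }

if __name__ == "__main__":
    # Constructed sample sessions.
    healthy = Endpoint(av_running=True, patch_age_days=5, disk_encrypted=True)
    sick = Endpoint(av_running=False, patch_age_days=90, disk_encrypted=True)
    for sess in (Session("alice", "admin", healthy),
                 Session("alice", "admin", sick),
                 Session("bob", "contractor", healthy),
                 Session("eve", "staff", healthy, failed_logins_1h=7)):
        print(sess.user, decide(sess))
```

The point of the ordering is that identity alone never unlocks a privileged VLAN; the quarantine VLAN is the remediation path, and the reject on repeated failures is the behavioral input the paragraph mentions. A real deployment would also re-evaluate posture periodically rather than only at authentication time.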
For securing the flows between the clients and the data centers themselves we have two new solutions with the capabilities to make this more secure.
The first is Junos® Pulse, a universal network access client that resides on a fixed device, a mobile device, or a virtual device: a single secure client that initially provides SSL VPN termination, WAN acceleration termination and identity. For the second we have teamed up with VMware and Citrix to provide a secure virtual desktop environment with single sign-on. All of the security that you have in a secure stateful environment will be available in a secure virtual desktop environment.
What about securing virtualized server infrastructure on hypervisors? We announced a new solution with Altor Networks to help secure a virtualized server environment. Regardless of which hypervisor you use, this capability will allow you to set up a firewall to filter traffic between zones when that traffic is not exposed to the physical network.
Solving the most difficult problem, delivering a virtualized pool of resources capable of multiple inline security services, is our SRX Series Dynamic Services Gateways for the data center. The Juniper Networks SRX Series is designed to scale in two directions: in sessions and bandwidth, but also in service density, the number of different services that I can apply in a chained fashion to a flow in the data center. Today we are the leader in both throughput and density and we are working to extend those capabilities. SRX devices are paired in a cluster to provide the reliability and availability demanded in a cloud-ready data center. Multiple clusters can be installed in a single data center or in a remote data center, and they can act in a coordinated fashion as a single virtualized pool of security services. Why? So there is a single point for establishing policy. From a single point you can orchestrate policy for every SRX within the network and have a single point for reporting and compliance. Imagine the power of identifying flows for application volume tracking, application- and user-based policies, application routing, application bandwidth management and application denial-of-service protection.
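To make the notion of chaining several inline services onto a flow concrete, here is an added toy model written for this page; it is not SRX or Junos code, and its zones, policy rules, service names and addresses are all assumptions. It shows the two mechanics the paragraph relies on: a stateful session table, so that only the first packet of a flow is matched against the zone-based policy and return traffic is admitted via the session rather than a (non-existent) reverse permit rule, and an ordered chain of services attached to the matching policy, where the first service to drop ends processing and tears the session down.

```python
"""Toy model of a stateful, zone-based firewall that applies an ordered
service chain to each flow. Added illustration only, not SRX or Junos
code; zones, policies, service names and addresses are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    zone_in: str
    zone_out: str
    app: str             # result of application identification
    role: Optional[str]  # user role from the identity system, None if unknown
    payload: bytes = b""

def flow_key(p: Packet):
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def reverse_key(k):
    proto, src, sport, dst, dport = k
    return (proto, dst, dport, src, sport)

# Inline services: each receives the packet and the per-flow session state
# and returns "pass" or "drop". The chain stops at the first "drop".
IDP_SIGNATURES = [b"../../", b"' OR 1=1"]   # constructed sample signatures

def svc_idp(p: Packet, sess: dict) -> str:
    """Signature-based intrusion detection on the payload."""
    return "drop" if any(sig in p.payload for sig in IDP_SIGNATURES) else "pass"

def svc_app_limit(p: Packet, sess: dict, limit: int = 5) -> str:
    """Crude per-flow volume cap, standing in for bandwidth management."""
    return "pass" if sess["pkts"] <= limit else "drop"

@dataclass
class Policy:
    from_zone: Optional[str]   # None acts as a wildcard
    to_zone: Optional[str]
    app: Optional[str]
    role: Optional[str]
    action: str                # "permit" or "deny"
    chain: list = field(default_factory=list)

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == have for want, have in (
            (self.from_zone, p.zone_in), (self.to_zone, p.zone_out),
            (self.app, p.app), (self.role, p.role)))

# Ordered policy table: first match wins, final rule is default deny.
POLICIES = [
    Policy("untrust", "dmz", "http", None, "permit", [svc_idp, svc_app_limit]),
    Policy("trust", "dmz", None, "admin", "permit", [svc_idp]),
    Policy(None, None, None, None, "deny"),
]

def match_policy(p: Packet) -> Policy:
    return next(pol for pol in POLICIES if pol.matches(p))

class Firewall:
    def __init__(self):
        self.sessions: dict = {}   # flow key -> per-session state

    def process(self, p: Packet) -> str:
        key = flow_key(p)
        sess = self.sessions.get(key) or self.sessions.get(reverse_key(key))
        if sess is None:
            # First packet of a flow: consult policy and create the session.
            pol = match_policy(p)
            if pol.action != "permit":
                return "drop"
            sess = {"policy": pol, "pkts": 0}
            self.sessions[key] = sess
        # Later packets in either direction hit the session and skip the
        # policy lookup, which is why return traffic passes even though the
        # reverse zone pair (dmz -> untrust) matches no permit rule.
        sess["pkts"] += 1
        for svc in sess["policy"].chain:
            if svc(p, sess) == "drop":
                self._close(key)
                return "drop"
        return "pass"

    def _close(self, key):
        self.sessions.pop(key, None)
        self.sessions.pop(reverse_key(key), None)
```

Chaining is cheap here because the policy lookup, the expensive step, happens once per session; each additional service only costs its own per-packet work. Which services run, and in what order, is a property of the matching policy, so a central policy point such as the paragraph describes is exactly where that ordering would be decided.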
These are our solutions for allowing identity-based secure access to virtualized, premium security services in the cloud. I think we are on the cusp of big changes and, with some insight into the coming storm, we can prepare and maybe make sure that all the clouds have silver linings.