Changing Data Center Security Models
The old security model does not map onto new data center architectures: virtual resources cannot be compartmentalized the way physical systems were, and security controls cannot be applied machine by machine as before. Instead of a disjointed, siloed approach, a federated security model is required, with security policies and controls tied to each resource, physical or virtual, and based on the context and identity of that resource rather than on the physical machine it happens to reside on. The traditional strategy of bolting on security controls, often in response to a threat or incident, cannot work in the highly interconnected data center environment that is becoming the norm today. Security needs to be built into the very fabric of the data center design, whether from the ground up for a new data center or during a major upgrade or refresh.
Build Security into the Design Stage
In next-generation data centers, security needs to be built in at the design stage so that controls can be applied consistently across all systems in a hybrid environment that spans physical and virtual systems as well as cloud-based computing. Organizations building out data centers are not doing this as effectively as they could: in many cases security mechanisms are still bolted on after the fact rather than built in at the design stage.
Bolting security on afterwards not only erodes the cost and efficiency savings of virtualization, because each cumbersome, siloed control needs its own standalone management and maintenance, but can actually increase risk. In a purely physical environment a single server typically houses one application. A virtualized host runs multiple applications or application components, so the compromise of a single host (or of the hypervisor beneath it) can affect numerous applications and a large number of users.
Application-aware Controls
Because applications are in many cases no longer tied to a physical system but can be moved dynamically from one virtual machine to another, security controls need to follow the application itself. Controls must provide visibility into the application infrastructure so that application usage and other application-level information can be seen, and so that organizations can define precisely which actions are allowed within a given application instance. An application-aware firewall, for example, needs to identify all network traffic by application and provide granular control over application usage and behavior. According to managed IT services provider Computrad, application-aware firewalls must display the following capabilities:
- Identify applications regardless of port, protocol, evasive tactic or SSL.
- Identify users regardless of IP address.
- Provide granular visibility and policy control over application access and functionality.
- Protect in real time against threats embedded across applications.
- Deploy in-line at multi-gigabit rates with no performance degradation.
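The first capability, identifying the application regardless of port or SSL, is the one that separates an application-aware firewall from a port filter. The following added example (written for this page, not code from the original article or from Computrad) shows the mechanism in miniature: a classifier that looks at the first client payload bytes of a flow, recognizes SSH banners and HTTP request lines on any port, parses the Server Name Indication out of a TLS ClientHello so that encrypted traffic can still be attributed to an application, and then applies a per-application policy. The port allowlist, the application policy, the sanctioned domain corp.example and the sample flows are all constructed for the example.

```python
import struct

# Added example: port-independent application identification with a per-application policy.
# All policies, domain names and flows below are hypothetical.

def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension (test input only)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host            # name_type host_name(0), length, name
    sni_ext = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry   # ext type, ext len, list len
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"                          # client_version, random, empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"                       # one cipher suite
            + b"\x01\x00"                                              # one compression method (null)
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record header: handshake

def tls_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello, or None if the bytes are not a ClientHello."""
    if len(payload) < 5 or payload[0] != 0x16:
        return None
    hs = payload[5:5 + struct.unpack("!H", payload[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                                  # handshake header, client_version, random
    if len(hs) < p + 1:
        return None
    p += 1 + hs[p]                                  # session_id
    if len(hs) < p + 2:
        return None
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
    if len(hs) < p + 1:
        return None
    p += 1 + hs[p]                                  # compression_methods
    if len(hs) < p + 2:
        return None
    end = min(len(hs), p + 2 + struct.unpack("!H", hs[p:p + 2])[0])
    p += 2
    while p + 4 <= end:                             # walk the extension list
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0x0000 and len(data) >= 5 and data[2] == 0:   # server_name; first entry is host_name
            nlen = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + nlen].decode("ascii", "replace")
    return None

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")

def identify_application(payload: bytes) -> str:
    """Classify a flow from its first payload bytes; the destination port is deliberately ignored."""
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    sni = tls_sni(payload)
    if sni is not None:
        return "tls:" + sni
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload[:256]:
        return "http"
    return "unknown"

# Hypothetical policies. Port-based: allow by destination port. Application-aware: allow by application.
PORT_ALLOWLIST = {22, 443}
APP_POLICY = {"ssh": "allow", "http": "deny", "unknown": "deny"}
SANCTIONED_TLS_DOMAIN = "corp.example"          # assumed internal domain; TLS is allowed only to it

def port_based_decision(dst_port: int) -> str:
    return "allow" if dst_port in PORT_ALLOWLIST else "deny"

def app_aware_decision(payload: bytes):
    app = identify_application(payload)
    if app.startswith("tls:"):
        host = app[4:]
        ok = host == SANCTIONED_TLS_DOMAIN or host.endswith("." + SANCTIONED_TLS_DOMAIN)
        return app, "allow" if ok else "deny"
    return app, APP_POLICY[app]

# Constructed sample flows: (destination port, first client payload bytes). Not real captures.
SAMPLE_FLOWS = [
    (22,   b"SSH-2.0-OpenSSH_9.6\r\n"),
    (22,   b"GET /admin HTTP/1.1\r\nHost: intranet\r\n\r\n"),   # HTTP pushed through the SSH port
    (8022, b"SSH-2.0-OpenSSH_9.6\r\n"),                         # SSH on a non-standard port
    (443,  build_client_hello("portal.corp.example")),
    (443,  build_client_hello("files.example.net")),            # TLS to an unsanctioned host
    (443,  b"\x00\x01\x02\x03not-a-handshake"),
]

def evaluate(flows):
    """Return (port, application, port-based verdict, application-aware verdict) for each flow."""
    out = []
    for port, payload in flows:
        app, verdict = app_aware_decision(payload)
        out.append((port, app, port_based_decision(port), verdict))
    return out

if __name__ == "__main__":
    for row in evaluate(SAMPLE_FLOWS):
        print("port=%-5d app=%-26s port-based=%-5s app-aware=%s" % row)
```

Two rows show why the port is a poor proxy for the application: HTTP sent to port 22 is allowed by the port filter and denied by the application policy, while SSH on port 8022 is denied by the port filter and allowed by the application policy. The TLS rows show that encryption does not hide which service is being contacted, because the ClientHello still carries the server name in clear; a real product uses far richer signatures, and Encrypted Client Hello removes this particular signal, which is the caveat to keep in mind when evaluating the "regardless of SSL" claim.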
Identity-Based Access Enforcement
Access to resources can no longer be tied to an IP address; it must be based on the role of the user. A user is likely to access the same resources from more than one device, a smartphone as well as a computer, and mobile users change IP addresses as they move from one location to another. Because the supply of IPv4 addresses is exhausted, network address translation and proxies mean that a single address often represents many users rather than one.
Controlling access by user rather than by IP address also matters because applications in today's data centers are distributed and may reside on multiple servers, which makes controlling access by user location impractical. Instead, controls are needed that enforce identity-based and role-based security policies, tying user identity to application access information and applying security accordingly. According to Juniper Networks, organizations should look for technologies that can exchange identity and privilege information and share a common notion of user identity, such as the Security Assertion Markup Language (SAML), the eXtensible Access Control Markup Language (XACML) and the Interface for Metadata Access Points (IF-MAP).
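The two paragraphs above describe the decision an identity-based control has to make: given who the user is and what application action is requested, permit or deny, without caring which address the request arrived from. The following added example (written for this page; it is not code from the original article or from Juniper) is a small policy decision function in the style of XACML: each rule has a target (roles, applications, actions) and an effect, and the rules are combined with deny-overrides, with "no rule applies" treated as deny. It is run beside a plain IP allowlist over the same requests to show where the two disagree. The users, roles, applications, the office NAT address 203.0.113.10 and the rules are all hypothetical; in a deployment the role attributes would arrive from the identity provider, for instance in a SAML assertion.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Added example: XACML-style role-based policy evaluation. Every identifier below is hypothetical.

@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    app: str
    action: str
    src_ip: str        # kept for the audit record only; no rule below keys on it
    device: str

@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                                 # "Permit" or "Deny"
    roles: Optional[FrozenSet[str]] = None      # None matches any value, like an empty XACML target
    apps: Optional[FrozenSet[str]] = None
    actions: Optional[FrozenSet[str]] = None

    def matches(self, req: Request) -> bool:
        return ((self.roles is None or bool(self.roles & req.roles))
                and (self.apps is None or req.app in self.apps)
                and (self.actions is None or req.action in self.actions))

POLICY: List[Rule] = [
    Rule("contractors-cannot-export", "Deny", roles=frozenset({"contractor"}), actions=frozenset({"export"})),
    Rule("finance-ledger", "Permit", roles=frozenset({"finance"}), apps=frozenset({"ledger"}),
         actions=frozenset({"read", "write", "export"})),
    Rule("employees-read-intranet", "Permit", roles=frozenset({"employee"}), apps=frozenset({"intranet"}),
         actions=frozenset({"read"})),
]

def decide(policy: List[Rule], req: Request) -> Tuple[str, List[str]]:
    """Deny-overrides combining: any matching Deny wins, else a matching Permit, else default deny."""
    matched = [r for r in policy if r.matches(req)]
    if any(r.effect == "Deny" for r in matched):
        decision = "Deny"
    elif any(r.effect == "Permit" for r in matched):
        decision = "Permit"
    else:
        decision = "Deny"          # NotApplicable is treated as deny: no rule, no access
    return decision, [r.name for r in matched]

NAT_IP = "203.0.113.10"            # hypothetical office NAT address shared by every user on site
IP_ALLOWLIST = {NAT_IP}

def ip_based_decision(req: Request) -> str:
    """The legacy control: trust the source address, whoever is behind it."""
    return "Permit" if req.src_ip in IP_ALLOWLIST else "Deny"

# Constructed sample requests, not real traffic.
SAMPLE_REQUESTS = [
    Request("alice", frozenset({"employee", "finance"}), "ledger", "write", NAT_IP, "laptop"),
    Request("alice", frozenset({"employee", "finance"}), "ledger", "write", "198.51.100.7", "phone"),
    Request("bob", frozenset({"employee", "contractor"}), "ledger", "write", NAT_IP, "laptop"),
    Request("bob", frozenset({"employee", "contractor"}), "intranet", "read", NAT_IP, "laptop"),
    Request("carol", frozenset({"employee", "finance", "contractor"}), "ledger", "export", NAT_IP, "laptop"),
]

def evaluate(requests, policy=POLICY):
    """Return (user, device, app, action, IP-based verdict, identity-based verdict) per request."""
    return [(r.user, r.device, r.app, r.action, ip_based_decision(r), decide(policy, r)[0])
            for r in requests]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS):
        print("%-6s %-7s %-9s %-7s ip-based=%-7s identity-based=%s" % row)
```

Alice gets the same decision from her laptop behind the NAT address and from her phone on a different network, because the rule keys on her finance role, not on where she is. Bob, sitting behind the same NAT address as Alice, is let into the ledger by the IP allowlist but not by the role policy. Carol's export request matches both a Permit and a Deny rule, and deny-overrides resolves that in favour of Deny.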