Virtualization Technology News and Information
Securing the Modern Data Center - Addressing New Challenges with a New Mindset

Article Written by Nitzan Niv, System Architect, Alcide

Niv and thousands of other attendees will be discussing a variety of open source and cloud native topics while attending KubeCon + CloudNativeCon EU, May 2-4, 2018 in Copenhagen, Denmark.

The modern data center continues to grow in scale and complexity. It contains a growing, changing and evolving collection of applications that address the burgeoning demand for better, faster and more efficient data processing. Three major trends are shaping today's data center:

  • The rise of public and private cloud usage: Data centers increasingly use cloud-based infrastructure, which enables organizations to quickly scale and centrally manage computational infrastructure according to changing demand.
  • Containerization of workloads: More and more applications are running in containers and other virtualization environments, facilitating better resource utilization and easier deployments.
  • Microservices architecture: Increasingly, developers create and deploy software using a microservices architecture that enables easy addition, upgrade or removal of application components.

Security threats to the data center are evolving as well. Attacks from highly motivated and skilled attackers are a constant risk, and recent trends in data center operations make them even harder to prevent. Enterprise data center security teams face new challenges, including:

  • How to gain visibility over applications and microservices running in a constantly changing data center?
  • How to create, maintain and enforce a security policy that enables business functionality while preventing prohibited activity?
  • How to identify and eliminate malicious activity when critical software and data are widely distributed in the data center?

Reality Check

In many organizations, the data center consists of thousands of distributed application components that interact over multiple network communication paths. To secure this complex and dynamic environment, a traditional security policy focuses on the perimeter, limiting incoming (and sometimes outgoing) Internet traffic via a traditional firewall or a Web Application Firewall.

Yet this security model struggles to create and maintain valid and consistent policies for a large, dynamic data center. And given the limited performance and scalability of enforcement, outbound traffic often goes unmonitored. Moreover, once an attacker gets past the perimeter and gains a foothold in the network, perimeter-based security can't address lateral movement that can destroy or extract valuable data, or hamper crucial data processing.

Low Visibility and Understanding

As more critical data is stored and processed in the cloud by a growing ecosystem of interacting applications, it is harder to see, understand and control what happens in the data center. For example, a traditional network security policy is based on parameters like endpoint IP addresses. However, in a virtual environment, these addresses are also virtual and are reassigned as the data center evolves.

While the development team designs and analyzes the data center through the view of a microservices architecture, and the operations team manages it as a collection of cloud services, containers and virtual resources, the security people may easily be left behind, without the means to map security requirements and policies to virtual environments and application deployments. They struggle to distinguish between good and bad traffic when that traffic is associated with transient network addresses, or to understand communication patterns between containerized endpoints when they cannot identify the application roles (for example, "a database" or "a web server") of the containers.

The end result is a dangerous combination of insufficient visibility and lack of security clarity that leads to severe security gaps in most data centers.

A New Security Mindset

The success of unified DevOps teams, which broke down the barriers between Development and Operations teams using shared concepts, methodology and tools, has paved the way for adding security into the mix. Known variously as DevOpsSec, SecDevOps or DevSecOps, this hybrid concept integrates the best of all worlds and should be based on the following principles:

  • Full visibility: Data centers are more dynamic and complex than ever. Security needs a simple way to see all data, focus on what is most important, and understand what is at risk. For example, communication paths within the data center are just as important as communication paths outside the data center, so Security needs full visibility of both.
  • Policy creation and management: Organizations have clear policies that secure data movement beyond the perimeter. It is equally important to create and manage policies that ensure legitimate traffic can flow, while malicious traffic is blocked, within the data center.
  • Full enforcement capabilities: Policies are only as effective as they are enforceable. The scale of the data center demands solutions that can properly handle enforcement within it.
  • Identification and analysis of malicious traffic: When the perimeter is inevitably breached, there must be a mechanism to identify active threats inside the network and mitigate potential damage.

The Bottom Line

As the data center is growing and evolving, advanced security solutions need to keep up and be able to collect and process data from the thousands of moving parts in the data center, observing and controlling all internal traffic, as well as all incoming and outgoing traffic.

An effective data center security solution must also show how traffic interacts, in a way that both Security and DevOps can understand. To accomplish this, it must identify associations between low-level and high-level elements (i.e., network addresses, microservices, applications), and translate requirements and observations on demand between abstract and specific views.
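As an added illustration (not the article's or Alcide's code) of the point made here and in "Low Visibility and Understanding", the Python below maps observed flows between transient container addresses to application roles and evaluates them against a policy written only in roles; the inventory, role names, addresses and flows are all constructed sample values, and the "orchestrator reschedule" is simulated.

```python
# Added example (not from the article): a small role-based east-west policy
# evaluator. Observed flows carry transient container IPs; an inventory maps
# each current IP to its application role; the policy is written in roles.
# Constructed inventory: container IP -> role (IPs are ephemeral, roles are not)
INVENTORY = {
    "10.1.0.4": "web-frontend",
    "10.1.0.9": "orders-api",
    "10.1.1.2": "orders-db",
    "10.1.1.7": "batch-worker",
}

# Allowed (source_role, destination_role, destination_port); no addresses here
POLICY = {
    ("web-frontend", "orders-api", 8080),
    ("orders-api", "orders-db", 5432),
}

def role_of(ip, inventory):
    return inventory.get(ip, "unknown")

def evaluate_flow(src_ip, dst_ip, dst_port, inventory=INVENTORY, policy=POLICY):
    """Translate an observed low-level flow into roles and decide allow/deny.
    Endpoints missing from the inventory are denied (fail closed) and flagged."""
    src, dst = role_of(src_ip, inventory), role_of(dst_ip, inventory)
    if "unknown" in (src, dst):
        return "deny", f"unmapped endpoint in {src_ip}->{dst_ip}"
    if (src, dst, dst_port) in policy:
        return "allow", f"{src}->{dst}:{dst_port}"
    return "deny", f"{src}->{dst}:{dst_port} not in policy"

def reschedule(inventory, role, new_ip):
    """Simulate the orchestrator moving a container to a new address."""
    moved = {ip: r for ip, r in inventory.items() if r != role}
    moved[new_ip] = role
    return moved

# Constructed observed flows: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("10.1.0.4", "10.1.0.9", 8080),  # frontend -> API: expected
    ("10.1.1.7", "10.1.1.2", 5432),  # batch worker -> DB: lateral, denied
    ("10.1.0.4", "10.1.1.2", 5432),  # frontend straight to DB: denied
    ("10.1.0.4", "10.9.9.9", 22),    # destination not in inventory: flagged
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(*evaluate_flow(*flow), flow)
    # After a reschedule the role rule still holds; a rule pinned to 10.1.0.9 is stale
    after = reschedule(INVENTORY, "orders-api", "10.1.0.33")
    print(evaluate_flow("10.1.0.4", "10.1.0.33", 8080, after))
```

The same role-keyed policy would be expressed in a real orchestrator with label selectors rather than a Python dictionary; the point is that the rule survives address churn while an IP-pinned one does not.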

Finally, a good solution should provide context and insights that enable Security and DevOps to focus attention on what is most relevant to each. When all stakeholders are in sync, they can together deliver holistic data center security fully in-line with today's challenging environment.


About the Author


Nitzan Niv is a 20-year veteran of the software industry. He is currently the system architect at Alcide, as well as leading its security research. Previously he worked for 8 years at Imperva, creating the internal web-application security research platform and contributing to various Web Application Firewall research projects and publications. He holds an M.Sc. in Computer Science, an M.E. in Systems Engineering and a B.Sc. in Computer Engineering from The Technion - Israel Institute of Technology.

Published Monday, April 16, 2018 11:38 AM by David Marshall