
Building Security Into the Virtualized Data Center (Versus Bolting It on Later!)

Securing The Virtualized Data Center - Top Five Considerations

We are currently deep in the throes of a global data center refresh cycle, driven by both technology and business needs. Virtualization and cloud computing are changing how data centers are architected. The new threat landscape has framed the challenge of securing data and applications in a new light, and secure mobility and the extended enterprise have multiplied the paths into the data center. As organizations plan data center consolidation or new data center designs, it is the right time to think about security and to build it into the network architecture instead of attempting to bolt it on later.

This principle of “building security into the network” is not new. Security architects have long espoused its benefits, because adding security after the fact increases both cost and complexity. Imagine if automobile companies manufactured cars without seat belts or airbags: the cost of adding them later would be prohibitive, the retrofitted parts would work less well than designed-in ones, and the product as a whole would suffer. Similarly, the performance of a data center is likely to suffer if security is bolted on later.

Data Center Security Strategy

In principle, building security into the virtualized data center seems simple enough. But where and how do you start? Here are the top 5 things you should consider.

Create a Security Policy

As the King said in Alice in Wonderland, "Begin at the beginning, and go on till you come to the end: then stop.” The very first thing you should do is define your security policy. A security policy may feel like a necessary evil, but it is the blueprint that defines the overall security objectives, rules and regulations for an organization. Without it, you either spend your time fighting security fires as they flare up or wander around unsure which rules are enforceable and which are not.

A security policy may include a disaster recovery plan, governmental and industry regulations to comply with, safe application enablement policies and more. The security policies should tightly align with the business objectives for the organization, must have the buy-in of key stakeholders, must be documented and communicated, and must be enforced.

There are specific characteristics of the virtualized data center that the security policy needs to consider, such as services being delivered in a more dynamic, on-demand way. Your policy should therefore address whether workloads of different trust levels may share the same physical server, and whether live migration of VMs should be restricted to servers hosting workloads of the same trust level. The reason this matters is that co-resident VMs share a hypervisor, and traffic between two VMs on the same host never crosses a physical firewall unless something inside the host steers it to inspection.

Security is complex enough; allow yourself room to address requirements in phases. For example, in the initial phase of your virtualized data center, allow only workloads with the same trust level on a server. Over time, you can allow workloads with different trust levels on the same server, and plan for a policy change to accommodate inspection of intra-host VM traffic within the server.
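The phased placement rule above is easy to state and easy to break silently when an orchestrator live-migrates a VM. The following is an added example, not code from the article or from any product it mentions, of expressing that rule as a check that a placement tool or a change-approval script could run. Host names, VM names and the trust labels are constructed for the illustration; the two phases correspond to the two stages described above.

```python
"""Policy-as-code check for VM placement and live migration by trust level.

Added illustration: the inventory below is constructed, and the phase
definitions encode the two-stage policy described in the text.
"""
from dataclasses import dataclass, replace

TRUST_LEVELS = ("dmz", "internal", "restricted")  # labels used by this example's policy


@dataclass(frozen=True)
class Host:
    name: str
    intra_host_inspection: bool = False  # VM-to-VM traffic on this host is steered through inspection


@dataclass(frozen=True)
class VM:
    name: str
    trust: str
    host: str


# Constructed inventory: two plain hosts and one host with intra-host inspection.
HOSTS = {
    "esx-01": Host("esx-01"),
    "esx-02": Host("esx-02"),
    "esx-03": Host("esx-03", intra_host_inspection=True),
}
VMS = [
    VM("web-01", "dmz", "esx-01"),
    VM("app-01", "internal", "esx-02"),
    VM("db-01", "internal", "esx-02"),
]


def placement_violations(hosts, vms, phase):
    """Return a sorted list of policy violations for a placement.

    phase 1: each host runs workloads of exactly one trust level.
    phase 2: mixed trust levels are tolerated only on hosts that inspect
             intra-host VM traffic.
    """
    violations = []
    levels_by_host = {}
    for vm in vms:
        if vm.trust not in TRUST_LEVELS:
            violations.append(f"{vm.name}: unknown trust level {vm.trust!r}")
            continue
        if vm.host not in hosts:
            violations.append(f"{vm.name}: placed on unknown host {vm.host!r}")
            continue
        levels_by_host.setdefault(vm.host, set()).add(vm.trust)
    for host_name, levels in levels_by_host.items():
        if len(levels) < 2:
            continue
        if phase == 1:
            violations.append(f"{host_name}: mixed trust levels {sorted(levels)} not allowed in phase 1")
        elif not hosts[host_name].intra_host_inspection:
            violations.append(f"{host_name}: mixed trust levels {sorted(levels)} without intra-host inspection")
    return sorted(violations)


def migration_allowed(hosts, vms, vm_name, target_host, phase):
    """Admit a live migration only if it introduces no new violation.

    Returns (allowed, reason). Pre-existing violations are subtracted so a
    migration that leaves them unchanged is not blocked because of them.
    """
    if not any(vm.name == vm_name for vm in vms):
        return False, f"unknown VM {vm_name!r}"
    if target_host not in hosts:
        return False, f"unknown target host {target_host!r}"
    moved = [replace(vm, host=target_host) if vm.name == vm_name else vm for vm in vms]
    before = set(placement_violations(hosts, vms, phase))
    after = set(placement_violations(hosts, moved, phase))
    new = sorted(after - before)
    if new:
        return False, "; ".join(new)
    return True, f"{vm_name} -> {target_host} keeps the placement compliant under phase {phase}"


if __name__ == "__main__":
    for phase in (1, 2):
        for target in ("esx-02", "esx-03"):
            print(phase, target, migration_allowed(HOSTS, VMS, "web-01", target, phase))
```

Running the block shows the policy change between phases: moving the DMZ web server onto esx-02 is refused in both phases (in phase 1 because the host would mix trust levels, in phase 2 because esx-02 does not inspect intra-host traffic), while esx-03 accepts it. The same check applied before every migration request is what turns the policy sentence into something enforceable.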

Define the Applications in the Data Center

The key principle for application enablement in your virtualized data center is a positive enforcement policy. A positive enforcement approach means that you identify, control and allow what is required for business operations in your organization, and deny everything else by default. The alternative, a negative enforcement approach, means blocking only what is known to be unwanted while everything else is implicitly allowed, which requires a significant and never-ending effort to track every new application and decide whether it should be blocked.

Identifying and safely enabling applications in the virtualized data center is harder than it seems. Application developers have been known to run applications on whatever port is convenient, or to bypass security controls altogether. It is not uncommon to find tech-savvy employees using remote access tools on non-standard ports, and DBAs are equally guilty of running SQL instances on non-standard ports. The ease of creating and delivering applications in virtualized data centers and clouds exacerbates the problem.

Applications can also serve as a launch platform for attacks and carry threats into a company’s network. Many applications use tactics such as non-standard ports, port hopping, hiding inside SSL encryption, and tunneling within commonly used services to bypass traditional port-based security controls. Understanding your applications, and safely enabling only those required for day-to-day business operations, reduces your organization’s attack surface.

Fortunately, next-generation security solutions can help with this. By deploying next-generation firewalls in monitor mode, you can get visibility into all data center traffic and begin building the list of “allowed”, IT-sanctioned applications before enabling specific application functions at a granular level. Once you have identified all of your applications, you can also inspect the allowed applications’ traffic for embedded threats.

In a well-designed virtualized data center, unknown traffic should be a very small percentage of traffic, if it exists at all. The ability to identify and analyze unknown traffic is essential in a data center. A next-generation firewall can categorize and analyze unknown traffic to determine whether it is generated by a legitimate application that is simply not yet recognized or by malware.
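To make the monitor-then-enforce workflow of the last three paragraphs concrete, here is an added example (not code from the article or from any firewall vendor) in Python. It identifies an application from the first bytes a client sends rather than from the port, builds the inventory a monitor-mode deployment would produce, and then applies a positive enforcement rule base keyed on application and user group. The flow records, the user-to-group directory and the four byte-pattern signatures are constructed for the illustration; a real product uses far richer signatures, but the decision logic is the point.

```python
"""Positive-enforcement application policy with unknown-traffic triage.

Added illustration: flows, users and the toy signatures below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str      # from directory integration, not from the packet
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent in the session


# Constructed directory data: who belongs to which group.
USER_GROUPS = {"alice": "dba", "bob": "developer", "carol": "finance"}

# Where each application is expected to live; used only to flag surprises.
EXPECTED_PORTS = {"ssh": {22}, "http": {80, 8080}, "ssl": {443}, "postgresql": {5432}}


def identify_app(payload: bytes) -> str:
    """Classify a session by its opening bytes, ignoring the destination port."""
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:  # TLS handshake record
        return "ssl"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE"):
        return "http"
    if len(payload) >= 8 and payload[4:8] == b"\x00\x03\x00\x00":  # PostgreSQL StartupMessage, protocol 3.0
        return "postgresql"
    return "unknown"


def inventory(flows):
    """Monitor mode: summarize what is really on the wire, per identified application.

    This is the raw material for the allow list; note the ports and users per app.
    """
    seen = defaultdict(lambda: {"users": set(), "ports": set(), "sessions": 0})
    for f in flows:
        entry = seen[identify_app(f.payload)]
        entry["users"].add(f.user)
        entry["ports"].add(f.dport)
        entry["sessions"] += 1
    return dict(seen)


# Positive enforcement: only (application, user group) pairs listed here are allowed.
RULES = [
    ("http", "developer"),
    ("ssl", "finance"),
    ("postgresql", "dba"),
]


def decide(flow: Flow, rules=RULES):
    """Return (verdict, reason). Unknown traffic is queued for analysis, never silently allowed."""
    app = identify_app(flow.payload)
    if app == "unknown":
        return "analyze", f"unidentified traffic from {flow.user} to {flow.dst}:{flow.dport}"
    group = USER_GROUPS.get(flow.user, "unknown-user")
    note = "" if flow.dport in EXPECTED_PORTS[app] else f" (on non-standard port {flow.dport})"
    if (app, group) in rules:
        return "allow", f"{app} for group {group}{note}"
    return "deny", f"no rule for {app} and group {group}{note}"


# Constructed sample sessions, including the evasions the text describes.
SAMPLE_FLOWS = [
    Flow("alice", "10.0.2.10", 5433, b"\x00\x00\x00\x14\x00\x03\x00\x00user\x00alice\x00\x00"),  # SQL, odd port
    Flow("bob", "10.0.1.5", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),                                   # SSH hiding on 443
    Flow("carol", "10.0.1.5", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),            # genuine TLS
    Flow("bob", "10.0.1.20", 8080, b"GET /api/health HTTP/1.1\r\nHost: app\r\n\r\n"),          # HTTP on alt port
    Flow("bob", "10.0.3.9", 4444, b"\x8f\x01\x02\x03\xde\xad\xbe\xef"),                          # nothing recognized
]


if __name__ == "__main__":
    for app, entry in sorted(inventory(SAMPLE_FLOWS).items()):
        print(f"{app:11} ports={sorted(entry['ports'])} users={sorted(entry['users'])}")
    for f in SAMPLE_FLOWS:
        print(f.user, f.dst, f.dport, *decide(f))
```

The important behaviors are the two the port-based approach gets wrong: the DBA's PostgreSQL session on 5433 is allowed because the rule is written against the application, and the SSH session on 443 is denied because it is identified as SSH regardless of the port. The unrecognized session on 4444 lands in the "analyze" bucket, which in practice is the queue a security team works down until unknown traffic is close to zero.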

Understand Who is Accessing your Data Center


The mission of the data center is to serve applications to users. These users range from employees and external business partners to contractors, all of whom may access data center applications from a multitude of devices such as tablets and other mobile devices. Understanding who is accessing these applications, and how, is critical to designing a data center that secures their access. Plan for your security solution to integrate with your user repository so that you can enforce access policies based on users and groups instead of IP addresses, and incorporate user information in reports and dashboards. Consider adopting Forrester Research analyst John Kindervag’s Zero Trust philosophy (“never trust, always verify”) of least privilege, where access control is strictly enforced and only the minimal privileges needed are granted.

Prepare for Threats in Your Virtualized Data Center

Virtualization-specific security threats and vulnerabilities are well documented. Because a virtualized server is made up of many components, from the hypervisor to the guest operating system and the application, each of these components needs to be secured to protect the virtualized environment.

But you still need to address the threats you would see in a traditional data center. For example, an Internet-facing virtualized data center may see denial-of-service attacks or automated script-kiddie attacks, while an enterprise-facing virtualized data center may see patient, multi-step intrusions that combine a variety of threat vectors. By understanding the threats to your specific data center, you can better prepare to handle them.

Segment Your Virtualized Data Center

As you build your virtualized data center network, the fundamental security best practice is to segment. Segmentation in the enterprise data center ensures that vulnerable parts of the data center are isolated from the rest of the network, and that servers that must comply with regulatory requirements are set apart to manage risk and reduce the scope of compliance audits. It also limits the damage an attacker can do after breaching one part of the data center. Segmentation is the best practice even in flat, layer two networks.

You should logically group systems that share similar risk factors and security classifications. For example, common infrastructure services such as Active Directory or NTP servers are often both the most critical and the most exposed systems in the data center, because every other tier must be able to reach them, so a compromise there gives an attacker a path to everything. These common services must be segmented from the other server tiers, with only the specific protocols each tier needs allowed through.

Virtualized servers must be segmented based on attributes such as risk factors and security classification. Place these servers in security zones, and permit traffic between zones selectively, in line with the security policy and access control requirements. VLANs and switch ACLs can separate zones at layer two and filter on addresses and ports, but they cannot tell a sanctioned application from something tunneled over the same port, and they cannot express policy in terms of users. Segmentation should therefore be enforced by a firewall, and only a next-generation firewall that enforces segmentation based on users and applications rather than on ports and IP addresses will be effective in securing a virtualized data center environment.
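The following added example (not the article's code, and not any vendor's policy format) puts the zoning advice of this section side by side with the port-based alternative. Zones are derived from subnets, an ordered rule base is written in terms of source zone, destination zone, application and user group with an implicit deny at the end, and the same intent is also written as a switch-style ACL so the two can be compared on identical flows. The zones, subnets, users and flows are constructed, and the application and user names on each flow are assumed to have been supplied by the firewall's own identification rather than derived here.

```python
"""Zone-based segmentation policy versus a port/IP ACL for the same intent.

Added illustration: zones, subnets, users and flows are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Zone -> subnets. The common-services zone holds AD, NTP and DNS, which every tier must reach.
ZONES = {
    "users": ["192.168.0.0/16"],
    "dmz": ["10.10.0.0/24"],
    "app": ["10.20.0.0/24"],
    "db": ["10.30.0.0/24"],
    "common-services": ["10.40.0.0/24"],
}
ZONE_NETS = {z: [ipaddress.ip_network(n) for n in nets] for z, nets in ZONES.items()}

USER_GROUPS = {"dba1": "dba", "dev1": "developer"}  # constructed directory data


@dataclass(frozen=True)
class Rule:
    src_zone: str          # "*" matches any zone
    dst_zone: str
    app: str
    group: str = "any"     # user group from directory integration
    action: str = "allow"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    app: str               # as identified by the firewall, independent of dport
    user: str = "-"


# Ordered rule base, first match wins, implicit deny afterwards.
POLICY = [
    Rule("users", "dmz", "web-browsing"),
    Rule("dmz", "app", "http"),
    Rule("app", "db", "mssql-db"),
    Rule("users", "db", "mssql-db", group="dba"),   # only DBAs reach the database tier directly
    Rule("*", "common-services", "ldap"),
    Rule("*", "common-services", "ntp"),
    Rule("*", "common-services", "dns"),
]

# The same intent as a switch ACL: (src net, dst net, dst port, action).
PORT_ACL = [
    ("192.168.0.0/16", "10.10.0.0/24", 443, "permit"),
    ("10.10.0.0/24", "10.20.0.0/24", 8080, "permit"),
    ("10.20.0.0/24", "10.30.0.0/24", 1433, "permit"),
    ("192.168.0.0/16", "10.30.0.0/24", 1433, "permit"),  # "DBAs only" cannot be expressed here
    ("0.0.0.0/0", "10.40.0.0/24", 389, "permit"),
    ("0.0.0.0/0", "10.40.0.0/24", 123, "permit"),
    ("0.0.0.0/0", "10.40.0.0/24", 53, "permit"),
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_NETS.items():
        if any(addr in n for n in nets):
            return zone
    return "unknown"


def evaluate(flow: Flow, policy=POLICY):
    """Zone/app/user policy. Returns (action, reason); intra-zone flows need a rule too."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (sz, dz):
        return "deny", f"{flow.src}->{flow.dst}: address outside every zone"
    group = USER_GROUPS.get(flow.user, "any")
    for r in policy:
        if r.src_zone not in ("*", sz) or r.dst_zone not in ("*", dz):
            continue
        if r.app != flow.app or (r.group != "any" and r.group != group):
            continue
        return r.action, f"{sz}->{dz} {flow.app} ({group}) matched rule {r}"
    return "deny", f"{sz}->{dz} {flow.app} ({group}) no matching rule, implicit deny"


def evaluate_port_acl(flow: Flow, acl=PORT_ACL) -> str:
    """What a port/IP ACL decides for the same flow; it never sees app or user."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for src_net, dst_net, port, action in acl:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net) and flow.dport == port:
            return action
    return "deny"


# Constructed flows: the two in the middle are where the approaches disagree.
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "10.30.0.8", 1433, "mssql-db"),                  # app tier to DB
    Flow("192.168.5.9", "10.30.0.8", 1433, "mssql-db", user="dev1"),   # developer to DB
    Flow("10.20.0.5", "10.30.0.8", 1433, "ssh"),                       # SSH tunneled over the SQL port
    Flow("192.168.5.9", "10.30.0.8", 1433, "mssql-db", user="dba1"),   # DBA to DB
    Flow("10.10.0.3", "10.40.0.2", 389, "ldap"),                       # DMZ host to AD
    Flow("10.10.0.3", "10.30.0.8", 1433, "mssql-db"),                  # DMZ straight to DB
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>12} -> {f.dst}:{f.dport} {f.app:10} zone-policy={evaluate(f)[0]:5} port-acl={evaluate_port_acl(f)}")
```

On the six constructed flows the two rule sets agree on four and disagree on exactly the two cases the text warns about: the developer reaching the database tier over the sanctioned port (the ACL has no notion of "dba group"), and SSH tunneled over TCP/1433 between the app and database tiers (the ACL sees only the port). Treating every inter-zone flow as denied unless a rule names the application and, where it matters, the user group is what makes the segmentation hold once workloads start moving around inside the virtualized environment.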

Summary – Evolve Securing Your Infrastructure as Your Infrastructure Evolves

This top 5 list by no means addresses all of your design considerations in building security into your virtualized data center. But, it’s a start. And unfortunately, unlike the Alice in Wonderland story, there is no ending to your security considerations. Just like a security policy is a living document that will continually be reviewed and adjusted based on new business objectives, your security considerations will continue to evolve as the application and threat landscape changes.

Danelle Au is head of product marketing at Adallom, a SaaS security company. Danelle has more than 15 years of experience bringing new and innovative security technologies to market, and is a frequent speaker at conferences. Prior to Adallom, Danelle was responsible for solutions marketing at Palo Alto Networks, driving growth in critical IT initiatives like virtualization, network segmentation and mobility. She was also co-founder of a high-speed networking chipset startup. She is co-author of an IP Communications book, "Cisco IP Communications Express: Operation, Implementation and Design Guide for the Small and Branch Office”, and holds 2 U.S. patents.