No matter which way you slice and dice the numbers, the data center is typically one of the most costly items within an enterprise IT budget. The costs are high not only from a CapEx perspective but also from the day-to-day operations of keeping servers up and running.
When faced with the daunting costs of a data center, it can be easy to allocate for security only as an afterthought, or to only assign a small percentage of the IT budget to security. But, choosing the right network security solution is “budget smart”, and can actually increase the productivity and efficiency of the data center in the long run. Here are the top five things to consider:
1) Choose a network security solution that is agile
As background, let’s revisit the limitations of traditional security within a nimble, dynamic, virtualized data center environment. Within a virtualized data center environment, a virtual machine can be provisioned in minutes. In order to enable security features, the traffic flows within the virtual environment need to be traffic engineered to the right firewall. Security policies then need to be approved and manually provisioned within the firewall via a change control process. This process (approval of policy changes to accommodate a new application, and making the right changes on the right firewall) can take weeks if not months. Security therefore becomes the biggest barrier for enterprises in keeping up with the demands of the business.
As you prioritize your data center security budget, your network security solution needs not only to deliver the fundamentals of safe application enablement and threat protection, but also to support automation and orchestration, and to track virtualized workloads so that policy protection stays consistent as workloads move. This will then help increase the efficiency of your data center in the long run.
2) Prioritize physical over virtualized hardware
Prioritize physical network security appliances over virtualized network security appliances? But wait, you say. In the section above, I said it is important for the network security solution in the data center to be nimble and address the dynamic nature of virtualization and cloud. Therefore, doesn’t that mean enterprises need to be purchasing more virtualized firewalls instead?
The answer is no. While your network security solution needs to embrace the dynamic nature of virtualization and cloud, it most likely will be delivered via physical firewalls, except when there are applications of different trust levels within a virtualized server. For this specific use case (i.e. when applications of different trust levels reside within a virtualized server), East-West traffic inspection is most effectively delivered with a virtualized firewall.
3) Be specific about the problems you want to solve
There are three fundamental network security use cases in the data center: safe application enablement, threat protection and network segmentation. The safe application enablement use case is fundamental; it is, after all, the primary objective of the data center. But with threat protection, the focus should extend to modern attacks that propagate via legitimate users in the network. Finally, the network segmentation use case will address compliance and containment, and limit data exfiltration.
Assuming that there is additional budget for the data center after the above use cases are addressed, then it would be wise to address the challenge of distributed enterprise access: anytime, anywhere access to the data center using a variety of different devices and access types. BYOD and mobility (as described in my last SecurityWeek column) are ultimately data center challenges because they enable users to access corporate data from their personal devices wherever they are.
4) Don’t forget management, reporting and logging
Hand-in-hand with the actual network security spend should be equivalent spending on the management of these systems, and a real-time monitoring system that provides full visibility into what’s happening in your network. The configuration of virtual workloads and network security today are rigidly distinct functions, administered by independent IT administrators. Therefore, when selecting a network security management system, look for one that integrates with data center management and workflows, yet provides the ability to maintain independent security policy creation in the security IT administrator’s hands. In addition, the SIEM or big data monitoring system selected in the data center needs to be able to understand and incorporate security data.
5) Train your team
Part of the data center IT budget should also be allocated to training. Training will be necessary on new network security products and new software releases on those products. In addition, building a rapid response team that is prepared to tackle a potential breach in the network is critical. Only regular, consistent training can accomplish this.
According to Infonetics Research and their Data Center Security Strategies and Vendor Leadership: North American Enterprise Survey, enterprises participating in this survey spent an average of $14.6 million on data center security products in 2012, and expect to spend nearly $17 million in 2013. The goal to strive for as you budget for your data center network security spend is to address all five of the considerations above while staying within this $17M budget.