Using virtualisation to transform security

A Data#3 Secure eBook


1. We need to secure services on infrastructure we can’t always trust

The need to secure enterprise IT infrastructure and data is intuitive, but how we achieve that security must change; traditional security concepts need to evolve. Where we once thought of the firewall as a barrier around the perimeter of the enterprise, that perimeter itself is getting harder to define in an age of Software-Defined Infrastructure, Hybrid Cloud, and increasingly ubiquitous wireless and mobile communication.

The applications we use and the data we protect now travel across infrastructure, and they are becoming harder to control. The Cloud applications we use inevitably rely on compute resources that are often far from our direct influence. Even when we use a Private Cloud to directly control compute resources and storage, mobile-enabled users want to access that Cloud from anywhere at any time.

In summary:

Cyber threats are increasingly sophisticated, orchestrated, and persistent

The enterprise perimeter is now blurred, making protection against cyber threats increasingly complex

The applications and data we need to protect traverse infrastructure that we cannot necessarily control.

The IT environment has changed. We need a radically different approach to security.

[Figure: the blurred perimeter spanning Public Cloud, Web, On-premises infrastructure and Private Cloud]


2. In the past we secured each application as a single building

Traditionally, enterprise IT security was based on a model of storage, database, applications and user interface components existing in siloed stacks. In that model, it was relatively easy to align security controls to the applications that we were trying to protect. If the stack was a building, the security could be represented as a security guard at the front door.

This largely made sense where data, compute and storage all resided within a highly secure enterprise data centre that IT administrators could control completely.

In summary:

Many of the security approaches used today are still based on this traditional architecture

The siloed stack is no longer a realistic model; architecture is now dispersed and interdependent.

Security approaches need to change to bridge this architecture gap.

[Figure: a single siloed stack of apps, database, web and storage]


3. Applications now operate more like dispersed networks

Modern applications are different to the siloed stack of old. Today applications are distributed, with their various elements operating across multiple underlying infrastructure components, so an application acts more as a network in its own right.

Think, for example, of scenarios with a single application operating across web servers, app servers, database servers and storage servers, all interacting.

This new world of thousands of distributed applications in an enterprise, all commingled on a common infrastructure, led organisations to deploy relatively flat networks to accommodate the growth and complexity. That in itself creates new security challenges we simply did not have to grapple with in the past. If an app is compromised, it’s relatively easy for a threat to overrun the intrusion point, and then move laterally to other segments. Using our city metaphor, the security challenge is even greater when one recognises that the roads and buildings in this city are often beyond our direct control.

Legacy IT security approaches are ineffective when the modern application is distributed throughout the data centre. Security approaches that traditionally aligned to the underlying infrastructure (servers, network connections) need to adapt to align to the architecture of applications and data you want to protect.

[Figure: web, apps, database and storage components dispersed across the infrastructure]


4. We need to secure applications as neighbourhoods

If a modern application is like a network of neighbourhoods in a busy city, where do you place the security guards that used to patrol the front of the buildings? In this new metaphor, those security guards might remain, but they would be supported by a reinforced neighbourhood watch program that effectively distributes security throughout the neighbourhood. Each neighbourhood would want the ability to:

Protect against unwanted intrusion

Detect unusual activity inbound, within and outbound from the neighbourhood

Respond to threats and unusual activity.

Applying this security methodology to multiple neighbourhoods across an entire city presents a considerable challenge. By the same token, applying it to the many networks, servers and virtual machines in the average data centre presents a minefield of complexity, cost and operational hazards. Most organisations have a good handle on their security policy objectives: allow trusted user access, prevent nefarious access, and secure intellectual property. Yet, while security controls have been applied to physical infrastructure, meaningful policies really have very little to do with networks or servers, or even Clouds.

The challenge is an architectural gap: how do we align security policies and controls to what we are really trying to protect, the applications and processes that sit distributed across the top of the infrastructure?

[Figure: the architectural gap between the application architecture (web, database, apps, storage) and the policies and controls applied to the infrastructure]


5. Virtualisation for security is the key, not security for virtualisation

The emergence of virtualisation was often welcomed for its efficiencies, but raised perceptions of new security challenges to grapple with. As a result, security professionals asked ‘How do we secure a virtualised environment?’ Ironically, the new security paradigm tips that thinking on its head. A far more powerful question is ‘How can we use virtualisation to secure?’

The architectural challenge has been that security policies need to apply to applications and data because that is what people interact with – the right people need the right data and no-one else.

Encryption and application whitelisting began to change that, but what if we could use virtualisation to abstract the entire physical network? It would give us a map between the software architecture and the underlying physical infrastructure. That map would be dynamic and self-maintaining, able to track the state of every component in an application regardless of location. Virtualisation as a form of abstraction provides three extremely useful security characteristics:

Alignment – Security controls can be directly aligned to the application as it’s defined in the virtual layer, not just the underlying infrastructure.

Ubiquity – Provides the same set of security controls – service insertion, security tagging etc. - in software, across almost any combination of underlying hardware – even in a data centre managed by someone else.

Isolation – Filtering of application ports and protocols is applied outside the application context, i.e. not as an agent or control in the guest operating system (which an attacker will easily circumvent) but in the virtualisation layer, the hypervisor.

[Figure: a network virtualisation layer mapped beneath the storage, database, apps and web components]

[Figure: two application stacks (storage, apps, web, database) with NSX enforcing policy between their components]

6. Micro-segmentation and zero trust are now possible

VMware’s network virtualisation technology, NSX, abstracts and automates security, providing central management of firewall policy that is enforced at every virtual machine and independent of the underlying network hardware. This allows you to apply security policies quickly and easily to prevent the east-west movement of threats. Security controls move with the application and effectively become inherent to it, rather than being adapted to it. Then, regardless of where application virtual machines move to, security follows, ensuring it is always applied to maintain protection.

The ability to take a group of virtual machines and segment them off from neighbouring virtual machines – even on the same network segment – is termed “micro-segmentation”. VMware NSX makes micro-segmentation possible, and when it is aligned to application components, the lateral spread of threats within the data centre can be drastically mitigated. Administrators can now quickly and easily apply security policies that dynamically follow end users’ virtual desktops and application servers across infrastructure, data centres and even Clouds. VMware NSX also integrates with VMware’s mobile device management product, AirWatch, so that only specific apps on a mobile user’s device can establish a virtual private network into the data centre, and then only those apps gain access to designated services controlled by NSX, essentially creating a personal demilitarised zone.

In an age of needing to secure applications on infrastructure you cannot necessarily control, micro-segmentation means you can shift from a reliance on the network to deliver your traffic to a firewall. Virtualisation for security makes it faster to provision applications with the security controls you want, aligned directly to the workloads you need to protect.
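The following is an added illustration, not code from the eBook or from VMware: a small Python model of the micro-segmentation idea described above, in which firewall policy is written against application-tier security tags, evaluated at each virtual machine rather than at a network choke point, and therefore unaffected by which host or subnet a VM sits on. The inventory, tag names and rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class VM:
    name: str
    tags: frozenset   # security tags such as {"web"}: identity, not location
    host: str         # placement, changes on migration
    ip: str           # placement, changes on migration

@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    port: int

# Constructed policy per application tier; any flow not matched is dropped (default-deny).
POLICY = (Rule("web", "app", 8080), Rule("app", "db", 3306))

# Constructed inventory: all three tiers share the same 10.0.1.0/24 segment.
INVENTORY = {
    "web01": VM("web01", frozenset({"web"}), "esx-a", "10.0.1.10"),
    "app01": VM("app01", frozenset({"app"}), "esx-a", "10.0.1.20"),
    "db01": VM("db01", frozenset({"db"}), "esx-b", "10.0.1.30"),
}

def same_segment(a: VM, b: VM, prefix: int = 24) -> bool:
    """True when both VMs sit in one subnet, i.e. no router separates them."""
    return ip_address(a.ip) in ip_network(f"{b.ip}/{prefix}", strict=False)

def evaluate(src: VM, dst: VM, port: int) -> str:
    """Decision at the destination VM's virtual NIC: consults tags only, never host or IP."""
    for r in POLICY:
        if r.src_tag in src.tags and r.dst_tag in dst.tags and r.port == port:
            return "ALLOW"
    return "DENY"

def migrate(vm: VM, host: str, ip: str) -> VM:
    """Move a VM to another host and address; its tags, hence its policy, stay."""
    return VM(vm.name, vm.tags, host, ip)

def demo() -> dict:
    web, app, db = (INVENTORY[n] for n in ("web01", "app01", "db01"))
    moved_db = migrate(db, "esx-c", "10.0.9.30")  # new host, new subnet
    return {
        "web->app:8080": evaluate(web, app, 8080),                 # ALLOW
        "web->db:3306": evaluate(web, db, 3306),                   # DENY
        "web,db same segment": same_segment(web, db),              # True
        "app->db:3306 after move": evaluate(app, moved_db, 3306),  # ALLOW
    }
```

The web-to-database flow is denied even though no router separates the two VMs, and the app-to-database rule keeps matching after the database VM is moved; the model deliberately leaves out connection tracking for return traffic.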


Data#3 offices

Brisbane (Head Office): 67 High Street, TOOWONG, QLD 4066

Melbourne: Level 4, 55 Southbank Boulevard, SOUTHBANK, VIC 3006

Sydney: 107 Mount Street, NORTH SYDNEY, NSW 2060

Launceston: 23A Earl Street, LAUNCESTON, TAS 7250

Adelaide: 84 North Terrace, KENT TOWN, SA 5067

Canberra: Suite 2, Level 1, 220 Northbourne Ave, BRADDON, ACT 2612

Hobart: 16 Collins Street, HOBART, TAS 7000

Perth: Level 2, 76 Kings Park Road, WEST PERTH, WA 6005

Follow Us:

youtube.com/Data3Limited

linkedin.com/company/Data3

twitter.com/Data3Limited

facebook.com/Data3Limited

1300 23 28 23 www.data3.com.au

For more information, visit www.data3.com.au/network-security or contact a Data#3 security specialist.