Is the software defined data center a security project?

Can security be the catalyst for the software defined data center (SDDC)? Security may be one of the one areas of information technology that’s easy to convey to non-IT executives. The fallout from data breaches such as the one at Target highlight the enormous cost associated with failed security. These events create big attention to data security in their industry and more people look at how they can improve their IT system. For example, 23% of law firms indicated they had suffered a security breach showing just how targeted they are. When the American Bar Association’s Legal Technology Survey Report came out, a lot of firms looked for legal managed services for their IT so they could be better protected. It just shows the opportunities for security and IT professionals to implement new technology controls in the data center. The challenge, traditional data center designs make it difficult to approach security holistically.

There are two approaches to data center security, protecting it at the edge (network) and protecting it at the host. At the network layer, vendors give the ability to inspect packets and traffic to identify unauthorized access. At the host layer solutions allow you to tag and identify sensitive data. This gives the ability to take action on the host if unauthorized actions are taken on the host.

Both have their limitations and trying combine the two for increased effectiveness has been elusive. Consider combining host based data loss protection (DLP) and network-based defense. In the best-case scenario, you’d want some network action to take place if data leakage were to occur. An example would be shutting down the port of a workstation or server that is observed to be accessing or transmitting unauthorized data. This type of integration is difficult to achieve with today’s products. This is due to the lack of data center orchestration. Or more directly put, the ability of your security product to tell storage, networking and compute to do with sensitive data.

Talking with VMware’s Networking CTO Martin Casado, VMware believes the SDDC is the answer to this challenge. Central to VMware’s strategy is the “Goldilocks Zone.” As Casado explains it, the Goldilocks zone is the intersection of data center technology that all data is converged. In VMware’s case, this is the hypervisor or more specifically, vSphere. According to Casado, who spent time working in the intelligence industry prior to co-founding Nicira, the hypervisor has a unique position in the data center. Since, the hypervisor presents and controls storage, compute and networking the insight and orchestration needed for security can be achieved through the hypervisor.

VMware wants to position their data center product suites as an answer to most security pain points. From a high level, it doesn’t take much to string together the possibilities of a VMware central solution. VMware could with relative ease team with a company such as MacAfee that has a DLP suite and add to it the power of vSphere and NSX. A well-integrated solution would allow a security customer to analyze data sitting on a VM, track it through the network and take action if unauthorized movement is detected.

This isn’t the utopia of security. As Casado noted, there isn’t a perfect security solution. I questioned him on one of the potential shortcomings of VMware’s approach, which is the focus on the hypervisor. After all, the more services you add to the kernel the more attack vectors are opened. Now that the hypervisor becomes the single point for security orchestration its a sweet spot for attacks. Casado addressed this by noting that it isn’t any different than it is today. VMware takes great pains to ensure not even security products have direct access to the hypervisor’s kernel. Basically, the security that exists in ESXi isn’t changed because the kernel isn’t growing.

VMware is still at the early stages of communicating their new security strategy. However, this has potential and VMware isn’t the only player in the SDDC space that can offer similar capability. This Goldilocks security zone would in theory apply to any hypervisor based environment from a number of vendors or project such as OpenStack. VMware does have the advantage of being a leader in the space overall and this discussion on security shows that they aren’t sitting back and waiting on competition.

Casado and VMware may have something here when it comes to making a case for the software defined data center. Security is one area that out paces all other IT spending and may be a big enough stick to force change in even the most critical legacy IT.

Published by Keith Townsend

Now I'm @CTOAdvisor

8 thoughts on “Is the software defined data center a security project?

  1. Agreed Keith, and great write up. Looking at Martin’s history, we see that he came from security to networking, and the principles carried forward. Micro-segmentation and multi-tenant networking is primarily about secure segmentation. The ability to do this programmatically creates the ideal marriage of use-case and usability. Regardless of whether NSX, ACI, OpenContrail, or any SDN solution, these are all great enabling technologies.

Leave a Reply to discoposse Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: