Security in the Software Defined Data Center

By on Apr 21, 2015

Today, almost every component of a data center operates as a generalized pool of hardware resources. Whether it is computing power, storage, or networking, you can provision, operate, and manage your resources in the most efficient way for your requirements. Workloads in these Software Defined Data Centers (SDDC) spread across multiple machines, even multiple locations, expanding and contracting as needed. The SDDC architecture encompasses all the data center functions: virtual machines, software-defined networking, software-defined storage, cloud computing, automation, management, and security.

As each component becomes virtual, it puts pressure on the supporting functions to adapt, and security is now responding to this pressure. Legacy security architectures are disconnected from provisioning, workloads, and network flows. As the data center evolved from one giant machine to tens, hundreds, and then thousands of machines, security relied on perimeter defenses and on segmentation of machines and networks into what are referred to as security zones. Unfortunately, managing these zones is quite complex, so most customers create only a small number of them. In this model, security is enforced at the perimeter, which has traditionally produced a centralized policy that is unmanageable.

The new approach to securing SDDCs is virtual isolation and micro-segmentation. Each workload now has its own perimeter defenses, isolating it from the rest of the data center and then applying policies as needed. Think of this as the policy being tied to the application. Access is granted with the least amount of privilege necessary to do the job, limiting the opportunity for malicious actions. If a virtual machine moves, its policies move with it.

Historically, traffic in data centers was mostly from client to server, or north-south traffic. Perimeter defenses and network segments were built to corral traffic by function or department and to defend against outside threats. Today, up to 80% of data center traffic stays within the data center; this is called east-west traffic. We have been seeing recently that once an adversary has made it past the perimeter firewall, the data center becomes a wide-open playground. Segmentation needs to adapt to this new reality, applying policies and traffic steering to individual flows and defending against threats from all possible attack vectors. Policies are configured and applied for logical groups, not physical ones.

Security for SDDC needs more functionality than a perimeter firewall. Intrusion detection and prevention, deep file analysis and file reputation management, behavioral analysis, advanced threat defense and bot detection are all necessary capabilities. By steering traffic to the appropriate virtual security engines, these and other protections are available when needed.

For example, in a typical three-tier scenario with a web tier, application tier, and database tier, SDDC security is applied at each boundary layer, protecting each tier in all directions. The database tier, which is where the sensitive information resides, would have more advanced security and data loss prevention capabilities. The web tier would be more focused on malicious addresses, URLs, and stack vulnerabilities.
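The following is an added illustration, not code from the original post or from McAfee: a minimal micro-segmentation policy model for the three-tier scenario above, in which rules reference logical tier groups rather than hosts or addresses (so policy travels with a migrating workload), every flow not explicitly allowed is denied, and allowed flows are steered through a per-tier chain of virtual security engines. The tier names, ports and engine names are constructed assumptions.

```python
from dataclasses import dataclass

# Added example: policy is expressed against logical groups (tier tags),
# never against hosts or addresses, so a workload keeps its policy when it
# moves between hosts. Anything not explicitly allowed is denied.

@dataclass
class Workload:
    name: str
    tier: str   # logical group: "web", "app" or "db"
    host: str   # physical placement; policy never looks at it

@dataclass(frozen=True)
class Rule:
    src_tier: str
    dst_tier: str
    port: int

# Only the expected three-tier hops are opened (constructed ports).
POLICY = {
    Rule("web", "app", 8080),
    Rule("app", "db", 5432),
}

# Per-tier service chains: the virtual security engines an allowed flow is
# steered through before reaching its destination tier (hypothetical names;
# the database tier gets the heavier chain, including data loss prevention).
SERVICE_CHAIN = {
    "web": ["url-reputation", "ips"],
    "app": ["ips"],
    "db": ["ips", "dlp"],
}

def flow_allowed(src: Workload, dst: Workload, port: int) -> bool:
    """Evaluate an east-west flow against the group-based, default-deny policy."""
    return Rule(src.tier, dst.tier, port) in POLICY

def steer(src: Workload, dst: Workload, port: int) -> tuple[str, list[str]]:
    """Return the enforcement decision and the engines the flow is steered through."""
    if not flow_allowed(src, dst, port):
        return "deny", []
    return "allow", list(SERVICE_CHAIN[dst.tier])

def migrate(wl: Workload, new_host: str) -> Workload:
    """Move a workload; its tier, and therefore its policy, travels with it."""
    wl.host = new_host
    return wl
```

A web-tier workload that reaches directly for the database tier is denied regardless of which host either workload currently runs on, which is the lateral movement the post says perimeter-only enforcement leaves open.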

By integrating software-defined security with software-defined networks, you get a more agile and efficient security solution that delivers advanced threat protection to all of the traffic in your data center, not just the north-south flows. Security services are automatically injected into a new workload based on policy, not physical or hierarchical structure. Security capacity scales with the rest of the data center, reducing potential bottlenecks. Virtual security is now a reality.

Read more posts from McAfee

Subscribe to McAfee Securing Tomorrow Blogs