By Richard Dornhart, National Security Practice Manager, Data#3
[Reading Time – 4 minutes]
Today, the architecture of enterprise IT is far removed from the days of client/server. Where it was once relatively easy to align IT security controls within the stack to the apps and data that required protection, a typical app is now likely to be distributed across multiple compute, storage and database layers. Alternatively, it could be a composed service comprised of a host of containers, spread across a mix of on-premises and Cloud infrastructure.
In a very real sense, applications have come to reflect the characteristics of the network itself, evolving to accommodate the growth and complexity of new enterprise requirements and capabilities. Apps now consist of a number of components drawn from different silos across a growing number of data centres. This has resulted in a corresponding rise in the amount of East-West traffic between data centres and server environments – all of which is happening with minimal oversight.
Such environments present a very pressing issue for enterprise security. How can applications be protected when in many cases organisations struggle with providing end-to-end control over the infrastructure across which those applications are deployed? Given that the average enterprise environment may consist of hundreds of applications, running on shared infrastructure, across multiple data centres, the security considerations rapidly become extremely complex.
Add to this the difficulties of identifying the true enterprise perimeter, and it is clear that an architectural gap has emerged between the policies that can protect the application layer, and the controls that secure the infrastructure upon which it relies. While often these protections are created based on the characteristics of the application, the infrastructure it is running on and the information it is interacting with lacks sufficient context and dynamism to respond with the agility required to adequately defend against today’s threats.
These are some of the fundamental challenges presented by today’s architecture, which have necessitated a new paradigm for IT security. It is very difficult, for instance, to place controls in the path of an application. Existing security policies, almost entirely focused on protecting applications and data at the access level, struggle to anticipate the evolving threats that are emerging between layers at the infrastructure level. We need to better align these policies and controls with what we are trying to protect.
What has become increasingly apparent is that for a truly effective approach to security, this architectural gap needs to be closed. In this instance, network virtualisation has significant potential in enabling micro-segmentation across discrete server environments via the virtual fabric. This allows a ‘shared’ state to exist between applications and the infrastructure that enables them providing greater oversight and control.
This is the first of four blogs investigating the ways in which IT security needs to evolve. In our next blog, we’ll explore in further detail how network virtualisation is helping bring about this evolution through its ability to provide an abstraction layer between infrastructure and applications and a shared context for network security policies and controls.