THE NEW IT SECURITY PARADIGM PART 2 – How Network Virtualisation Will Transform IT Security

By Richard Dornhart, National Security Practice Manager, Data#3

[Reading Time – 3 minutes]

Neighbourhood Watch

When thinking of the relationship between infrastructure and data, it is useful to consider the various distributed networks of enterprise IT as a sort of neighbourhood. In this analogy, data centres are the buildings and the network links are the roads. From a security perspective, we have long sought to secure our networks by placing stronger locks on the doors of those buildings.

Yet data and applications constantly move laterally between data centres, Public/Private Cloud infrastructure and the various layers of applications. The number of possible connection points and the volume of traffic means that total protection of all that internal traffic is simply not viable. It is not feasible, for instance, to have a security guard overseeing every street corner, or every office on every floor of every building.

To cope with this new reality, a new security paradigm is emerging based on network virtualisation.

The key virtue of network virtualisation is that it creates a layer that is effectively a map between the application and the underlying physical infrastructure. In this way, the virtual fabric can be leveraged to align security policies and controls directly to the application, independent of the infrastructure underneath.

How does this work? Doesn’t this simply constitute another layer to manage, with all the implications of complexity it suggests?

A virtual data centre for every application

Although it is true that network virtualisation does create an abstraction layer between infrastructure and applications, the more useful question is not ‘how can we secure virtualisation?’ but ‘how can we use virtualisation to secure?’

Network virtualisation expands the possibilities of the control points offered by virtual switches, and broadens their functionality beyond routing and switching to include load-balancing, firewall and gateway capabilities. By introducing the notion of a virtual network controller, you introduce a central state distribution mechanism that coordinates all your virtual switches across a unified fabric. This essentially creates a network hypervisor, and a control point between every machine in that virtual network.

“Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.”
– Professor Jerome Saltzer, MIT, Communications of the ACM

The completeness of this approach allows network virtualisation security to act as an integrated system, rather than reactively creating endless silos. Additionally, since it allows us to view the infrastructure through the lens of the application, network virtualisation becomes the perfect platform by which Jerome Saltzer’s concept of ‘Least Privilege’ can be implemented.
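To make the two points above concrete (a control point at every virtual switch, and policy that follows the application rather than the infrastructure), here is an added example that is not part of the original post. It models a centrally distributed, default-deny, tag-based rule set beside a traditional address-based one; the three-tier "crm" application, the "hr-batch" workload and all addresses are constructed for illustration, and no particular vendor's API is implied.

```python
from dataclasses import dataclass

# Constructed model: a workload carries application/tier tags; its IP is
# an infrastructure detail that may change when it migrates.
@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: frozenset

@dataclass(frozen=True)
class TagRule:
    """'Within application APP, tier SRC may reach tier DST on PORT'."""
    app: str
    src_tier: str
    dst_tier: str
    port: int

class DistributedFirewall:
    """One rule set pushed by the controller and enforced at every vSwitch,
    so each workload-to-workload hop is a control point. Default deny:
    a flow is permitted only by an explicit application-level rule."""
    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, src, dst, port):
        return any(r.app in src.tags and r.app in dst.tags
                   and r.src_tier in src.tags and r.dst_tier in dst.tags
                   and r.port == port for r in self.rules)

class PerimeterFirewall:
    """Traditional rules keyed on (src_ip, dst_ip, port)."""
    def __init__(self, rules):
        self.rules = set(rules)

    def allows(self, src, dst, port):
        return (src.ip, dst.ip, port) in self.rules

def migrate(w, new_ip):
    """Workload moves to another address (e.g. another data centre); tags travel with it."""
    return Workload(w.name, new_ip, w.tags)

WEB = Workload("crm-web", "10.1.0.10", frozenset({"crm", "web"}))
APP = Workload("crm-app", "10.1.0.20", frozenset({"crm", "app"}))
DB = Workload("crm-db", "10.1.0.30", frozenset({"crm", "db"}))
OTHER = Workload("hr-batch", "10.1.0.40", frozenset({"hr", "batch"}))

DFW = DistributedFirewall([TagRule("crm", "web", "app", 8080),
                           TagRule("crm", "app", "db", 5432)])
PFW = PerimeterFirewall([(WEB.ip, APP.ip, 8080), (APP.ip, DB.ip, 5432)])

def policy_follows_workload():
    """Move the DB and let an unrelated workload take its old address:
    returns (tag policy still allows app->db, ip policy still allows app->db,
    ip policy now allows app->stranger, tag policy allows app->stranger)."""
    moved = migrate(DB, "10.2.0.30")
    stranger = migrate(OTHER, "10.1.0.30")
    return (DFW.allows(APP, moved, 5432), PFW.allows(APP, moved, 5432),
            PFW.allows(APP, stranger, 5432), DFW.allows(APP, stranger, 5432))
```

The tag-based rule set denies the tier-skipping web-to-database flow and any cross-application flow by default, and keeps working after migration, whereas the address-based rules both break and, once the old address is reused, admit the wrong workload.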

Escaping the trust domain trap

Clearly, there is enormous and liberating power in being able to move towards software-based solutions to our problems – but how do we do that without being forced to operate in the same trust domain as an attacker? This is the question that has required us to rethink what effective enterprise security looks like, and why network virtualisation offers a new pathway forward.

In the third post of this blog series, we’ll examine the role that encryption plays in protecting data flow, and how quickly it can become problematic to manage once it is extended beyond its typical boundaries.
