
THE NEW IT SECURITY PARADIGM PART 2 – How Network Virtualisation Will Transform IT Security

By Richard Dornhart, National Security Practice Manager, Data#3

[Reading Time – 3 minutes]

Neighbourhood Watch

When thinking of the relationship between infrastructure and data, it is useful to consider the various distributed networks of enterprise IT as a sort of neighbourhood. In this analogy, data centres are the buildings and the network links are the roads. From a security perspective, we have long sought to secure our networks by placing stronger locks on the doors of those buildings.

Yet data and applications constantly move laterally between data centres, Public/Private Cloud infrastructure and the various layers of applications. The number of possible connection points and the volume of traffic means that total protection of all that internal traffic is simply not viable. It is not feasible, for instance, to have a security guard overseeing every street corner, or every office on every floor of every building.

To cope with this new reality, a new security paradigm is emerging based on network virtualisation.

The key virtue of network virtualisation is that it creates a layer that is effectively a map between the application and the underlying physical infrastructure. In this way, the virtual fabric can be leveraged to align security policies and controls directly to the application, independent of the infrastructure underneath.

How does this work? Doesn’t this simply constitute another layer to manage, with all the implications of complexity it suggests?

A virtual data centre for every application

Although it is true that network virtualisation does create an abstraction layer between infrastructure and applications, rather than asking ‘how can we secure virtualisation?’, a more useful question is ‘how can we use virtualisation to secure?’

Network virtualisation expands the possibilities of the control points offered by virtual switches, and broadens their functionality beyond routing and switching to include load-balancing, firewall and gateway capabilities. By introducing the notion of a virtual network controller, you introduce a central state distribution mechanism that controls all your virtual switches across a unified fabric. This essentially creates a network hypervisor, and a control point between every machine in that virtual network.

“Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.”
– Professor Jerome Saltzer, MIT, Communications of the ACM

The completeness of this approach allows network virtualisation security to act as an integrated system, rather than reactively creating endless silos. Additionally, since it allows us to view the infrastructure through the lens of the application, network virtualisation becomes the perfect platform by which Jerome Saltzer’s concept of ‘Least Privilege’ can be implemented.
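To make the two ideas above concrete (a control point at every virtual switch port, and policy aligned to the application rather than the infrastructure), here is an added illustrative model that is not part of the original post or any vendor product. The workload inventory, the "payroll" and "hr" applications, their tiers and IP addresses are all constructed; the policy is keyed on application and tier tags only, defaults to deny, and therefore follows a workload even when the fabric moves it to a new address.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str    # where the fabric currently places it; not used by policy
    app: str   # application identity, e.g. "payroll"
    tier: str  # role within that application: web, app, db

@dataclass(frozen=True)
class Rule:
    app: str       # rules are scoped to a single application
    src_tier: str
    dst_tier: str
    proto: str
    port: int

# Constructed least-privilege allow-list for the "payroll" application.
# Anything not listed here (web -> db, app -> ssh, cross-app) is denied.
PAYROLL_RULES = [
    Rule("payroll", "web", "app", "tcp", 8080),
    Rule("payroll", "app", "db", "tcp", 5432),
]

# Constructed inventory: two applications sharing the same physical fabric.
INVENTORY = [
    Workload("pay-web-1", "10.0.1.10", "payroll", "web"),
    Workload("pay-app-1", "10.0.2.10", "payroll", "app"),
    Workload("pay-db-1",  "10.0.3.10", "payroll", "db"),
    Workload("hr-db-1",   "10.0.3.20", "hr",      "db"),
]

def build_index(inventory):
    """Controller state pushed to every virtual switch: IP -> workload identity."""
    return {w.ip: w for w in inventory}

def decide(index, src_ip, dst_ip, proto, port, rules=PAYROLL_RULES) -> bool:
    """Decision taken at the virtual switch port, for every flow between machines.
    Packets are resolved to workload identity first; the rule match uses tags only."""
    src, dst = index.get(src_ip), index.get(dst_ip)
    if src is None or dst is None:
        return False                     # unknown endpoint: no identity, no privilege
    if src.app != dst.app:
        return False                     # no implicit trust between applications
    return any(r.app == src.app and r.src_tier == src.tier and r.dst_tier == dst.tier
               and r.proto == proto and r.port == port for r in rules)

def relocate(w: Workload, new_ip: str) -> Workload:
    """Simulate the fabric moving a workload; its app and tier (and thus policy) stay."""
    return Workload(w.name, new_ip, w.app, w.tier)
```

Run `decide(build_index(INVENTORY), "10.0.1.10", "10.0.3.10", "tcp", 5432)` to see that a web host cannot reach its own database directly, even though both sit on the same fabric.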

Escaping the trust domain trap

Clearly, there is enormous and liberating power in being able to move towards software-based solutions to our problems – but how do we do that, without being forced to operate in the same trust domain as an attacker? This is the question that has necessitated us rethinking what effective enterprise security looks like, and why network virtualisation offers a new pathway forward.

In the 3rd post of this blog series, we’ll examine the role that encryption plays in protecting data flow, and how quickly it can become problematic to manage once it is extended beyond its typical boundaries.

Tags: Cybersecurity, Network Security, Security, Virtualisation
