
THE NEW IT SECURITY PARADIGM PART 2 – How Network Virtualisation Will Transform IT Security

By Richard Dornhart, National Security Practice Manager, Data#3

[Reading Time – 3 minutes]

Neighbourhood Watch

When thinking of the relationship between infrastructure and data, it is useful to consider the various distributed networks of enterprise IT as a sort of neighbourhood. In this analogy, data centres are the buildings and the network links are the roads. From a security perspective, we have long sought to secure our networks by placing stronger locks on the doors of those buildings.

Yet data and applications constantly move laterally between data centres, Public/Private Cloud infrastructure and the various layers of applications. The number of possible connection points and the volume of traffic mean that total protection of all that internal traffic is simply not viable. It is not feasible, for instance, to have a security guard overseeing every street corner, or every office on every floor of every building.

To cope with this new reality, a new security paradigm is emerging based on network virtualisation.

The key virtue of network virtualisation is that it creates a layer that is effectively a map between the application and the underlying physical infrastructure. In this way, the virtual fabric can be leveraged to align security policies and controls directly to the application, independent of the infrastructure underneath.

How does this work? Doesn’t this simply constitute another layer to manage, with all the implications of complexity it suggests?

A virtual data centre for every application

Although it is true that network virtualisation does create an abstraction layer between infrastructure and applications, rather than asking ‘how can we secure virtualisation?’, a more useful question is ‘how can we use virtualisation to secure?’

Network virtualisation expands the possibilities of the control points offered by virtual switches, and broadens their functionality beyond routing and switching to include load-balancing, firewall and gateway capabilities. By introducing the notion of a virtual network controller, you introduce a central state distribution mechanism that controls all of your virtual switches across a unified fabric. This essentially creates a network hypervisor, and a control point between every machine in that virtual network.

“Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.”
– Professor Jerome Saltzer, MIT, Communications of the ACM

The completeness of this approach allows network virtualisation security to act as an integrated system, rather than reactively creating endless silos. Additionally, since it allows us to view the infrastructure through the lens of the application, network virtualisation becomes the perfect platform by which Jerome Saltzer’s concept of ‘Least Privilege’ can be implemented.
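The two ideas above, a controller that pushes one policy set to a control point in front of every machine, and policy expressed in terms of the application rather than the infrastructure, can be made concrete with a small model. The following is an added example written for this page, not code from Data#3 or any product the post alludes to; the application tags, tier names and IP addresses are constructed, and the `DistributedFirewall` class is a toy stand-in for a real controller and enforcement point. Rules name application tags, so when a workload is moved to a new address its least-privilege policy follows it without any rule change, and anything not explicitly allowed (including an unknown endpoint) is denied.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    """A VM or container as known to the virtual network controller."""
    name: str
    ip: str
    tags: frozenset  # application-centric labels, e.g. {"app:shop", "tier:web"}


@dataclass(frozen=True)
class Rule:
    """Allow traffic from workloads carrying all src_tags to workloads carrying
    all dst_tags on the listed (protocol, port) pairs. Nothing else is allowed."""
    src_tags: frozenset
    dst_tags: frozenset
    services: frozenset  # e.g. {("tcp", 8080)}


class DistributedFirewall:
    """Toy model (an assumption of this example) of a controller-distributed
    enforcement point in front of every virtual NIC: the policy set is the same
    everywhere and is evaluated against workload tags, never against raw IPs."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.inventory = {}  # ip -> Workload, as pushed down by the controller

    def register(self, workload):
        self.inventory[workload.ip] = workload

    def move(self, name, new_ip):
        """Workload re-homed to another host or subnet: only its IP changes;
        its tags, and therefore its policy, travel with it."""
        old = next(w for w in self.inventory.values() if w.name == name)
        del self.inventory[old.ip]
        self.register(Workload(old.name, new_ip, old.tags))

    def allows(self, src_ip, dst_ip, proto, port):
        src = self.inventory.get(src_ip)
        dst = self.inventory.get(dst_ip)
        if src is None or dst is None:
            return False  # unknown endpoint: least privilege means default deny
        return any(
            r.src_tags <= src.tags
            and r.dst_tags <= dst.tags
            and (proto, port) in r.services
            for r in self.rules
        )


def build_shop_policy():
    """Constructed three-tier 'shop' application with a least-privilege rule set:
    load balancer -> web on 443, web -> app on 8080, app -> db on 5432."""
    shop = frozenset({"app:shop"})
    rules = [
        Rule(frozenset({"role:lb"}), shop | {"tier:web"}, frozenset({("tcp", 443)})),
        Rule(shop | {"tier:web"}, shop | {"tier:app"}, frozenset({("tcp", 8080)})),
        Rule(shop | {"tier:app"}, shop | {"tier:db"}, frozenset({("tcp", 5432)})),
    ]
    fw = DistributedFirewall(rules)
    fw.register(Workload("lb-1", "10.0.0.10", frozenset({"role:lb"})))
    fw.register(Workload("web-1", "10.0.1.11", shop | {"tier:web"}))
    fw.register(Workload("app-1", "10.0.2.21", shop | {"tier:app"}))
    fw.register(Workload("db-1", "10.0.3.31", shop | {"tier:db"}))
    return fw


def demo():
    """Evaluate a few flows, then move the app server and re-evaluate."""
    fw = build_shop_policy()
    results = {
        "web->app 8080": fw.allows("10.0.1.11", "10.0.2.21", "tcp", 8080),
        "web->db 5432": fw.allows("10.0.1.11", "10.0.3.31", "tcp", 5432),  # lateral hop blocked
        "app->web 8080": fw.allows("10.0.2.21", "10.0.1.11", "tcp", 8080),  # wrong direction
    }
    # Re-home the app server to another subnet; the policy is untouched.
    fw.move("app-1", "10.0.9.21")
    results["web->app after move"] = fw.allows("10.0.1.11", "10.0.9.21", "tcp", 8080)
    results["old app IP after move"] = fw.allows("10.0.1.11", "10.0.2.21", "tcp", 8080)
    return results


if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow:24} {'ALLOW' if allowed else 'DENY'}")
```

The point to notice is in `move`: nothing in the rule set mentions `10.0.2.21` or `10.0.9.21`, so the web-to-app flow keeps working at the new address while the stale address drops back to default deny. An address-based firewall would need a rule edit for the same event, which is exactly the silo-by-silo reactivity the paragraph above describes.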

Escaping the trust domain trap

Clearly, there is enormous and liberating power in being able to move towards software-based solutions to our problems – but how do we do that, without being forced to operate in the same trust domain as an attacker? This is the question that has necessitated us rethinking what effective enterprise security looks like, and why network virtualisation offers a new pathway forward.

In the third post of this blog series, we’ll examine the role that encryption plays in protecting data flow, and how quickly it can become problematic to manage once it is extended beyond its typical boundaries.

Tags: Cybersecurity, Network Security, Security, Virtualisation
