Using Micro-segmentation to Secure Network Traffic Within the Data Center
Evolution of the Data Center: From Physical to Virtual
The traditional data center was built on physical hardware and run by manual operations. Today, data center operations are often entirely software-defined, allowing enterprises to virtualize compute, storage, and networking. The modern data center is about consolidation: lower cost, higher efficiency, and better visibility into the security and management of data.
This transition has happened quickly, and not without security ramifications. According to VMware, several shifts within the data center are driving the need for a different way of securing network traffic:
- Increase in software-defined data centers
- Prevalence of multi-cloud IT strategies
- Mobile devices accessing corporate data centers
- Migration from physical to virtual workloads
- Frequent adoption of new architectural/deployment models, such as micro-services and containers
The capabilities that accompany the software-defined data center have generated a great deal of excitement, and security has sometimes been overlooked in the process. VMware further notes that new applications can now be deployed faster than traditional networking and security controls can be reconfigured to protect them.
When the Physical Firewall is Not Enough
Virtualization has brought a lot of value to the data center, but it has also changed the way resources are consumed. Historically, servers were physically separated across racks and data center spaces, and traffic between them crossed a physical firewall. Today, a virtualized environment is built on shared resources: workloads on the same host exchange traffic over the hypervisor's virtual switch, so that east-west traffic never reaches a physical firewall or perimeter control unless it is deliberately hairpinned out to one.
The more organizations move toward cloud environments, the greater the need to increase security, protect shared resources, and isolate workloads from one another. The threat landscape of the data center has also evolved beyond the effects of virtualization. Insider threats are a longstanding problem, but they have recently become a front-line concern and a major challenge for security administrators. There needs to be a way to restrict access between workloads without preventing administrators from doing their jobs.
How Micro-Segmentation Secures Traffic and Controls Access in Shared Environments
Here is where micro-segmentation comes in. Micro-segmentation is a way to increase security within the data center by safeguarding traffic moving to and from every workload. It is the deployment of a stateful firewall at every virtual network interface, which enables security administrators to build a zero-trust protection scheme at scale: a connection between workloads is denied unless a policy explicitly permits it.
Micro-segmentation places a firewall where network traffic enters and leaves each virtual machine, directly in the path by which virtual machines communicate. Within data centers it ensures that communication between shared resources is authorized, which is critical now that different customers and workloads run in the same environment. With traditional methods, ensuring that the right workloads have the right access, and more importantly that unauthorized access between machines is blocked, is very difficult; micro-segmentation is fundamental to solving that problem.
Improving Data Center Security Via Isolation
The power of micro-segmentation lies in isolation: workloads are secured individually. A stateful firewall at each VM's network interface constrains VM-to-VM communication to what policy allows, so a compromised workload cannot freely move laterally to its neighbors. As a result, data center customers gain isolation despite using a shared environment, and strong security controls can be enforced without hairpinning traffic out to a central firewall appliance and back again.
- Stops attacks that the data center perimeter firewall never sees, such as lateral movement between workloads
- Removes the exposure of workloads that share a host or network segment with untrusted neighbors
- Achieves network security inside the data center, not only at its edge
- Provides a zero-trust networking model for server-to-server and user-to-server traffic
Micro-segmentation also lends itself to automation better than the physical security tools used previously. Because it operates at the software layer, security controls can be applied at software speed. And because these firewalls are managed through software, even though they are distributed throughout the environment they are administered from a single consolidated interface, based on shared policy and rule settings for the whole organization. The end result is a single point of control for an enterprise-wide set of distributed firewalls; that control plane holds the policy for every workload, so access to it should be restricted and audited with the same care as the perimeter firewall itself. Finally, when a VM is migrated from one host to another, its firewall configuration migrates with it, and when a VM is decommissioned, so are its specific firewall rules.
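To make the mechanics described above concrete, here is a small added example written for this page. It is not VMware NSX code, and the class names, tags, hosts and IP addresses are invented. It models one tag-based policy pushed to every vNIC, default-deny evaluation at both the source and destination interface, a per-vNIC state table that admits return traffic only for flows that were allowed outbound, and the fact that migrating or decommissioning a workload requires no rule changes on a central device.

```python
"""
Toy model of a distributed, per-vNIC stateful firewall driven by one
tag-based policy. Constructed illustration for this article; it is not
VMware NSX code and every name, tag and address below is hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Rule:
    name: str
    src_tags: FrozenSet[str]    # source workload must carry all of these tags
    dst_tags: FrozenSet[str]    # destination workload must carry all of these
    dst_port: Optional[int]     # None means any port
    action: str                 # "allow" or "deny"


@dataclass
class Workload:
    name: str
    ip: str
    tags: Set[str]
    host: str                                          # hypervisor running it
    policy: List[Rule] = field(default_factory=list)   # rules pushed to this vNIC
    conntrack: Set[Flow] = field(default_factory=set)  # state table of this vNIC


class DistributedFirewall:
    """One organisation-wide policy, enforced independently at every vNIC."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.workloads: Dict[str, Workload] = {}

    def register(self, wl: Workload) -> None:
        wl.policy = self.rules            # same rule set pushed to each vNIC
        self.workloads[wl.name] = wl

    def migrate(self, name: str, new_host: str) -> None:
        # Policy is keyed on tags, not hosts or IPs: moving the VM changes
        # nothing about what its vNIC enforces, and its state table moves too.
        self.workloads[name].host = new_host

    def decommission(self, name: str) -> None:
        # Removing the workload removes its enforcement point and its state;
        # no stale per-VM rule is left behind on a central appliance.
        self.workloads.pop(name)

    @staticmethod
    def _verdict(policy: List[Rule], src: Workload, dst: Workload, dst_port: int) -> str:
        for r in policy:                  # first match wins; no match = deny
            if (r.src_tags <= src.tags and r.dst_tags <= dst.tags
                    and (r.dst_port is None or r.dst_port == dst_port)):
                return r.action
        return "deny"

    def new_connection(self, src_name: str, dst_name: str,
                       dst_port: int, src_port: int = 40000) -> bool:
        """First packet of a flow: checked at the source vNIC (egress) and the
        destination vNIC (ingress). Traffic never hairpins to a central box."""
        src, dst = self.workloads[src_name], self.workloads[dst_name]
        for vnic in (src, dst):
            if self._verdict(vnic.policy, src, dst, dst_port) != "allow":
                return False
        flow: Flow = (src.ip, src_port, dst.ip, dst_port)
        src.conntrack.add(flow)
        dst.conntrack.add(flow)
        return True

    def reply(self, from_name: str, to_name: str, from_port: int, to_port: int) -> bool:
        """Return traffic passes only if the forward flow is in both state
        tables; it never needs (and never gets) an allow rule of its own."""
        frm, to = self.workloads[from_name], self.workloads[to_name]
        forward: Flow = (to.ip, to_port, frm.ip, from_port)
        return forward in frm.conntrack and forward in to.conntrack


def demo() -> Dict[str, bool]:
    """Constructed scenario: two apps sharing one host, one load balancer."""
    policy = [
        Rule("web-to-db", frozenset({"tier:web", "app:shop"}),
             frozenset({"tier:db", "app:shop"}), 5432, "allow"),
        Rule("lb-to-web", frozenset({"role:lb"}), frozenset({"tier:web"}), 443, "allow"),
    ]
    fw = DistributedFirewall(policy)
    for wl in (
        Workload("shop-web", "10.0.1.10", {"tier:web", "app:shop"}, "host-1"),
        Workload("shop-db", "10.0.2.10", {"tier:db", "app:shop"}, "host-1"),
        Workload("crm-web", "10.0.1.20", {"tier:web", "app:crm"}, "host-1"),
        Workload("lb", "10.0.0.5", {"role:lb"}, "host-2"),
    ):
        fw.register(wl)

    out = {}
    out["web_to_db"] = fw.new_connection("shop-web", "shop-db", 5432)          # allowed
    out["db_reply"] = fw.reply("shop-db", "shop-web", 5432, 40000)            # stateful return
    out["unsolicited_reply"] = fw.reply("shop-db", "shop-web", 5432, 40001)   # no such flow
    out["db_to_web_ssh"] = fw.new_connection("shop-db", "shop-web", 22)       # lateral move
    out["crm_to_shop_db"] = fw.new_connection("crm-web", "shop-db", 5432)     # same host, other tenant
    fw.migrate("shop-web", "host-2")
    out["after_migration"] = fw.new_connection("shop-web", "shop-db", 5432, 40002)
    fw.decommission("crm-web")
    out["crm_removed"] = "crm-web" not in fw.workloads
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>18}: {'allowed' if v else 'denied'}")
```

The two checks worth noticing are the last ones: the migration needs no rule edit because policy matches on tags rather than on host or address, and the reply from the database is only admitted because the web tier opened that exact flow first; the same packet with a different port is dropped.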
August Schell is committed to keeping pace with emerging technologies within the software-defined space. If your organization is interested in finding out more about how micro-segmentation can enhance the security of your data center, reach out to an August Schell specialist, or call us at (301)-838-9470.