By John Harpell on October 07, 2015 06:11
I was shocked to see a recent study by the Center for Strategic and International Studies that stated damages due to hacking are greater than $300 billion each year. Threats to enterprise information security have escalated to entirely new levels, and those responsible for IT security need to elevate their game to avoid becoming the next headline story. The good news is that there are revolutionary technologies available to protect your organization and mitigate potential damage.
Traditional IT security depends on strong perimeter defenses. The uncontested consensus in the IT security world is that data centers have hard, crunchy shells and soft, chewy centers. In other words, once through the often formidable perimeter security, hackers can all but lounge around, compromising systems and stealing information at will. Generally, once a hacker penetrates the perimeter and compromises one server, they execute a pivot attack – they use the compromised server as a base from which to attack other servers inside the data center. This is possible because inside the data center, where your most important information resides, internal security controls are the exception rather than the norm.
Micro-segmentation essentially compartmentalizes all IT workloads into virtual fortresses so that, even if hackers penetrate your perimeter security, they cannot access your information resources. Once inside your data center, the hackers are left in a virtual no-man’s land, with no damage done and no weak points to attack. If a security issue is detected, affected systems can be automatically disconnected from the network and sandboxed for review! This is truly revolutionary technology. Micro-segmentation via network virtualization achieves a level of security that was simply impossible until now.
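A simplified model of the distributed policy described above, as an added example that is not the post's code or any vendor's API: every workload carries its own enforcement point with default-deny rules for east-west traffic, and a quarantine action cuts a workload off entirely. The three-tier application, group names and ports are constructed for illustration.

```python
from collections import namedtuple

# A workload with its security groups; a first-match firewall rule (src_group "any" matches all).
Workload = namedtuple("Workload", "name groups")
Rule = namedtuple("Rule", "src_group dst_group port allow")

class DistributedFirewall:
    """Policy evaluated at every workload, so server-to-server (east-west) traffic is filtered too."""

    def __init__(self, rules):
        self.rules = list(rules)   # first matching rule wins
        self.quarantined = set()   # workloads cut off from everything pending review

    def quarantine(self, workload):
        self.quarantined.add(workload.name)

    def allows(self, src, dst, port):
        if src.name in self.quarantined or dst.name in self.quarantined:
            return False
        for r in self.rules:
            if (r.src_group in ("any", *src.groups)
                    and r.dst_group in dst.groups and r.port == port):
                return r.allow
        return False  # default deny: a flow with no explicit rule never crosses a segment

# Constructed three-tier application; only the flows the application needs are permitted.
WEB = Workload("web-01", frozenset({"web"}))
APP = Workload("app-01", frozenset({"app"}))
DB = Workload("db-01", frozenset({"db"}))

def build_policy():
    return DistributedFirewall([
        Rule("any", "web", 443, True),   # perimeter: clients reach the web tier over HTTPS
        Rule("web", "app", 8080, True),  # web tier calls the application tier
        Rule("app", "db", 3306, True),   # application tier reaches the database
    ])

def pivot_scenario():
    """Which flows succeed before and after a compromised web server is quarantined."""
    policy = build_policy()
    results = {
        "web->app:8080": policy.allows(WEB, APP, 8080),  # legitimate, allowed
        "web->db:3306": policy.allows(WEB, DB, 3306),    # pivot attempt: no rule, denied
        "web->app:22": policy.allows(WEB, APP, 22),      # pivot attempt over SSH: denied
        "app->db:3306": policy.allows(APP, DB, 3306),    # legitimate, allowed
    }
    policy.quarantine(WEB)  # detection fired: isolate the web server for review
    results["web->app:8080 after quarantine"] = policy.allows(WEB, APP, 8080)
    results["app->db:3306 after quarantine"] = policy.allows(APP, DB, 3306)
    return results
```

The compromised web server can still reach only the one port the policy grants it, and once quarantined it reaches nothing, while the rest of the application keeps running.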
In order to micro-segment a data center without network virtualization, you must buy a physical firewall to place in front of every server in your data center, which will more than double your data center hardware costs. You will also need to double your operations budget to deal with trying to manage all of those firewall rulesets. Make sure you plan for recurring outages due to the complexity introduced by all these devices. The cost and complexity far outweigh the risk for most organizations, so this model has been a non-starter. Even if you decided to break the bank and micro-segment your data center physically, you could not achieve the automation and operational control inherent to network virtualization. Period.
In a software-defined data center with virtual networking, perimeter security controls are still necessary; however, controls internal to the data center network are now possible and practical. Network virtualization has opened the door to a new operational model for the security team on the physical infrastructure you already have. No new networking hardware is required. There is no longer an excuse for an organization to allow hackers free rein once they have penetrated the data center perimeter defenses.
With the advent of network virtualization, micro-segmentation and information security becomes a question of, “Why not?”