Professional Documents
Culture Documents
Centric
SECURITY
Content
The State of Data Center Security 3
Conclusion 15
, , ,
Figure 1
Source https://www.breachlevelindex.com/. Every month the number of security breaches increases. Cyber criminals are targeting high value data
with sophisticated attacks designed to bypass perimeter-based controls. Once inside the corporate network, attackers can be free to move from
one system to another, in search of sensitive or personally identifiable information. These breaches can go unnoticed for weeks or even months.
The State of
The state of security today can be Amidst all this rapid change, the
summed up in one word: more. More approaches to security are struggling
security breaches. More sophisticated to keep up. Organizations continue to
3
“ Data is a pervasive asset that crosses traditional boundaries on-premises
and into cloud services. Every business needs a data-centric security strategy
to prioritize datasets for mitigation of growing business risks caused by data
protection and privacy laws, hacking, fraud, and ransomware.”
– Gartner – Hype Cycle for Data Security, 2018
4
CHALLENGE:
Organizations Face
Growing Cyber Security Risk
PRIVATE OR HYBRID CLOUD CHALLENGES 0% Criminals know that large enterprise data
What are the biggest challenges your
organization has encountered in centers contain valuable information. This
Security 45%
utilizing private/hybrid cloud? has given rise to more frequent and highly
Performance 29%
targeted attacks on that valuable data.
Lack of staff expertise 25%
When perimeter or even smaller zone-
Managing multiple cloud services/platforms 24%
Compliance 23%
based security is used, an attacker only
Operational complexity 23% needs to defeat a few “walls of security”
Managing costs 20% before they are freely able to move and
Lack of standards 16% search for additional targets. Simply put,
integrating new hardware and software 14% the perimeter-based approach to security
VM sprawl 12% is outdated and can’t prevent lateral move-
Governance 11% ment of a cyber-attack. Not only does
Vendor lock-in 5% perimeter security fail to stop advanced
Decreased application visibility 1% threats that spread from one system to
25% another, but it can’t easily adapt to protect
today’s dynamic IT environments. Orga-
nizations need a way to protect applica-
tions and prevent the propagation of
network threats while ensuring the ability
to deploy, migrate, and manage applica-
tions at the speed businesses demand.
45%
50%
5
SOLUTION:
Microsegmentation
Reduces Risk Making microsegmentation application-
centric further streamlines security opera-
tions by enabling the ability to define
high-level policies without needing details
about the underlying infrastructure or
network identifiers. Policy focuses on
application tiers or groups and what
types of communication are allowed.
This is an important distinction as it
separates the policy and groups from
more dynamic network identifiers like IP
addresses. This significantly reduces the
complexity typically involved in policy
management. The responsibility for under-
standing the infrastructure or network
Microsegmentation, sometimes called connectivity is removed from the human
east-west firewalling, is the concept of policy writers and left to the virtualiza-
creating granular network policies between tion platform, which always knows the
“ The increasingly dynamic applications and services. Implementation information needed to automatically
nature of data center work- of microsegmentation is a key part of a update the policy accordingly.
loads makes traditional defense-in-depth strategy against modern
segmentation strategies data center threats by providing the next Ideally, policy writers should incorporate
complex, if not impossible, layer of defense beyond traditional peri- application-level security policy without
to apply. Further, the shift meter firewalls. Microsegmentation essen- any changes to the existing network con-
to microservices architec- tially reduces the security perimeter to figuration, keeping things simple and
tures for applications has a fence around each service or virtual allowing admins and architects to focus
also increased the amount machine. The fence can permit only on the business or application require-
of east-west traffic and necessary communication between appli- ments, not the network infrastructure.
further complicated the cation tiers or other logical boundaries, Eliminating the reliance or impact on the
ability of traditional fixed thus making it very difficult for cyber existing physical network also eliminates
firewalls to provide this threats to spread laterally from one the need to change or rearchitect the
segmentation.” system to another. Therefore, compro- physical design. As a result, the time
– Gartner – Hype Cycle for
mising one tiny perimeter doesn’t auto- required to implement security policy
Threat-Facing Technologies, 2018 matically expose any other targets. dramatically shortens.
6
CHALLENGE:
7
SOLUTION:
“ Visibility is important to Take the mystery out of network policy Comprehensive visibility eliminates the
creating a strong security creation. Allow policy owners to visualize guesswork out of policy writing. Creating
posture. Investing in visibi- the discreet interactions between different policies for the allowed traffic becomes a
lity and discovery solutions entities inside the application, enabling simple, repeatable process. It ensures that
is an opportunity to reduce them to understand exactly how each the appropriate policies are applied and
cybersecurity risks. However, part of an application communicates with reduces errors that could impact applica-
more than half of all respon- the others. Anyone should be able to tion availability or security. The automatic
dents (55 percent) say their look at the visualization and understand discovery of communications between
organizations are not pur- what VMs and services are involved in VMs and visualization of application traffic
chasing such solutions. delivering an application and what physi- and relationships reduce the need for
Further, the lack of visibility cal infrastructure is used to run those application domain knowledge. Policy
into sensitive data, applica- servers. With this understanding, policy writers can create policies automatically
tions and platforms is why writers can be sure they’re implementing based on real-time visualization of com-
many companies are con- the best policies for those applications munications between applications and
cerned about the security and services. VMs without extensive application domain
of both public and private knowledge. Finally, visibility facilitates
clouds.” troubleshooting and incident response
– Ponemon, Separating the Truths as IT organizations can see the root cause
from the Myths in Cybersecurity, 2018 of performance and availability issues.
8
CHALLENGE:
IT organizations must contend with an compliance efforts can seem to be in writers should have the ability to do just
ever-growing list of regulatory compli- opposition to business goals or the that—and no more. A common practice
ance and standards, including the Health desire to reduce spending and increase to address the need for this type of seg-
Insurance Portability and Accountability efficiency and profits. mentation is to create dedicated islands
Act (HIPAA), the Sarbanes-Oxley Act of infrastructure for specific areas of
(SOX), the European Union’s General Policy writers are challenged to imple- compliance. This segmentation can
Data Protection Regulation (GDPR), ment controls where compliance require- reduce the scope of security controls,
and the Payment Card Industry Data ments dictate in the least complex and but it does not help contain costs or
Security Standard (PCI-DSS). Failure to most efficient manner. Combined with reduce management overhead. Modern
comply with the necessary standards the complexity of many modern applica- on-premises infrastructure can be archi-
and regulatory compliance requirements tions, this can become a tough problem tected to achieve similar economies
can result in steep fines, legal actions, to solve. For example, if a standard dic- of scale to public cloud offerings; the
or business interruptions from govern- tates implementing controls for produc- introduction of physical segmentation
ment audits. To further complicate tion systems that contain customer removes those benefits.
matters, the expense of mandated data but do not need to be applied to
security practices from regulatory test/development servers, then policy
9
SOLUTION:
Simplify Compliance
The key here is to move from physical
or infrastructure-based controls to using
application or VM level polices based
on software controls.
IT Services 35%
10
CHALLENGE:
“ Organizations can’t handle in- IT has moved from the back office to structure, applications, networking, and
creased complexity with manual being key to many companies’ competi- security. In many cases networking and
processes. The nature of tech- tive strategies. Businesses need to move security have been left out of the auto-
nology, particularly software- fast to be competitive. That means IT mation effort and must fall back to slow,
enabled technology, means must move faster. The dynamic nature of manual tasks. Manual intervention to make
that increased scalability and today’s applications further complicates changes to security policy or configura-
flexibility naturally lead to matters. Modern applications need to tion of physical devices brings an other-
greater complexity. It becomes scale up or down based on business wise automated application deployment
exceedingly easy to spin up needs and potentially burst out into (provision VMs, attach storage, deploy
system instances in the cloud, public cloud infrastructures should application software, connect networking,
for example, when you can demand exceed local capacity. Cloud etc.) to a crawl.
do so through a few API calls computing and virtualization have
versus racking and stacking helped to some extent by enabling the The manual process of configuring net-
physical hardware. While tech- automation of many common tasks. work switch ports or applying static
nology scales, though, the security policies creates a bottleneck
ability to manage it through Application owners can provision new every time there’s a change in the environ-
manual processes doesn’t.” VMs and services at the click of a but- ment and has a higher potential for error.
– Forrester, Reduce Risk And ton. But while automation streamlines IT can’t afford to have networking and
Improve Security Through operations both on-premises and in the security be a bottleneck. They too must
Infrastructure Automation
cloud, it must extend across all disci- be automated and become a checkbox
plines of data center operations: infra- as opposed to a roadblock.
11
SOLUTION:
Automate Networking
and Security Operations
12
CHALLENGE:
Datacenter Complexity
Leads to Policy Complexity
WHAT’S DRIVING IT INFRASTRUCTURE CHANGE basic functional or departmental seg-
What three factors are driving the most change in your organization’s IT infrastructure environment?
mentation made up an easily defined
55%
Growth of storage/data set of perimeters that could be protected
by physical network devices. This method
33% Need to integrate with cloud service of implementing physical security devices
30% Need for easier systems management to create protective fences around large
groups of IT assets is no longer effective
28% Need to support new business initiatives
or practical in this environment. It would
22% Increased uptime/reliability dictate the use of many more devices
20% Need for improved resource allocation
with complex configurations. Although
it may be possible to achieve, it would
20% Faster deployment of new service and applications
be financially untenable.
17% Desire to consolidate infrastructure
13% Managing traditional network policies
Improved application performance
is an extremely complex task because
12% Availability of new technologies the large number of rules significantly
0 10 20 30 40 50 60
increases the possibility of misconfigu-
ration. Additionally, due to rules being
Note: Maximum of three responses allowed.
Data: Interop ITX Survey of 200 cloud computing users who use or plan to use IaaS, December 2017 written at the network address layer, the
policies can quickly become incompre-
hensible.
The simple data center and application increase the complexity, including
design that could be documented with virtualization, containers, cloud com- As the momentum toward hybrid and
a few diagrams and a spreadsheet dis- puting, etc. All this complexity impacts multi-cloud operations continues, this
solved long ago. Data centers are now efficiency, costs, service availability problem of complexity compounds.
becoming more complex as the number and reliability, and of course, security. Admins are burdened with wrangling
of contributing factors increases. Com- policies across the public cloud, hosted
plexity is driven both by business trends, The scope of IT was traditionally de- private cloud, on-premises data center,
such as mobile computing and big data fined by assets sitting in a data center. etc., all highly prone to mistakes that
analytics, as well as IT trends that further Those physical walls along with some lead to network vulnerabilities.
13
SOLUTION:
Leverage Virtualization
and Categorization to
Reduce Policy Complexity
COMPLEXITY OF BUSINESS
AND IT OPERATIONS IS A
SIGNIFICANT SECURITY RISK
Policy needs to be simple. Policy is made This app-centric method provides a simple
83%
claim too much complexity
complex by the need to enumerate the
network identifiers of application com-
ponents. Ideally, being able to abstract
and intuitive policy model ideal for virtua-
lization teams and application owners.
Networking complexities are removed
those components will greatly simplify the from the policy language, reducing the
policy language. This abstraction turns the need for application domain knowledge.
policy from network centric to application Instead, policies are mapped via applica-
78%
centric to focus not on the dynamic net- tion type, isolation zone, or other cate-
work, but on the more static definition gories that become the building blocks
site rapid growth of data assets of what an application needs to function. of security policies. Once policies are
Consider all the IP addresses and infra- defined, application and enforcement
structure details that would no longer can be managed by tagging VMs or
clutter policy definition. Policies become services to be included. The simple
76%
integration of 3rd parties
legible with less need for updates due to
network or location changes. Virtualization
allows much of this network information
process of adding or removing the tags
to include or exclude a VM from policy
greatly simplifies application and daily
into internal networks
and applications to be populated dynamically, streamlining IT administrative tasks.
network policy to only require details for
permitted or allowed communication
Ponemon Institute, The Need for a New IT
between application components or
Security Architecture: Global Study, 2017 external entities.
14
Conclusion
In many ways, the modern data center has The solution has been known for some time now: microsegmentation.
outgrown the traditional perimeter fire- Microsegmentation moves security from the perimeter to VM or application
wall, thus increasing the risk of a security granular controls that limit DC communication to what is minimally required
breach. Security controls must evolve for applications to operate. In a microsegmented environment, malware spread
to work within today’s IT environment— is greatly reduced if not completely blocked.
an environment that’s characterized by
rapid growth, change, and complexity. What has prevented widespread use of micro segmentation has been the com-
Organizations need security controls plexity and cost of implementation. Modern applications are complex; they span
that provide granular protection behind multiple servers, leveraging microservices and even cloud-based shared services.
traditional perimeter security to prevent The overhead of understanding, enumerating, and maintaining policy for 1000s of
the spread of threats and protect IT end points proved too complex for most to entertain. With modern virtualization
assets wherever they go. and the level of context and visibility available now makes successful implemen-
tation of a microsegmentation strategy possible.
With the huge increase in high value
data stored in enterprise data centers, App-centric security from Nutanix Flow is the answer.
security attacks have become more • Increase Application Security via Microsegmentation
sophisticated. Recent breaches covered • Isolate Environments without physical network complexity
in the media show how small vulnerabilities • Ensure Regulatory Compliance
have been used as a point of entry, and • Easily integrate additional network functions from 3rd parties
then the sophisticated malware spreads
throughout the datacenter. Part of this Nutanix Flow simplifies network and policy management with a focus towards
situation can be blamed on a legacy applications, enabling applications and environments to be governed independent
perimeter-based design. In the legacy of the physical infrastructure. Fully integrated into the Nutanix platform, Flow
design, segmentation is done at a macro delivers powerful networking and microsegmentation functionality with an intui-
scale that typically ends at the datacenter, tive policy creation and management interface that allows IT teams to easily visua-
which means that once those defenses lize and secure the most complex enterprise applications. To learn more about
are defeated, the malware is free to Nutanix Flow or view a live, personalized demo with a solution consultant, visit
spread. https://www.nutanix.com/products/flow/.
15
About Nutanix
Nutanix is a global leader in cloud software and hyperconverged infrastructure solutions, making infrastructure invisible so that
IT can focus on the applications and services that power their business. Companies around the world use Nutanix Enterprise
Cloud OS software to bring one-click application management and mobility across public, private and distributed edge clouds
so they can run any application at any scale with a dramatically lower total cost of ownership. The result is organizations that
can rapidly deliver a high-performance IT environment on demand, giving application owners a true cloud-like experience.
© 2018 Nutanix, Inc. All rights reserved. Nutanix, the Nutanix logo and all product and service names mentioned herein
are registered trademarks or trademarks of Nutanix, Inc., in the United States and other countries. All other brand names
mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s).