Data centers are increasingly moving to hyper-converged infrastructure to reduce costs and streamline maintenance. According to IDC, the HCI market grew 68 percent year over year: from $597 million in the third quarter of 2016 to $1 billion in the third quarter of last year.
One of the benefits of HCI compared to, say, public cloud infrastructure, is that data center admins have more control over security and compliance in their environment.
But there are also security disadvantages of moving to hyper-converged infrastructure, experts warn.
"As is often the case when we move rapidly towards new IT setups, security is an afterthought," said Gabriel Gumbs, VP of product strategy at the cybersecurity company STEALTHbits Technologies. “Existing security tools were not designed with HCI in mind."
As a result, there are gaps.
To start with, any transition is an opportunity for people to make mistakes.
"Security policy misconfigurations will be an easy target for attackers," said Gumbs.
In addition, with hyper-converged infrastructure, access and administration move up the technology stack. Security controls will have to make the move as well.
For example, data centers with hyper-converged environments need to be able to monitor file activity, Gumbs said.
"Understanding how data is being used in these converged environments is more important than it has ever been," he said.
Existing security tools may not be able to detect or prevent malicious activity in the new environments, agreed Garth Whitacre, field solutions manager, security and risk management at SHI International, a New Jersey-based technology provider.
"Even more fundamentally, the dynamic nature of these environments means that the infrastructure itself is often ephemeral in nature, making forensics of activity and even sensitive information difficult," he added.
Meanwhile, hyper-converged infrastructure vendors are focused on other areas, such as ease of deployment and automation.
"As with any shift or change in the IT data center environment, security tools will generally be a step or two behind," he said.
In particular, security tools will also need to become more flexible, programmable, and easily automated, said Ketan Shah, VP of products at Fortanix, an encryption solutions startup.
"Traditional security tools are typically designed for single threat vectors – either network, or compute, or storage," he said.
That’s not particularly efficient and can negate some of the benefits of moving to HCI.
"The solution must be flexible to adapt to changes and growth that HCI enables," Shah said.
The standardization of infrastructure that comes with HCI also leaves enterprises more vulnerable to zero-day and lateral attacks, he said.
"With HCI, a single root compromise could impact all systems, and sometimes we see these compromises go unnoticed until several months after the breach," said Asher de Metz, security consulting senior manager at Sungard Availability Services.
To make sure that a move to HCI doesn't leave security behind, de Metz recommends that companies keep an eye on their overall objectives and align security strategy and tools to support that.
"Companies that rely on tools for security without fully baking an overarching strategy for securing their HCI run the risk of being hacked," he said.
"The tools are not the important factor when trying to apply an effective security posture," said Scott MacKenzie, CEO at Cloud Carib, a data center operator and managed services provider based in the Bahamas. "The critical factor is policy development and management controls relating to the required policy monitoring and compliance."
Then, when choosing an HCI technology, security teams should be involved early on to help identify risks and possible gaps, said SHI's Whitacre.