Tim Liu is Chief Technology Officer for Hillstone Networks.
To ensure security, traditional networks are usually divided into “security zones,” where groups of assets such as servers or desktops are put on different network subnets or segments. Security policies and inspections are then performed over the traffic between these security zones. The security zones can be set up as needed for departmental boundaries (e.g. R&D, finance), functions (e.g. web servers vs. databases), or for security requirements (e.g. DMZ). This physical segmentation creates regions where breaching in a specific security zone will not quickly spread elsewhere and has been the basis of security enforcement before today’s cloud age.
As we already know, virtualization blurs the physical boundaries between applications and workloads. These boundaries are becoming virtual as well. And since the virtual machines in the clouds are dynamic, these boundaries are also dynamic and can change as new VMs are created, moved or terminated. For a long time now, companies have been looking for a technology that can provide the same level of granularity for security control in the cloud, to be able to control effectively the east-west traffic in today’s virtualized data centers.
Microsegmentation is now that technology. It uses software technology to create and maintain security boundaries between virtual machines. The virtual machines can reside on the same or different servers, or can be grouped as needed into logical segments, each isolated from each other. Access control can be applied and security inspections can be performed between these segments.
Together with network virtualization, microsegmentation offers businesses an easy migration from their physical network into the cloud, by maintaining the same logical network and security functions. In addition, microsegmentation brings about a new level of manageability into data center, allows for increasing visibility into the east-west traffic and interaction between VMs.
Microsegmentation, however, is not a panacea for security problems in the cloud. For example, it does not address the security of virtualization platforms or cloud orchestration. But it does offer a very important step forward for security in the data center.
There are several ways different solutions implement microsegmentation. Some are offered on top of Software Defined Storage (SDN) solutions, others are implemented in the endpoint VMs through workload agents. Businesses – when choosing such a solution – need to take a look at the requirements of a virtualized data center, and that any microsegmentation technology they choose, need to be able to deliver on several fronts:
- The nicrosegmentation technology needs to offer the same level of elasticity that the data center provides, handling both the change in the size of the physical infrastructure, as well as the change of workloads that run on the infrastructure. It needs to support the dynamic nature of the virtualized workload, and provide security for a VM throughout its life cycle. It also needs to offer required performance and latency for demanding applications.
- The microsegmentation solution needs to work with a diverse set of hardware and software environments. There is an advantage to using a microsegmentation technology that is decoupled from the virtualization technology, in that the solution it provides can be independent of, and in addition to, any security features that the virtualization layer supports.
- In order to provide on-demand security in the virtualized environment, it is imperative for the microsegmentation solution to support changes to security functionalities without changing the infrastructure. The traffic between a source and destination can be subject to different security functions through service chaining, as dictated by security policies. Services can be added and removed from the chain without reconfiguration of workloads and VMs that contains them.
- The microsegmentation solution needs to integrate well with cloud orchestration and avoid intrusive changes to the cloud infrastructure. The solution should strive for zero disruption to existing applications during initial installation and subsequent updates.
In summary, microsegmentation offers a powerful way to add security control to east-west traffic inside virtualized data centers. Its segmentations of virtualized infrastructure offers a familiar architecture where traditional security practices can be applied. The technology will facilitate cloud acceptance and help transition of more legacy IT onto the cloud.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.