Virtualization and cloud have both really taken off, with both seeing wide-ranging adoption across enterprises and other organizations, including the public sector. That said, the introduction of the hypervisor into the data center has brought with it considerable change and the need to adapt basic security and operational approaches to this new reality. As you roll out that shiny new SDDC, here are some things to keep in mind.
- All Your Eggs in One Basket
In the past you would have risk evenly distributed. Every app had its own server, some more than one, there were file servers, application servers, web servers, and the list goes on, each living on its own piece of iron, taking up space, using power, and dissipating heat. Now much of that infrastructure is virtualized and the hyper administrator has, by default, the keys to the kingdom, which means that if that person makes a clerical error, or alternatively becomes disgruntled and decides to vandalize your data center, you could have a real problem.
- NSX Brings the Silos Down
Similarly, VMware’s NSX is virtualizing the network in the same way vSphere virtualized servers. This is great news and brings significant savings, flexibility, and agility that virtualization brought to the server over to the network. The not-so-good news, however, reminds me of the old Reese’s Peanut Butter Cup ads, for example, where a happily oblivious person eating chocolate collides with another happily oblivious person eating peanut butter, resulting in cross contamination of the two foods which turns out to be a synergistic win rather than a vexing destruction. The challenge with NSX is to keep the network team separate from the servers, and to keep the server team distant from the network. Both groups typically know enough to be very dangerous when turned loose in the wrong place.
- Encryption – No Excuse Not To
When you look at the relative cost of encryption versus the very large costs associated with potential breaches, there is no excuse not to encrypt. In the past, performance was sometimes said to be a barrier to adoption, but with the near universal availability of CPU hardware extensions, such as AES-NI, performance is no longer impacted in any meaningful way. Additionally, encryption is a safety net for compliance, such as HIPAA. If you lose unencrypted patient records, you are looking at a big fine; if you lose encrypted patient records, the assumption is that the encryption is unbreakable so you are safe-harbored and need not worry about fines and penalties.
- Encryption – There’s More to It Than Just Encryption
Let’s face it, there are many ways to do encryption, some of which happen to be free. Operationally in a modern SDDC, you are going to have to put some consideration into how you manage your encryption keys. With certain compliance standards, like PCI-DSS requiring key rotation, you have to figure out how to swap those keys in and out. In an ideal world, you would deploy encryption with integrated key management, preferably the type that allows for easy key rotation with no down time.
- Data Sovereignty
With the coming of the SDDC – and with it vMotion and other types of workflows moving from one physical host to another – we have seen the decoupling of data from any one particular physical host or CPU. In many cases this is not a problem; in fact that is the whole idea of virtualization in the first place. Recently the fall of the US/EU Safe Harbor framework created chaos and uncertainty but it did make one thing clear: those running cloud or virtual DCs with data from other nations may want to investigate ways they can implement and enforce policies controlling the physical location of data in their networks. Solutions leveraging Intel’s TXT can help, effectively giving the SDDC operator the authority to tie, boot, and run a virtual machine to a hardware tag in a particular Xeon CPU. Want German data to stay in Germany? This is one way to ensure that it does.
While it is certain that the coming of cloud and virtualization have changed the cybersecurity landscape, they have also left many principles unchanged. For example, the human layer remains one of the most vulnerable. Too many users are all too willing to give up passwords or grant access. It’s true that human social engineering is not impacted by virtualization, nor is phishing, whaling, or other targeted attacks. Many best practices remain the same – patch your systems, use good passwords, and be particularly careful about user credentials on SaaS/PaaS/IaaS systems, especially with regards to shutting off access after a user leaves the organization.
Finding the right way to virtualize securely is tough but HyTrust can help you deal with these challenges. Support for 2FA, ensuring users are who they say they are, Two Factor Authorization, ensuring users are allowed to do what they claim, and a number of other tools are helping organizations grow their virtual networks, SDDCs, SDNs and more with security in mind. And while security really is best when baked into the design from the start, it is never too late to work on enhancing the security posture of any given network. For more information on how HyTrust can help you with any stage of virtualization or cloud security, download this whitepaper or any of these complimentary resources.