Microsegmentation, a method to create secure, virtual connections in software-defined data centers (SDDCs), has already emerged as one of the primary reasons to embrace network virtualization (NV). But some vendors believe that East-West encryption of traffic inside the data center could be the next stop in data-center security.
For example, VMware says it is looking at encrypting East-West traffic inside the data center, adding another layer of security to the SDDC. Why is that important? Today, most firewalls operate on the perimeter of the data center – either guarding or encrypting data leaving the data center for the WAN. And some security products may encrypt data at rest inside the data center. But encrypting the traffic in motion between servers inside the data center – known in the business as the East-West traffic – is not something that’s typically done.
East-West Encryption Eyed
Tom Corn, senior vice president of security products for VMware, says this distributed network encryption capability would in effect thwart hackers who managed to get past any of the traditional North-South defenses IT organizations typically have in place today. Instead of being able to move laterally across a data center environment once they bypassed a firewall, Corn says, hackers would be confronted with a multitude of encrypted data traveling across a microsegmented network, data they could see only with access to the encryption keys. Most security firewalls are application firewalls, so they only protect the app running on a specific set of VMs, not all the data moving east-west across the data center, says Corn.
East-West traffic refers to activity between servers or networks inside a data center, rather than the data and applications that traverse networks to the outside world. It’s had a major effect on how IT and networking equipment is designed because now it can comprise as much as 70% of all data center traffic, according to some studies. It’s a security issue because many security tools, including virtual private networks (VPNs) and firewalls, address traffic on the “perimeter,” that is, as it leaves or enters an enterprise network or data center, rather than looking at what’s happening inside, in communications between servers or VMs. This is the next frontier for security.
“We think NV creates an opportunity to do IT security a lot better,” says Corn. He adds that the IT security potential afforded by NV doesn’t stop there. Because the virtual switch on which NV is based can see up into the guest operating systems, it’s possible to compare the current state of a runtime environment on that guest operating system with the actual state originally defined by the IT department. Any anomalies between the two states would signal that the runtime environment had been compromised, says Corn.
Securing the East-West Route
In general, IT organizations report that microsegmentation of East-West network traffic enabled by NV is already paying security dividends. That means that adding East-West encryption could provide further benefits.
For example, as part of a general effort to reduce risks, West Bend Mutual Insurance is already employing microsegmentation using an NV overlay based on NSX software from VMware. Brandon Hahn, a solution architect for West Bend, says providing each application with its own firewall not only winds up being more secure, it’s also a lot less expensive to operate.
“The NSX business case wound up being a factor of ten less expensive than physical network security,” says Hahn.
In a similar vein, Brian Irwin, technical program manager for Washington Federal, reports that as part of a project to replace a mainframe the bank found that virtual network security is about 60 percent less expensive to implement.
“It’s also a whole lot easier to interact with,” says Irwin.
While adoption of NV is still in its infancy, organizations that have employed it are finding that the IT security posture of their organization is getting transformed. Naturally, many of them will still need to rely on physical security to provide a defense-in-depth architecture. But deploying application firewalls on top of an NV overlay means that any time a hacker gets around those perimeter defenses it’s not necessarily a catastrophic event. Once inside the data center, that attacker is going to encounter all kinds of additional firewall and encryption technologies that will make compromising the IT environment extremely challenging.
Obviously, there’s never going to be any such thing as absolute security. But the one thing that is for certain is that IT organizations can make it a whole lot harder to compromise their security by employing NV overlays to shield their most strategic corporate assets inside the data center starting today.