There is growing evidence that the data center is driving toward a more software-centric security model that will be core to network functions virtualization (NFV) and software-defined networking (SDN) technology. This new model means that security performance in NFV will be key.
The cloud has shifted the focus of IT to the data center, where a zero-trust, stateful security model can provide enhanced security for east-west traffic within the data center. How do we know this? The three largest cloud providers (Amazon, Google, Microsoft) now account for as much as 35% of all data center equipment purchases, according to Dell'Oro Group research. The threats are inside the cloud now, no longer outside. The largest cloud data centers are now focusing on intra-data center security rather than perimeter security.
If the bulk of the equipment is moving to the cloud, that means the security must be inside the cloud. This requires a focus on the so-called east-west traffic that is changing hands in the data center at the virtualization layer.
As UBS Analyst Brent Thill recently remarked in a research note, this is resulting in “appliance fatigue” as end-users look at software and virtualization-based security solutions rather than specific security hardware appliances.
This will have big implications for both hardware and software strategies for NFV and SDN. It means that NFV and SDN infrastructure will have security embedded inside of it, and it also means that the hardware platforms used to deliver these services have to be equipped for the increased processing load of virtualized security functions.
As our contributor Michael Vizard recently wrote about in “NV Gains Momentum for a Secure DMZ,” both NFV and SDN technologies are being used to build a secure “demilitarized zone” inside the data center. As the article details, now every virtual machine inside a data center has its own virtual firewall, in addition to the physical firewalls that defend the perimeter.
Think of this as some sort of security microcosm, where as we go from cellular to molecular level, there is the need to drive security deep into the data center, so that it becomes deeply embedded in a system that is analyzing the activity of every packet and application traversing the network.
The centralized nature of the SDN paradigm makes this a better security model in general. Rather than managing security policies on individual devices or proprietary hardware systems, a centralized SDN controller can analyze and supervise security across an entire data center.
Pursuing a zero-trust, stateful security model, in which all applications are monitored in real time, can provide enhanced security for east-west traffic within the data center, implemented closest to the VMs and containers. It provides the following advantages:
- Automated provisioning
- Easily move/add/change policy for workloads in VMs and containers
- Distributed enforcement at every virtual interface
- In-kernel, scale-out firewalling performance through distribution
- Works with every hypervisor and is baked into the platform
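To make the model above concrete, here is an added illustration (not code from the article) of a default-deny, stateful firewall bound to one virtual interface, with policy written against workload labels so the same rule set follows a workload when it migrates and changes IP. The workload names, addresses and ports are constructed sample data.

```python
from collections import namedtuple

# Constructed sample packet shape; real vNIC filters see the full 5-tuple.
Packet = namedtuple("Packet", "src_ip sport dst_ip dport")


class VifFirewall:
    """Default-deny, stateful firewall attached to a single VM's virtual interface.

    Rules reference workload labels rather than addresses, so a workload that is
    moved to another host (and gets a new IP) keeps the same policy unchanged.
    """

    def __init__(self, inventory, rules):
        self.inventory = inventory   # ip -> workload label, kept current by the controller
        self.rules = rules           # {(src_label, dst_label, dport)} allowed new connections
        self.flows = set()           # established (src_ip, sport, dst_ip, dport) tuples

    def permit(self, pkt):
        """Return True if the packet may pass this interface."""
        fwd = (pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport)
        rev = (pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return True              # continuation or reply of an established flow
        src = self.inventory.get(pkt.src_ip)
        dst = self.inventory.get(pkt.dst_ip)
        if (src, dst, pkt.dport) in self.rules:
            self.flows.add(fwd)      # new connection allowed by identity-based policy
            return True
        return False                 # zero trust: unlisted or unknown east-west traffic is dropped


def demo():
    """Walk through allowed, denied, reply and post-migration east-west traffic."""
    inventory = {"10.0.1.10": "web", "10.0.2.20": "db", "10.0.3.30": "batch"}
    rules = {("web", "db", 5432)}    # only the web tier may open connections to the database
    fw = VifFirewall(inventory, rules)
    results = {}
    results["web_to_db"] = fw.permit(Packet("10.0.1.10", 40001, "10.0.2.20", 5432))
    results["db_reply"] = fw.permit(Packet("10.0.2.20", 5432, "10.0.1.10", 40001))
    results["batch_to_db"] = fw.permit(Packet("10.0.3.30", 40002, "10.0.2.20", 5432))
    results["db_unsolicited"] = fw.permit(Packet("10.0.2.20", 5432, "10.0.1.10", 40999))
    # "web" migrates and receives a new address: the controller updates the inventory only.
    inventory.pop("10.0.1.10")
    inventory["10.0.9.10"] = "web"
    results["migrated_web_to_db"] = fw.permit(Packet("10.0.9.10", 40003, "10.0.2.20", 5432))
    return results
```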
Is there a downside? Of course. All of this activity requires real-time monitoring and examination of IP and network packet traffic. This can come with a heavy CPU price, requiring a specialized hardware approach.
How will the industry respond? As I have written before, there will be a heavy focus on the hardware performance of NFV platforms, especially as service providers moving toward the cloud model will need to consider this new security architecture. The top NFV hardware products will need to show the capability to handle the processing-intensive needs of security applications.
On the security front, this means fewer specialized security appliances and more subscription-based software products, with a heavy focus on their analytics capabilities and their ability to integrate with virtualization platforms.