In this interview with Ravi Varanasi, general manager of cloud security solutions at Intel Corporation, Varanasi discusses IT infrastructure best practices for designing and building software-defined data centers (SDDCs) that provide a foundation for virtualizing with confidence, incorporate the flexibility needed to respond to future business needs, and support the needs of partner organizations such as the security and the risk and compliance teams.
Varanasi highlights specific solutions from Intel and its business partner, HyTrust, that teams can use to expand their SDDC-based virtualization initiatives and get out in front of some of the risks inherent in managing private and hybrid cloud environments.
Varanasi: Yes. Enterprises are deploying new cloud architectures, including hybrid clouds, to support business growth and get more out of their data. Speeding up the ways virtualized services are delivered and consumed is the next step. All of this requires a significant amount of cross-functional planning and coordination to minimize risks.
IT Infrastructure leaders need strategies for building the virtual data center from the ground up while making sure that their investment gets maximum mileage. And that means flexibility. The virtualization stack – hardware, orchestration, and virtualization software – needs to have the inherent ability to flex in order to support the needs of a growing business, fluctuations in customer demand, and changing security and regulatory requirements.
Investing in SDDC by using the right hardware and cloud security orchestration solutions helps provide the control and visibility within hybrid cloud environments needed to improve security and compliance.
What considerations need to be given to new security and compliance technologies in a virtualized environment and the SDDC?
Varanasi: As I just mentioned, in planning for such demanding infrastructure requirements, infrastructure leaders need to deliver in the near term and simultaneously plan for the long term. They are often limited to annual planning cycles, which means that they don’t always have the ability to change course once the year is underway. This underscores the need for flexibility.
That said, considerations regarding ways to assess new security and compliance technologies to support the SDDC include:
- Understanding the costs of adding new services and technologies to the infrastructure, such as containers, and ensuring the flexibility to modify or swap out services,
- Investing in highly available, proven technologies with the ability to support longer-horizon plans and provide long-term benefits without complexity,
- Supporting the needs of critical business partners including operations, security, and risk and compliance – factoring in how the infrastructure team can minimize security gaps, put access controls in place, support audit requirements, protect PII – the list goes on.
What are some of the key features and characteristics of the new security and compliance architectures that can be built into a next generation SDDC?
Varanasi: Data is global, everyone has to adhere to regulations, and technology helps make that possible. Having the right compliance controls in place is critical when you build new architectures using new technology platforms to support all of this data. Key characteristics of modern security and compliance architectures include:
- Supporting the increasing demand for virtualized mission critical services while preventing costly mistakes due to administrator error,
- Enabling the virtualization stack to flex/adjust to changing international data policies,
- Maintaining compliance controls as you adopt new technology platforms within a hybrid cloud.
Is it possible to secure your SDDC for changing technology, business, and regulatory landscapes?
Varanasi: One way organizations can plan for the future is by implementing data sovereignty controls. Large, global organizations are often subject to data privacy laws and Safe Harbor policies that require them to protect and, in some cases, guarantee data sovereignty. Laws and policies governing data are frequently updated and modified. This is especially true regarding changes to long-established Safe Harbor policies for securing data originating in the EU. For companies implementing SDDCs, compliance with Safe Harbor can be complicated by the general portability of virtual machines and the need to safeguard them.
Companies like Intel and HyTrust can partner with IT infrastructure teams to help them choose technologies – software and hardware – that provide data sovereignty controls that both protect data by ensuring a virtual machine (VM) will only run in a specific geography and help the virtualization stack flex to changing international data policies.
In a virtualized SDDC environment, are there specific steps that IT infrastructure leaders can take to build in software and hardware data sovereignty controls?
Varanasi: Companies like HyTrust, which provide cloud security orchestration solutions, give organizations the flexibility they need to respond to changing data sovereignty requirements, allowing them to tightly define where VMs are allowed to run, including in specific geographies.
For example, HyTrust and Intel Cloud Integrity Technology using Trusted Execution Technology can be used to create tag-based policies that restrict VM usage to within a specified geographic boundary based on hardware root of trust.
What are steps you can take to build in flexibility in the SDDC to maintain critical controls while preventing configuration mistakes that can impact service delivery or cause compliance issues?
Varanasi: Expanding virtualization to cover a greater number of mission critical services across lines of business increases the number of cooks in the kitchen and the risk that a configuration error will result in service disruption or will run afoul of compliance requirements.
Putting best practices in place, like secondary authorization and role-based access controls, helps operations, security, and risk and compliance teams ensure that only authorized administrators interact with mission critical services, that the changes made don’t run afoul of compliance policies, and that everything is logged for auditing and troubleshooting.
Tell us about some of the moves customers have recently taken to build a more flexible security and compliance architecture for next generation security in the SDDC.
Varanasi: In a real-life example, one company, HyTrust, is working to partner with a large media company that is expanding virtualization beyond compute to networking. What was once a clear line of control between the security and networking teams in physical environments has the potential to become blurred in an SDDC because role-based access might not be baked in.
To implement and maintain clear lines of control between security and networking teams, companies can use the HyTrust Access Control for VMware NSX capability to ensure that once security pushes rules to the network operations center, operations can’t make changes, which keeps these rules from being accidentally or purposefully altered.