As networks make the transition to software, so must the security used to protect them, they must transition away from physical security to virtual security. Security is the leading virtualized network function that both enterprises and service providers are looking to incorporate into their environments.
Using a traditional security appliance to protect a virtualized data center or cloud environment is like trying to put a square peg in a round hole. Virtualized security solutions are better able to match the fluidity, scale, and cost-efficiencies of the virtualized network resources they are charged with protecting.
They keep things simple: Traffic doesn’t have to be rerouted from within the virtual infrastructure to an outside control point, nor does a complex web of VLANs need to be set up, managed, and maintained. Instead, virtualized security functions can be quickly implemented wherever they are needed – for example, as an application directly on a bare metal hypervisor or as a hosted service on a virtual machine (VM).
As a result, virtualized security is able to offer security advantages that traditional, perimeter-based, physical appliances simply can’t match. It is these advantages that are driving many of the security virtualization trends we are seeing in the market today.
Deploying Ubiquitous, Cost-Effective Security
Security is supposed to be ubiquitous, but most organizations can’t afford to deploy and manage an appliance everywhere. By deploying security in a virtualized environment, as software or as network functions virtualization(NFV), the operator can move quickly to deploy services (e.g., intrusion detection, antivirus) and controls (e.g., firewalling) anywhere in the network – all you need is to spin up a VM.
This gives organizations a valuable tool to help combat the increasing threats they face, without dramatically increasing their spending. Fifty-nine percent of IT pros say their companies aren’t investing enough in security. That’s why customers are pushing vendors to virtualize their security solutions. Daniel Kennedy, research director for information security at 451, has said that “security technologies designed to work in traditional IT stacks will undergo changes or fall by the wayside to vendors willing to adapt their capabilities.”
Micro-Segmentation – Control at the Workload Level
Bringing security into the heart of the network and enabling protection at the workload level is only possible with virtualized security solutions. Micro-segmentation enables organizations to apply controls within the virtual fabric itself, wrapping granular security policies around an individual workload (or group of workloads).
With the ability to embed controls throughout the network, micro-segmentation offers organizations a tool that can help identify and prevent threats moving laterally through the network – it can add east-west protection to the traditional north-south security model. Once detected, a threat can be contained and quarantined, within the micro-segment, to prevent propagation. This level of granular control and added security has become one of the biggest selling points for virtualized security solutions.
VMware saysNSX’s ability to distribute enforcement to every hypervisor has driven more than half of NSX’s sales – with customers, such as Fulton County Schools, crediting NSX’s micro-segmentation capabilities for improving the security of their environments through virtual security.
Other security and networking vendors are moving to the virtual front as well. For example, Cisco touts its micro-segmentation support for VMware VDS, Microsoft Hyper-V virtual switch, and bare-metal applications as one of the key capabilities that has helped drive more than 1,000 customers to adopt its Application Centric Infrastructure (ACI).
In addition, virtualized security solutions, such as vArmour, enable organizations to maintain security levels between and across data centers and multi-cloud environments. vArmour wraps controls around each workload, and they follow those workloads anywhere.
Virtual Security – Eliminating Blind Spots – Unprecedented Visibility
Being able to deploy controls on each workload (via inline micro-segmentation policies) enables the subsequent benefit of unparalleled visibility. Virtualization security tools can be used to close the loopholes inherent in managing private and hybrid cloud environments, providing visibility into heterogeneous deployments that traditional, perimeter-based security appliances lack.
For example, the HyTrust Cloud Control can be deployed on the management plane, as a transparent proxy, to monitor, log, and provide policy-based authorization of all administrative activity. This gives organizations, such as McKesson, visibility into administrator activity that was previously untraceable, enabling them to better manage access with granular, role-based controls that reduce risks and support compliance requirements.
Virtual Security – Providing Programmatic Policy Enforcement – Consistent Security
Software simplifies the programmability of network functions. With virtual security solutions, pre-approved security policies can be applied programmatically to support consistent security, regardless of where workloads are located. In a dynamic environment, where topologies change and workloads are constantly spun up, down, or moved, the security must remain constant.
This is particularly true for heavily regulated industries that require organizations to demonstrate consistent enforcement of security controls and policies. For example, Catbird offers a fully automated policy orchestration solution that customers, such as Jefferson Radiology, can use to deliver automated audit and policy enforcement to help them meet their regulatory requirements and prove ongoing compliance.
Virtualized security solutions can enable organizations to define policies, based on the inherent characteristics of a workload – which can include its type (Web, video, database, etc.), use (development, production, etc.), or sensitivity (personally identifiable information, medical records, financial statements, etc.). Thus appropriate controls can be automatically applied to any workload, anywhere, as soon as it connects.
What Does the Future Hold for Virtual Security?
More of everything is coming for virtualized security. It is not a passing fad – rather, it is the way forward for security capabilities, practices, and policies.
We can expect the market to continue to mature and improve the ease with which software security functions can be deployed throughout the network. We will likely see more controls and micro-segmentation use cases added to better mitigate the risks posed by attacks inside the network. Programmability, orchestration, automation, and even machine learning will also start to be more of a focus going forward, as customers look to leverage these intelligent, “self-service” capabilities within their security infrastructures.
Ultimately, the promise of virtualized security is to provide the utmost in security, operational efficiency, and regulatory compliance. The future will determine if (and how well) it can deliver.