Why 'Goldilocks Zone' Of Data Center Security Makes Sense
VMware's networking CTO Martin Casado and security strategist Tom Corn make their case for using virtualization to embed security controls into the very fabric of the data center.
Security has become a top issue for executives, board members, and leaders in both the public and private sector. Growth in security spending has outpaced overall IT spending. It would seem the only things outpacing security spending are security losses. We must rethink our approach.
The needed breakthrough might not be a new box or control, but rather an architectural shift that can vastly improve the efficacy of our controls. At the recent Interop show in Las Vegas, we offered up our vision for what we believe represents the future of data center security. We call the concept the Goldilocks Zone -- using virtualization to embed security controls into the very fabric of the data center.
What is the Goldilocks Zone?
The term Goldilocks Zone was originally coined to describe a planetary location that exhibits characteristics that must be simultaneously present for a planet to support life. We borrowed it to describe the location for security controls that simultaneously provides context and isolation -- key characteristics required to create a secure information infrastructure.
When it comes to instrumenting IT infrastructure with security controls, IT historically had two choices: the network or the host. With those two choices, IT was forced to make a tradeoff between context (visibility into the application layer) and isolation (protection of the control itself).
If IT places controls in the network, there is isolation, but we lack context. Visibility is limited to telemetry such as ports and protocols. These were never good proxies for applications, but in modern IT architectures such as the cloud, where workloads are mobile, these physical identifiers become even worse. Next-generation firewalls emerged precisely because of this issue.
If IT places controls on the host, we get context about the application, processes, files, and users -- but lack meaningful isolation. If the endpoint is compromised, so is the control. In both cases we lack ubiquity: a horizontal enforcement layer that places control everywhere.
Virtualization and the broader infrastructure of the software-defined data center provide a unique opportunity to get it all -- isolation, context, and a horizontal layer that provides near-ubiquitous coverage. Through virtualization, organizations can insert security in a location that provides end-to-end coverage, isolation, and the full context of application, user, and data. Moreover, the team can use the infrastructure to respond better to threats in the event of an attack.
The importance of ubiquity
The traditional data center security architecture remains perimeter-centric, with the majority of data center security investment spent on the north-south boundary. Why? Because putting security inside the data center turns out to be extremely difficult. On the perimeter you have a few egress points. Inside the data center, you have a complex web of data paths. The more controls you use, the more complex a distributed policy problem you have. The fewer controls you use, the more choke points you create.
Inside the Goldilocks Zone, however, we get unparalleled ubiquity. In a software-defined data center, virtualization is at the nexus of computing,
Tom Corn is vice president of security strategy at VMware. Martin Casado, VMware CTO of networking, has worked as a specialist in network security for US intelligence agencies.
Martin Casado is Chief Technology Officer for Networking at VMware. He is the former co-founder and CTO of Nicira, which VMware acquired in 2012. He received his PhD from Stanford University in 2007, where his dissertation work led to the creation of the ...