Cloud // Infrastructure as a Service
Commentary
6/2/2014
01:35 PM
Martin Casado & Tom Corn
Martin Casado & Tom Corn
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Why 'Goldilocks Zone' Of Data Center Security Makes Sense

VMware's networking CTO Martin Casado and security strategist Tom Corn make their case for using virtualization to embed security controls into the very fabric of the data center.

Security has become a top issue for executives, board members, and leaders in both the public and private sector. Growth in security spending has outpaced overall IT spending. It would seem the only things outpacing security spending are security losses. We must rethink our approach.

The needed breakthrough might not be a new box or control, but rather an architectural shift that can vastly improve the efficacy of our controls. At the recent Interop show in Las Vegas, we offered up our vision for what we believe represents the future of data center security. We call the concept the Goldilocks Zone -- using virtualization to embed security controls into the very fabric of the data center.

What is the Goldilocks Zone?
The term Goldilocks Zone was originally coined to describe a planetary location that exhibits characteristics that must be simultaneously present for a planet to support life. We borrowed it to describe the location for security controls that simultaneously provides context and isolation -- key characteristics required to create a secure information infrastructure.

[Want more from Casado on hypervisor-based security? See VMware Touts Virtualization For Datacenter Security.]

When it comes to instrumenting IT infrastructure with security controls, IT historically had two choices: the network or the host. With those two choices, IT was forced to make a tradeoff between context (visibility into the application layer) and isolation (protection of the control itself).

If IT places controls in the network, there is isolation, but we lack context. Visibility is limited to telemetry such as ports and protocols. These were never good proxies for applications, but in modern IT architectures such as the cloud, where workloads are mobile, these physical identifiers become even worse. Next-generation firewalls emerged precisely because of this issue.

If IT places controls on the host, we get context about the application, processes, files, and users -- but lack meaningful isolation. If the endpoint is compromised, so will be the control. In both cases we lack ubiquity, a horizontal enforcement layer that places control everywhere.

Virtualization and the broader infrastructure of the software-defined data center provide a unique opportunity to get it all -- isolation, context, and a horizontal layer that provides near-ubiquitous coverage. Through virtualization, organizations can insert security in a location that provides end-to-end coverage, isolation, and the full context of application, user, and data. Moreover, the team can use the infrastructure to respond better to threats in the event of an attack. 

The importance of ubiquity
The traditional data center security architecture remains perimeter-centric, with the majority of data center security investment spent on the north-south boundary. Why? Because putting security inside the data center turns out to be extremely difficult. On the perimeter you have a few egress points. Inside the datacenter, you have a complex web of data paths. The more controls you use, the more complex a distributed policy problem you have. The fewer controls you use, the more choke points you create.

Inside the Goldilocks Zone, however, we get unparalleled ubiquity. In a software-defined data center, virtualization is at the nexus of computing,

Tom Corn is vice president of security strategy at VMware. Martin Casado, VMware CTO of networking, has worked as a specialist in network security for US intelligence agencies.

Martin Casado is Chief Technology Officer for Networking at VMware. He is the former co-founder and CTO of Nicira, which VMware acquired in 2012. He received  his PhD from Stanford University in 2007, where his dissertation work led to the creation of the ... View Full Bio
Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
6/16/2014 | 3:24:53 PM
Let's pursue the 'not too hot, not too cold' security zone
The notion of a "Goldilocks zone" that's not too hot, not too cold and isn't stuck on the perimeter of the enterprise is worthy of more discussion. I think it's too easy to dimiss the idea of hypervisor-based security as simply another by VMware in its own interest. If it's a strong vantage point -- which it is -- then it's in everyone's interest to see how security could function there.
Multicloud Infrastructure & Application Management
Multicloud Infrastructure & Application Management
Enterprise cloud adoption has evolved to the point where hybrid public/private cloud designs and use of multiple providers is common. Who among us has mastered provisioning resources in different clouds; allocating the right resources to each application; assigning applications to the "best" cloud provider based on performance or reliability requirements.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.