Why 'Goldilocks Zone' Of Data Center Security Makes Sense - InformationWeek
Martin Casado & Tom Corn

VMware's networking CTO Martin Casado and security strategist Tom Corn make their case for using virtualization to embed security controls into the very fabric of the data center.

Security has become a top issue for executives, board members, and leaders in both the public and private sector. Growth in security spending has outpaced overall IT spending. It would seem the only things outpacing security spending are security losses. We must rethink our approach.

The needed breakthrough might not be a new box or control, but rather an architectural shift that can vastly improve the efficacy of our controls. At the recent Interop show in Las Vegas, we offered up our vision for what we believe represents the future of data center security. We call the concept the Goldilocks Zone -- using virtualization to embed security controls into the very fabric of the data center.

What is the Goldilocks Zone?
The term Goldilocks Zone was originally coined to describe a planetary location that exhibits characteristics that must be simultaneously present for a planet to support life. We borrowed it to describe the location for security controls that simultaneously provides context and isolation -- key characteristics required to create a secure information infrastructure.

[Want more from Casado on hypervisor-based security? See VMware Touts Virtualization For Datacenter Security.]

When it comes to instrumenting IT infrastructure with security controls, IT historically had two choices: the network or the host. With those two choices, IT was forced to make a tradeoff between context (visibility into the application layer) and isolation (protection of the control itself).

If IT places controls in the network, there is isolation, but we lack context. Visibility is limited to telemetry such as ports and protocols. These were never good proxies for applications, but in modern IT architectures such as the cloud, where workloads are mobile, these physical identifiers become even worse. Next-generation firewalls emerged precisely because of this issue.

If IT places controls on the host, we get context about the application, processes, files, and users -- but lack meaningful isolation. If the endpoint is compromised, so is the control. In both cases we lack ubiquity: a horizontal enforcement layer that places control everywhere.

Virtualization and the broader infrastructure of the software-defined data center provide a unique opportunity to get it all -- isolation, context, and a horizontal layer that provides near-ubiquitous coverage. Through virtualization, organizations can insert security in a location that provides end-to-end coverage, isolation, and the full context of application, user, and data. Moreover, the team can use the infrastructure to respond better to threats in the event of an attack.

The importance of ubiquity
The traditional data center security architecture remains perimeter-centric, with the majority of data center security investment spent on the north-south boundary. Why? Because putting security inside the data center turns out to be extremely difficult. On the perimeter you have a few egress points. Inside the data center, you have a complex web of data paths. The more controls you use, the more complex a distributed policy problem you have. The fewer controls you use, the more choke points you create.

Inside the Goldilocks Zone, however, we get unparalleled ubiquity. In a software-defined data center, virtualization is at the nexus of computing,

Tom Corn is vice president of security strategy at VMware. Martin Casado, VMware CTO of networking, has worked as a specialist in network security for US intelligence agencies.

Martin Casado is Chief Technology Officer for Networking at VMware. He is the former co-founder and CTO of Nicira, which VMware acquired in 2012. He received his PhD from Stanford University in 2007, where his dissertation work led to the creation of the ...

Charlie Babcock
6/16/2014 | 3:24:53 PM
Let's pursue the 'not too hot, not too cold' security zone
The notion of a "Goldilocks zone" that's not too hot, not too cold and isn't stuck on the perimeter of the enterprise is worthy of more discussion. I think it's too easy to dismiss the idea of hypervisor-based security as simply another by VMware in its own interest. If it's a strong vantage point -- which it is -- then it's in everyone's interest to see how security could function there.