Traditional security is overkill in next-gen datacentres: Cisco
By Benjamin Cher July 28, 2015
- Most data traffic now moves within the datacentre
- More granularity and less overkill needed to secure next-gen datacentres
THE increasing popularity of the ‘as-a-service’ model, from Infrastructure-as-a-Service (IaaS) to Software-as-a-Service (SaaS), has led to a new dynamic: Most data traffic now moves laterally within a datacentre, rather than in and out of it.
Thus the usual perimeter defence policy may now be a case of overkill.
“People were habitually putting these really beefy boxes [hardware] in their datacentres, but are slowly getting away from that,” said Munawar Hossain, director of product management for datacentre security and content security at Cisco Systems Inc.
“It’s increasingly becoming virtualised, since [you need] to keep up with that workload in the datacentre as well,” he told Digital News Asia (DNA) in Singapore.
Software-defined networking (SDN) has redefined the way datacentre resources are viewed. Coupled with ‘as-a-Service’ subscription models and cloud-based applications, this has made datacentres integral to business operations.
And as we move on to the next generation, the perimeter defences of traditional datacentres are not as relevant as before, Munawar argued.
“Previously, we were fortifying the edge of the datacentre – now the workloads are out there and we actually have to fortify users [who are] accessing the services elsewhere,” he said.
“So the perimeter becomes somewhat inverted,” he added.
The cloud and application-centric infrastructure [where the application is integrated into the infrastructure] are also picking up.
“Those are concepts that were very foreign two years ago, but we’re increasingly seeing people getting used to them and are adopting them in the same way,” said Munawar.
“It’s also got a cost-relevance as well. People are asking, ‘Am I going to spend 20 million dollars upgrading my datacentre, or do I just shift the capex (capital expenditure) spending to opex (operational expenditure) spending, do stuff in the cloud and not overprovision?’ ” he added.
Set phasers to (over)kill
Granularity is the name of the game now in securing the next-generation datacentre. With virtualisation, and with workloads being sent to the cloud instead, the usual firewall and IPS (intrusion prevention system) inspection for traffic within the datacentre is a case of overkill, according to Munawar.
“In this new framework, if security is deployed the right way, it can potentially be more effective than the traditional way,” he said.
Instead of screening every packet moving within the datacentre, granularity allows enterprises to set conditions. This way, applications within a datacentre might not need to be constantly screened, which would be a drain on computing resources.
Granularity also helps with endpoint security: conditions for limited or VPN (virtual private network) access into the datacentre can be defined based on purpose or transport conditions.
“For example, if I was accessing my corporate directory it goes over the VPN tunnel – while my YouTube traffic doesn’t,” said Munawar.
According to Stephen Dane, Asia Pacific managing director of Cisco’s Global Security Sales Organisation, the security policy that businesses can apply is really important when it comes to mobile devices, because one can be quite granular.
“Which users can get access to which applications on what devices at certain times – you can be quite specific and allow access for users on a laptop connected on the network using this application but a mobile user on a WiFi network can’t get access to that application,” he added.
Munawar quipped, “It’s like sort of like protecting the endpoint, protecting the transport, and protecting the access.”
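The kind of granular, condition-based access policy Dane and Munawar describe (which users, on which devices, over which network, at which times, for which application) can be written down as an ordered rule set with a default deny. The following is an added illustration, not code from the article or from Cisco; the rule names, user groups, application names and hour windows are constructed for the example.

```python
"""Granular access policy evaluation: constructed example, not vendor code.

A request carries the attributes the article lists (user, application,
device, network, time).  Rules match on any subset of those attributes;
the first matching rule decides, and an unmatched request is denied.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

ALLOW = "allow"
DENY = "deny"


@dataclass(frozen=True)
class Request:
    user_group: str    # e.g. "finance"
    application: str   # e.g. "finance-app"
    device: str        # e.g. "laptop", "mobile"
    network: str       # e.g. "corporate", "wifi"
    hour: int          # 0-23, local time of the request


@dataclass(frozen=True)
class Rule:
    name: str
    decision: str
    # An empty set means "any value" for that attribute.
    user_groups: frozenset = frozenset()
    applications: frozenset = frozenset()
    devices: frozenset = frozenset()
    networks: frozenset = frozenset()
    hours: Optional[range] = None   # None means "any time"

    def __post_init__(self) -> None:
        if self.decision not in (ALLOW, DENY):
            raise ValueError(f"bad decision {self.decision!r} in rule {self.name}")

    def matches(self, req: Request) -> bool:
        checks = (
            (self.user_groups, req.user_group),
            (self.applications, req.application),
            (self.devices, req.device),
            (self.networks, req.network),
        )
        if any(allowed and value not in allowed for allowed, value in checks):
            return False
        return self.hours is None or req.hour in self.hours


def evaluate(req: Request, rules: Iterable[Rule]) -> Tuple[str, str]:
    """Return (decision, rule name); first match wins, default deny."""
    for rule in rules:
        if rule.matches(req):
            return rule.decision, rule.name
    return DENY, "default-deny"


# Constructed policy mirroring the article's example: a laptop on the
# corporate network may reach the application, a mobile on WiFi may not.
POLICY = (
    Rule("block-mobile-on-wifi", DENY,
         applications=frozenset({"finance-app"}),
         devices=frozenset({"mobile"}),
         networks=frozenset({"wifi"})),
    Rule("finance-laptop-office-hours", ALLOW,
         user_groups=frozenset({"finance"}),
         applications=frozenset({"finance-app"}),
         devices=frozenset({"laptop"}),
         networks=frozenset({"corporate"}),
         hours=range(8, 19)),
)

if __name__ == "__main__":
    samples = [
        Request("finance", "finance-app", "laptop", "corporate", 10),
        Request("finance", "finance-app", "mobile", "wifi", 10),
        Request("finance", "finance-app", "laptop", "corporate", 23),
    ]
    for s in samples:
        print(s, "->", evaluate(s, POLICY))
```

Because the default is deny, the policy only ever grants what a rule names explicitly; the explicit deny rule is listed first so that a later, broader allow cannot override it.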
Granularity, coupled with visibility into the server, will continue to drive security for the next-generation datacentre, the two Cisco executives believe.
Vendors themselves are finding that they have to be able to play ball with each other.
“Previously, we sort of depended on only our solutions to provide security across our networks, but we’re increasingly aware that customers are not doing this ‘one-vendor thing’,” said Munawar.
“In order to augment our capabilities, we needed to play well with third-party solutions – and in some cases, competitors’ solutions,” he added.
Live long and prosper
But while datacentres shift to the next generation, there remains a hybrid environment where security might fall through the cracks.
“A lot of people are pushing out workloads to the IaaS for example, but they’re not really considering the security aspects of that,” said Munawar.
“A lot of IaaS vendors are touting embedded security, so obviously it’s not the same type of firewall or IPS inspection,” he added.
While enterprises get accustomed to the concepts and capabilities of the next-generation datacentre, security might get a boost from just the basics, he argued.
“We have people using virtualised instances of these things in an IaaS environment – the pendulum hasn’t swung all the way in the other direction yet, it’s somewhere in the middle right now,” Munawar said.
“As people become more accustomed to doing it, you find that once they apply the security it will likely be more comprehensive than what they were doing before the shift,” he declared.