Is your business strategy being undermined by your security strategy?

* Virtualized security must match virtualized resources

Many companies are implementing a business strategy focused on “agility” - ensuring they can respond to changes in their markets and deploy new applications rapidly. In the data center, this means breaking up the various application silos and introducing virtualization in the network, storage and computing resources.

Data center managers are using automated provisioning tools to deploy applications on demand or to increase or decrease the pool of servers available to an application. As a result, the location of any application in the data center may change without warning.

By contrast, we hear much less about security virtualization than we do about storage, compute or network virtualization. Many of the traditional security defenses - such as firewalls, VPNs and IDS/IPS - rely on a fixed association between IP addresses.

A firewall, for example, may be configured to allow access to a back-end database only from an authorized application server. Inside the firewall this will be represented by a rule containing the IP addresses of the database server and the application server.

This type of static association makes sense in a world where resources are static, but it is orthogonal to the model of the next-generation flexible data center. If the application has been automatically relocated to a different server and now has a different IP address, the firewall will be unaware of the move and will block the connection to the database.

If data center managers deploy security devices without considering the implications for their data center strategy, they may find that each security device deployed takes them one step further away from the next-generation data center. Flexibility in the data center through virtualization is a critical competitive advantage that should not be sacrificed for security. Instead, data center managers should work closely with security managers to help them understand the goals of the next-generation data center strategy, ensuring that any security purchase is synergistic with it rather than a setback.

How do security devices move beyond the network-centric model, which ties them to the infrastructure? The answer lies in a rapidly emerging trend: identity-centric security. In identity-centric security systems, the primary identifier used to make security policy decisions is the identity of the user, device or application, independent of any network address or system location. This represents a first step towards security virtualization - moving security up the protocol stack and abstracting the underlying network details. As data center technologies keep advancing towards virtualization, security vendors must pay attention and adapt to such an environment. After all, thwarting your data center strategy and sacrificing your company’s competitiveness because of security is like throwing the baby out with the bath water.
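The firewall scenario above (an address-bound rule that breaks when the application server is relocated) and the identity-centric alternative can be put side by side in a small policy evaluator. This is an added illustration, not code from the article or from any vendor product; the workload names and IP addresses are constructed, and the caller's identity is assumed to have been established at connection time (for example from a workload certificate) before the rule is evaluated.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    # Identity of each end as established at connection time (e.g. from a
    # workload certificate). None means the peer proved nothing.
    src_identity: Optional[str] = None
    dst_identity: Optional[str] = None

@dataclass(frozen=True)
class AddressRule:
    """Traditional rule: only this source IP may reach this destination IP."""
    src_ip: str
    dst_ip: str
    def permits(self, c: Connection) -> bool:
        return c.src_ip == self.src_ip and c.dst_ip == self.dst_ip

@dataclass(frozen=True)
class IdentityRule:
    """Identity-centric rule: this workload may reach that one, wherever
    either of them currently runs."""
    src_identity: str
    dst_identity: str
    def permits(self, c: Connection) -> bool:
        # An unproven identity (None) never matches: the rule fails closed.
        return (c.src_identity == self.src_identity
                and c.dst_identity == self.dst_identity)

def evaluate(rules, conn: Connection) -> bool:
    """Default deny: allowed only if some rule permits the connection."""
    return any(r.permits(conn) for r in rules)

def relocation_demo() -> dict:
    """The article's scenario: provisioning moves the app server to a new host."""
    db_ip = "10.0.1.20"  # constructed sample addresses throughout
    addr_rules = [AddressRule(src_ip="10.0.1.10", dst_ip=db_ip)]
    id_rules = [IdentityRule("app-server", "orders-db")]
    before = Connection("10.0.1.10", db_ip, "app-server", "orders-db")
    after = Connection("10.0.2.55", db_ip, "app-server", "orders-db")  # relocated
    impostor = Connection("10.0.1.10", db_ip, None, "orders-db")  # old IP, no proof
    return {
        "address_before": evaluate(addr_rules, before),
        "address_after": evaluate(addr_rules, after),
        "identity_before": evaluate(id_rules, before),
        "identity_after": evaluate(id_rules, after),
        "identity_impostor": evaluate(id_rules, impostor),
    }
```

The address rule allows the connection before the move and denies it afterwards, while the identity rule allows both and still denies a peer that presents the old address without a proven identity.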

Copyright © 2005 IDG Communications, Inc.