
Green IT has gone mainstream. The past year has seen corporations such as Citigroup establishing their environmental credentials by opening green datacentres. But how do the separate disciplines of green IT and information security come together? Robin Arnfield reports
Some of the predominant characteristics of green IT include consolidation and cloud computing. Companies can consolidate different functions onto single physical boxes, driven by the need to save on hardware, respond to blended information security threats and conserve energy by slashing power usage and cooling requirements. Generic operating systems can be run together on a single hardware server, while information security functions can be consolidated into a single physical appliance.
Taken to its logical conclusion, this abstraction of the logical
resource from the physical can lead to companies outsourcing their
software functions altogether and using applications in a
software-as-a-service model by renting them from cloud computing
companies. This can drastically reduce power consumption at a local
site, while reaping the efficiencies of virtualisation at a
central, larger site.
Virtualisation
Thanks to its much-publicised ability to consolidate the physical resources needed to run software, virtualisation has become the poster child of green IT. Why use 10 servers running at 15% CPU utilisation when two running at 65% will do the same job?
But some worry that virtualisation brings its own information security challenges. "Virtualisation has a huge impact on security", says Brian O'Higgins, chief technology officer at Canadian virtual server and application security vendor Third Brigade. "For example, the server images that you get from virtualisation suddenly become mobile, like laptops. So you need to have strong security to protect each server image."
There is also concern that conventional information security
controls cannot spot malicious traffic passing between virtual
machines (VMs). "In a virtual environment, if you infect one
virtual server or one operating system, you risk infecting all the
other systems and servers running in that environment," says Doug
Cooke, manager, system engineers at anti-virus firm McAfee's
Canadian office. "There's no documentary evidence that actual
threats have got through all the operating systems in a virtual
environment, but 'white-hat' groups have proved it's possible."
"A few firewall products have been ported to the VMware
environment and they deploy taps, so they are starting to see
traffic between the VMs, but they can't block it", O'Higgins says.
"So these controls are not particularly effective. After all, you
want firewalls to block certain traffic, not just look at it. The
approach Third Brigade uses is host security, so that each
individual VM is protected, and malicious traffic between VMs can
be detected and blocked."
Simple measures
Consolidation isn't restricted just to generic operating
systems, however. Information security vendors have been squeezing
more functions into a single box while driving down power
consumption.
"Unified threat management (UTM) devices are very popular, and they are very power-efficient", says David Senf, an analyst at research firm IDC Canada. "This is one of the fastest growing sectors in the IT security market."
"As UTM appliances can perform multiple security functions such as firewall, spam / web filtering, IPS/IDS, and gateway anti-virus, firms can reduce the number of disparate security systems on their networks", says Chris McKie, a spokesperson for UTM vendor WatchGuard, adding that it reduces power consumption by 3-400%. "With one UTM box, a datacentre can eliminate three or four stand-alone appliances. Factor this in, and you realise major gains in energy reduction."
Tamir Hardof, North American group manager, product marketing, and solutions engineer at Check Point Software Technologies, says the Israeli UTM vendor's move to green IT is a marketing issue, rather than a technological one. "We're preparing an information pack to tell our clients how Check Point can help with their green IT efforts", he says. "Until two years ago, we were a software firm, so we're only now starting to look at green IT issues for our own hardware."
Check Point specifies the maximum power consumption for its
hardware, Hardof says. "Other IT security vendors may not do that.
They may provide a medium figure or a low power consumption figure
to look good."
Sunnyvale, California-based UTM vendor Fortinet offers a power-consumption spreadsheet called FortiGreen. "We want our sales force to be able to explain the non-direct benefits (for example power savings) of using our systems," says Anthony James, Fortinet's vice-president of products.
FortiGreen allows clients to estimate the potential annual
energy savings of a UTM-based network security topology compared to
a traditional architecture with multiple infosecurity devices at
each site. "You tell FortiGreen the number of UTM boxes in the
branch offices, and the totals at the head office and the regional
offices," James says. "The branch devices can have fewer security
functions than the regional office devices, which will in turn have
less than the head office boxes."
With 50 small-size FortiGate boxes at branch offices running
firewall / VPN, 10 mid-sized boxes at regional offices running
firewall / anti-virus / intrusion prevention, and one large box at
head office running firewall / anti-virus / web filtering /
intrusion prevention, the tool estimates average energy savings per
year of £15 600 compared to the traditional scenario.
Routers
Cisco has started putting multiple virtual security functions
onto its routers, says Fred Kost, director of marketing, Cisco
Virtual Office (CVO). "We offer content screening on our ASR edge
routers and content filtering, firewalls and intrusion prevention
on our ISR boxes", he says. "Cisco's Adaptive Security Appliances
include firewall, IPsec and SSL VPN security, and email screening.
The ASR can also run multiple virtual firewalls for separate
partitioned networks."
Check Point offers virtualisation on its VSX-1 security
gateways, and on its VPN-1 gateway software, which can sit on a
partner's box. "You can replace 250 gateway devices with our VPN-1
Power VSX software, which runs on a single box, and free up the
space needed for six hardware racks", says Hardof.
Power management
The effort made to reduce the power consumption of servers and information security appliances doesn't eliminate the need to monitor and manage that energy use. Several initiatives are underway to measure and manage IT devices' power consumption, although information security appliances cannot yet be automatically powered down while their traffic flow is dormant.
The Portland, Oregon-based Distributed Management Task Force (DMTF) is behind the Systems Management Architecture for Server Hardware (SMASH) initiative. "SMASH has developed protocols for web-based remote management of power consumption on specific devices," Winston Bumpas, DMTF president, says. "The aim is to measure when, and how much, specific power is being consumed, and also to power down devices. Using the SMASH protocols, we have an alliance with The Green Grid, which is putting power meters in the datacentre."
Sreeram Krishnamachari, worldwide director of green IT
initiatives at HP ProCurve, says his firm is involved in the IEEE's
LLDP (Link Layer Discovery Protocol). This is a standard aiming to
allow all the devices on a local network to advertise their
capabilities and power consumption to a central management
unit.
Krishnamachari says LLDP has the potential to be used to power down devices such as routers once they have been identified as unused, for example because no traffic is going to them. It could also enable power to be restored to the device very quickly once it is needed again. "Right now, LLDP does not support this level of automation, but it can be used to schedule power supplies to a device. For example, a VoIP phone can be scheduled to power down between 6pm and 6am", he says.
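To make concrete what "advertising power consumption" over LLDP looks like on the wire, here is an added example, not code from the article or from HP ProCurve: it builds a constructed LLDPDU and decodes the LLDP-MED Extended Power-via-MDI TLV that a powered device such as a VoIP phone uses to report its power draw and priority. TLV layouts follow IEEE 802.1AB and TIA-1057; the MAC address, port name and wattage are made-up sample values.

```python
import struct
LLDP_MED_OUI = b"\x00\x12\xbb"  # TIA LLDP-MED org-specific TLVs; subtype 4 = Extended Power-via-MDI
PRIORITY_NAMES = ("unknown", "critical", "high", "low") + ("reserved",) * 12

def tlv(tlv_type, value):
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then the value bytes."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def med_power_tlv(power_type, source, priority, watts):
    """Extended Power-via-MDI value: OUI, subtype 4, one flags byte
    (type 2 bits | source 2 bits | priority 4 bits), then power in 0.1 W units."""
    flags = (power_type << 6) | (source << 4) | priority
    body = LLDP_MED_OUI + bytes([4, flags]) + struct.pack("!H", round(watts * 10))
    return tlv(127, body)

# Constructed sample LLDPDU (the payload behind ethertype 0x88cc) as a VoIP phone might send it.
SAMPLE_LLDPDU = (
    tlv(1, b"\x04" + bytes.fromhex("001122334455"))   # Chassis ID, subtype 4 = MAC address (made up)
    + tlv(2, b"\x05eth0")                              # Port ID, subtype 5 = interface name
    + tlv(3, struct.pack("!H", 120))                    # TTL in seconds
    + med_power_tlv(power_type=1, source=1, priority=2, watts=6.8)  # PD, fed by PSE, high priority
    + tlv(0, b"")                                        # End of LLDPDU
)

def parse_tlvs(pdu):
    """Yield (type, value) per TLV; stop at End-of-LLDPDU; reject lengths past the end."""
    off = 0
    while off + 2 <= len(pdu):
        hdr, = struct.unpack_from("!H", pdu, off)
        tlv_type, length, off = hdr >> 9, hdr & 0x1FF, off + 2
        if off + length > len(pdu):
            raise ValueError("TLV length runs past end of LLDPDU")  # never trust a length field
        if tlv_type == 0:
            return
        yield tlv_type, pdu[off:off + length]
        off += length

def advertised_power(pdu):
    """Decode the LLDP-MED Extended Power-via-MDI TLV, or return None if absent. LLDP is
    unauthenticated, so a controller scheduling port power from these fields should treat
    them as hints and cross-check them against the switch's measured draw."""
    for tlv_type, val in parse_tlvs(pdu):
        if tlv_type == 127 and len(val) >= 7 and val[:3] == LLDP_MED_OUI and val[3] == 4:
            flags = val[4]
            return {
                "power_type": ("PSE", "PD", "reserved", "reserved")[flags >> 6],
                "source": (flags >> 4) & 0x3,
                "priority": PRIORITY_NAMES[flags & 0xF],
                "watts": struct.unpack("!H", val[5:7])[0] / 10,
            }
    return None
```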
Cloud computing
While cloud computing can take the green benefits of virtualisation to its ultimate logical conclusion, it can also introduce major accountability issues for data privacy. "One of the clouds that your data is stored on may be in another country", says David Loukidis, information and privacy commissioner for British Columbia, Canada. "If the data is breached, whose law applies - your country's law, or that of the country where the data is being held?"
Eric Ashdown, global service line lead for security strategy
and risk management at Accenture, says some cloud providers such as
Salesforce.com state in their SLA (service level agreement) where
they store clients' data, but others don't do so. "I foresee cloud
providers that are not transparent being locked out of markets like
the European Union, where there are clear laws about how data is
stored and transmitted. What's happening in the EU is that firms
are looking for intra-European cloud solutions to avoid breaking EU
data privacy laws."
Ashdown adds that firms using a cloud provider must insist in
their SLA that the provider undergo third-party security
audits.
"If you store data on a third-party cloud, you could fall victim
to a man-in-the-middle attack", says IDC's Senf. "It's vital to
encrypt data sent to a cloud, and the provider must have an SLA
specifying that they use good authentication."
The answer to man-in-the-middle is to use two-factor authentication in the form of hardware or software tokens, and to verify the IP address of PCs logging on to the cloud, says Matthew Gardiner, senior principal at CA.
There are clearly benefits for both the information security
function and the broader IT department when it comes to using green
technology. But apply it with care, and ensure that your power
saving efforts don't compromise your data.
This article first appeared in Infosecurity magazine.