Green IT has gone mainstream. The past year has seen corporations such as Citigroup establishing their environmental credentials by opening green datacentres. But how do the separate disciplines of green IT and information security come together? Robin Arnfield reports
Some of the predominant characteristics of green IT include consolidation and cloud computing. Companies can consolidate different functions onto single physical boxes, driven by the need to save on hardware, respond to blended information security threats and conserve energy by slashing power usage and cooling requirements. Generic operating systems can be run together on a single hardware server, while information security functions can be consolidated into a single physical appliance.
Taken to its logical conclusion, this abstraction of the logical resource from the physical can lead to companies outsourcing their software functions altogether and using applications in a software-as-a-service model by renting them from cloud computing companies. This can drastically reduce power consumption at a local site, while reaping the efficiencies of virtualisation at a central, larger site.
Thanks to its much-publicised ability to consolidate the physical resources needed to run software, virtualisation has become the poster child of green IT. Why use 10 servers running at 15% CPU utilisation, when two running at 65% will do the same job?
But some worry that virtualisation brings its own information security challenges. "Virtualisation has a huge impact on security", says Brian O'Higgins, chief technology officer at Canadian virtual server and application security vendor Third Brigade. "For example, the server images that you get from virtualisation suddenly become mobile, like laptops. So you need to have strong security to protect each server image."
There is also concern that conventional information security controls cannot spot malicious traffic passing between virtual machines (VMs). "In a virtual environment, if you infect one virtual server or one operating system, you risk infecting all the other systems and servers running in that environment," says Doug Cooke, manager, system engineers at anti-virus firm McAfee's Canadian office. "There's no documentary evidence that actual threats have got through all the operating systems in a virtual environment, but 'white-hat' groups have proved it's possible."
"A few firewall products have been ported to the VMware environment and they deploy taps, so they are starting to see traffic between the VMs, but they can't block it", O'Higgins says. "So these controls are not particularly effective. After all, you want firewalls to block certain traffic, not just look at it. The approach Third Brigade uses is host security, so that each individual VM is protected, and malicious traffic between VMs can be detected and blocked."
Consolidation isn't restricted just to generic operating systems, however. Information security vendors have been squeezing more functions into a single box while driving down power consumption. "Unified threat management (UTM) devices are very popular, and they are very power-efficient", says David Senf, an analyst at research firm IDC Canada. "This is one of the fastest growing sectors in the IT security market."
"As UTM appliances can perform multiple security functions such as firewall, spam / web filtering, IPS/IDS, and gateway anti-virus, firms can reduce the number of disparate security systems on their networks", says Chris McKie, a spokesperson for UTM vendor WatchGuard, adding that it reduces power consumption by 3-400%. "With one UTM box, a datacentre can eliminate three or four stand-alone appliances. Factor this in, and you realise major gains in energy reduction."
Tamir Hardof, North American group manager, product marketing, and solutions engineer at Check Point Software Technologies, says the Israeli UTM vendor's move to green IT is a marketing issue, rather than a technological one. "We're preparing an information pack to tell our clients how Check Point can help with their green IT efforts", he says. "Until two years ago, we were a software firm, so we're only now starting to look at green IT issues for our own hardware."
Check Point specifies the maximum power consumption for its hardware, Hardof says. "Other IT security vendors may not do that. They may provide a medium figure or a low power consumption figure to look good."
Sunnyvale, California-based UTM vendor Fortinet offers a power-consumption spreadsheet called FortiGreen. "We want our sales force to be able to explain the non-direct benefits (for example power savings) of using our systems," says Anthony James, Fortinet's vice-president of products.
FortiGreen allows clients to estimate the potential annual energy savings of a UTM-based network security topology compared to a traditional architecture with multiple infosecurity devices at each site. "You tell FortiGreen the number of UTM boxes in the branch offices, and the totals at the head office and the regional offices," James says. "The branch devices can have fewer security functions than the regional office devices, which will in turn have less than the head office boxes."
With 50 small-size FortiGate boxes at branch offices running firewall / VPN, 10 mid-sized boxes at regional offices running firewall / anti-virus / intrusion prevention, and one large box at head office running firewall / anti-virus / web filtering / intrusion prevention, the tool estimates average energy savings per year of £15,600 compared to the traditional scenario.
Cisco has started putting multiple virtual security functions onto its routers, says Fred Kost, director of marketing, Cisco Virtual Office (CVO). "We offer content screening on our ASR edge routers and content filtering, firewalls and intrusion prevention on our ISR boxes", he says. "Cisco's Adaptive Security Appliances include firewall, IPsec and SSL VPN security, and email screening. The ASR can also run multiple virtual firewalls for separate partitioned networks."
Check Point offers virtualisation on its VSX-1 security gateways, and on its VPN-1 gateway software, which can sit on a partner's box. "You can replace 250 gateway devices with our VPN-1 Power VSX software, which runs on a single box, and free up the space needed for six hardware racks", says Hardof.
The effort made to reduce the power consumption of servers and information security appliances doesn't eliminate the need to monitor and manage that energy use. Several initiatives are underway to measure and manage IT devices' power consumption, although information security appliances cannot yet be automatically powered down while their traffic flow is dormant.
The Portland, Oregon-based Distributed Management Task Force (DMTF) is behind the Systems Management Architecture for Server Hardware (SMASH) initiative. "SMASH has developed protocols for web-based remote management of power consumption on specific devices," Winston Bumpas, DMTF president, says. "The aim is to measure when, and how much, specific power is being consumed, and also to power down devices. Using the SMASH protocols, we have an alliance with The Green Grid, which is putting power meters in the datacentre."
Sreeram Krishnamachari, worldwide director of green IT initiatives at HP ProCurve, says his firm is involved in the IEEE's LLDP (Link Layer Discovery Protocol, IEEE 802.1AB). LLDP lets each device on a local network advertise its identity and capabilities to the switch port it is attached to, and the power-over-Ethernet extensions (the IEEE 802.3 Power via MDI TLV and LLDP-MED) let a powered device state how much power it draws. A central management system does not receive these frames directly; it collects the advertised information from the switches, for example over SNMP.
Krishnamachari says LLDP has the potential to be used to power down devices such as routers once they have been identified as unused, for example because no traffic is going to them, and to restore power to a device very quickly once it is needed again. "Right now, LLDP does not support this level of automation, but it can be used to schedule power supplies to a device. For example, a VoIP phone can be scheduled to power down between 6pm and 6am", he says.
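To make concrete what a device actually advertises over LLDP, here is an added example (not code from the article, from HP ProCurve or from the IEEE) that decodes the TLV chain of an LLDP frame and pulls out the fields the passage refers to: identity, enabled system capabilities and, from the IEEE 802.3 Power via MDI TLV with its 802.3at fields, the power the device requests. LLDP frames carry no authentication, so any switch or management system that acts on them (allocating PoE budget, deciding a port is idle) is acting on an unverified claim; the parser therefore treats the frame as untrusted input and rejects any TLV whose length runs past the end of the buffer instead of reading beyond it. The sample frame is constructed inline (a made-up phone requesting 6.5 W), not captured traffic.

```python
"""Decode an LLDP (IEEE 802.1AB) frame from an untrusted network peer.

Added example; the frame built below is constructed, not captured.
"""
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_MULTICAST = bytes.fromhex("0180c200000e")
OUI_IEEE_8023 = b"\x00\x12\x0f"          # IEEE 802.3 organisationally specific TLVs
SUBTYPE_POWER_VIA_MDI = 2

# Bit positions of the System Capabilities TLV (IEEE 802.1AB, table 8-4).
CAPABILITY_BITS = {
    0: "other", 1: "repeater", 2: "bridge", 3: "wlan-ap",
    4: "router", 5: "telephone", 6: "docsis", 7: "station",
}


class LLDPError(ValueError):
    """Raised for frames that are not LLDP or whose TLV lengths overrun the buffer."""


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length packed into a 16-bit header."""
    if not 0 <= len(value) < 512:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(payload):
    """Yield (type, value) pairs until the End-of-LLDPDU TLV; never read past the end."""
    off = 0
    while True:
        if off + 2 > len(payload):
            raise LLDPError("frame ended without End-of-LLDPDU TLV")
        hdr = struct.unpack_from("!H", payload, off)[0]
        tlv_type, tlv_len = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + tlv_len > len(payload):          # the length field is attacker-controlled
            raise LLDPError("TLV type %d length %d overruns frame" % (tlv_type, tlv_len))
        value = payload[off:off + tlv_len]
        off += tlv_len
        if tlv_type == 0:
            return
        yield tlv_type, value


def decode_capabilities(bits):
    return {name for bit, name in CAPABILITY_BITS.items() if bits & (1 << bit)}


def parse_lldp(frame):
    """Return a dict of the fields a device advertises; raise LLDPError on bad input."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != LLDP_ETHERTYPE:
        raise LLDPError("not an LLDP frame")
    info = {}
    for tlv_type, value in iter_tlvs(frame[14:]):
        if tlv_type == 1 and len(value) >= 2:
            info["chassis_id"] = value[1:]          # byte 0 is the ID subtype
        elif tlv_type == 2 and len(value) >= 2:
            info["port_id"] = value[1:]
        elif tlv_type == 3 and len(value) == 2:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == 5:
            info["system_name"] = value.decode("ascii", "replace")
        elif tlv_type == 7 and len(value) == 4:
            _supported, enabled = struct.unpack("!HH", value)
            info["capabilities"] = decode_capabilities(enabled)
        elif tlv_type == 127 and len(value) >= 4:
            oui, subtype, body = value[:3], value[3], value[4:]
            # 802.3at layout: support(1) pair(1) class(1) type/source/priority(1)
            # PD requested power(2) PSE allocated power(2), both in units of 0.1 W
            if oui == OUI_IEEE_8023 and subtype == SUBTYPE_POWER_VIA_MDI and len(body) >= 8:
                requested, allocated = struct.unpack_from("!HH", body, 4)
                info["pd_requested_w"] = requested / 10
                info["pse_allocated_w"] = allocated / 10
    return info


def is_well_formed(frame):
    try:
        parse_lldp(frame)
        return True
    except LLDPError:
        return False


def build_sample_frame():
    """Constructed frame: a PoE phone on eth0 asking for 6.5 W (hypothetical values)."""
    mac = bytes.fromhex("001122334455")
    tlvs = b"".join([
        tlv(1, b"\x04" + mac),                                   # chassis ID, MAC subtype
        tlv(2, b"\x05" + b"eth0"),                               # port ID, interface name
        tlv(3, struct.pack("!H", 120)),                          # TTL in seconds
        tlv(5, b"lobby-phone-3"),
        tlv(7, struct.pack("!HH", 0x0024, 0x0020)),              # bridge+phone supported, phone enabled
        tlv(127, OUI_IEEE_8023 + bytes([SUBTYPE_POWER_VIA_MDI, 0x07, 0x01, 0x03, 0x55])
            + struct.pack("!HH", 65, 65)),
        tlv(0, b""),
    ])
    return LLDP_MULTICAST + mac + struct.pack("!H", LLDP_ETHERTYPE) + tlvs


def truncated_sample_frame():
    """The same frame cut off inside the last TLV, as a malformed peer might send it."""
    return build_sample_frame()[:-6]


if __name__ == "__main__":
    print(parse_lldp(build_sample_frame()))
    print("truncated frame accepted:", is_well_formed(truncated_sample_frame()))
```

The power figures come straight from the peer, so a PSE or management system should compare `pd_requested_w` against its own port budget rather than trust `pse_allocated_w` as reported back, and a switch that powers ports down on "no traffic" should confirm idleness from its own counters rather than from the absence of an LLDP advertisement.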
While cloud computing can take the green benefits of virtualisation to its ultimate logical conclusion, it can also introduce major accountability issues for data privacy. "One of the clouds that your data is stored on may be in another country", says David Loukidis, information and privacy commissioner for British Columbia, Canada. "If the data is breached, whose law applies - your country's law, or that of the country where the data is being held?"
Eric Ashdown, global service line lead for security strategy and risk management at Accenture, says some cloud providers such as Salesforce.com state in their SLA (service level agreement) where they store clients' data, but others don't do so. "I foresee cloud providers that are not transparent being locked out of markets like the European Union, where there are clear laws about how data is stored and transmitted. What's happening in the EU is that firms are looking for intra-European cloud solutions to avoid breaking EU data privacy laws."
Ashdown adds that firms using a cloud provider must insist in their SLA that the provider undergo third-party security audits.
"If you store data on a third-party cloud, you could fall victim to a man-in-the-middle attack", says IDC's Senf. "It's vital to encrypt data sent to a cloud, and the provider must have an SLA specifying that they use good authentication."
The answer to man-in-the-middle is to use two-factor authentication in the form of hardware or software tokens, and to verify the IP address of PCs logging on to the cloud, says Matthew Gardiner, senior principal at CA.
There are clearly benefits for both the information security function and the broader IT department when it comes to using green technology. But apply it with care, and ensure that your power saving efforts don't compromise your data.
This article first appeared in Infosecurity magazine.