Operating a consistent security infrastructure will help to ensure that all systems are secured, from laptops, netbooks and smartphones to the data centre and to the cloud. But, data centre managers often take security -- and the way that it’s deployed -- for granted. In this tip, virtualisation expert Hamish Macarthur identifies all the elements of the IT systems architecture that must be secured and explains how to secure them.
The scope of systems architecture security
The traditional paradigm of firewalls and reacting to malware attacks is no longer appropriate. It’s time to replace old-fashioned mind-sets with the following ways of thinking:
- Assuming the systems and networks have not been breached is naive. Today’s objectives must be to detect attacks immediately and remedy the situation as quickly as possible. Virtualisation and cloud services increase the need for a comprehensive and responsive enterprise security strategy. Security must be fully virtualisation-aware, using a consistent platform to contain costs and a consistent approach across physical, virtual and cloud platforms.
- Placing traditional physical server security practices onto virtual servers will lead to poor performance because the same tasks are being executed within each virtual machine. One security platform, working with the hypervisor, can support multiple virtual machines and reduce processing overheads.
Elements of the systems architecture that need to be secured include:
- physical servers and endpoints including access devices such as desktops, laptops, mobile devices, smartphones and tablets
- server virtualisation (hypervisors) creating virtual machines to support each application
- virtual desktop infrastructure (VDI) using virtual machines to deliver consistent user experiences
- cloud computing that enables on-demand access to shared computing resources in private, public or hybrid clouds
Threats emerge from outside and within each and every organisation. As the system infrastructure evolves to support the needs of all users and business units, security procedures must be flexible and trusted to address the changes.
Handling the threats to systems security
A new approach to security will help virtualisation administrators address the concerns of physical, virtual and cloud platforms.
Systems must be aware of the virtualised environments and be self-defending in external cloud environments. At the same time, new security approaches must optimise platform performance. As the data centre evolves, businesses need security solutions that span across physical, virtual and cloud platforms while also addressing their unique threats.
The ring fence of a firewall can be breached. A multitude of applications exist within the data centre operating on physical or virtual servers or within the cloud. In some cases, applications can be provisioned to operate within a virtual environment but can be executed on a physical server if there is a system failure.
Similarly, applications could operate within a virtual machine (VM) within a defined data centre or within the cloud, depending on agreed service levels. In such cases, users must be fully confident that the security procedures are consistent, wherever the application is executed.
Security as a process
Security must move with the users, applications and the workload on the system infrastructure. For example, if an application within a virtual environment can operate on a number of physical servers (shared by different and varying applications), then the security policies applied to that application must be the same, wherever it runs.
Policies and practices must address the instant provisioning offered by virtualisation and the cloud. Establishing clear policies for each new virtual instance ensures compliance with accepted security standards for all instances and avoids unnecessary downtime because of infection or security breaches. It also improves service delivery to the business.
Here is an example of what integrated security across physical, virtual and cloud servers needs to include:
- firewall and antivirus protection against both known and zero-day attacks;
- collection and analysis of operating system events and application logs for suspicious behaviour;
- support for patching applications operating in virtual machines; and
- encryption and file integrity monitoring.
Collectively, this protection must create self-defending servers for physical servers, on-site virtual machines, or virtual machines travelling into cloud environments.
Data centre managers must also consider the hypervisor. All applications operate on top of the hypervisor, including all the security systems. For example, Intel encourages its software partners to harness the security features of its Trusted Execution Technology to ensure the hypervisor and firmware are not compromised.
Data encryption for private and public clouds should be automated as a best practice. With policy-based key management, encryption keeps data secure and protects it against unapproved users.
And encrypted data can be mobile, moving with the application in both private and public cloud implementations. Encryption protects against data loss or inappropriate access. When data is moved in the private or public cloud, any residual data should be digitally shredded. However, in the event that residual data remains after data is moved, the encrypted data is secure from inappropriate use.
Threat mitigation is provided as a cloud service from companies such as IBM, Symantec and Trend Micro. These systems are aware of malware distribution at the earliest possible stage and can be applied to customer installations. Included are intrusion detection practices and the analyses of system logs to determine inappropriate system behaviour and to prevent security threats undermining data and system operations. Analysing data patterns to trap new and fast-moving vulnerabilities is best provided by the experts. This offers the opportunity to be proactive in detecting new risks rather than deploying a reactive strategy, responding to malware after it has infected the systems.
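The log analysis the paragraph above (and the checklist item on collecting operating system events) calls for can be illustrated with a small detector. This is an added example, not code from the article or from the vendors it names: it parses constructed OpenSSH-style authentication log lines, flags a source that exceeds a failed-login threshold within a sliding time window, and separately flags a successful login that follows such a burst from the same source, which is the higher-confidence signal that warrants an immediate response. The hostnames, addresses and the assumed year are all constructed.

```python
"""Sliding-window failed-login detector over sshd-style log lines
(added example, not from the article)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the usual sshd/syslog shape. Syslog omits
# the year, so a fixed year is assumed when parsing.
SAMPLE_LOG = """\
Mar  3 10:01:02 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.9 port 51112 ssh2
Mar  3 10:01:05 web01 sshd[2313]: Failed password for root from 203.0.113.9 port 51118 ssh2
Mar  3 10:01:09 web01 sshd[2315]: Failed password for root from 203.0.113.9 port 51120 ssh2
Mar  3 10:01:14 web01 sshd[2319]: Failed password for root from 203.0.113.9 port 51130 ssh2
Mar  3 10:01:20 web01 sshd[2321]: Failed password for deploy from 203.0.113.9 port 51131 ssh2
Mar  3 10:01:26 web01 sshd[2323]: Accepted password for deploy from 203.0.113.9 port 51140 ssh2
Mar  3 10:02:00 web01 sshd[2330]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:02:31 web01 sshd[2332]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:45:00 web01 sshd[2400]: Failed password for bob from 192.0.2.44 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
ASSUMED_YEAR = 2024  # constructed; syslog lines carry no year


def parse_line(line):
    """Return (timestamp, outcome, user, source) or None for lines that
    are not authentication events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]


def detect(lines, threshold=4, window_seconds=60):
    """Walk the lines in order, keeping per-source failure timestamps inside
    the window. Returns sources that crossed the threshold and (source, user)
    pairs where a success arrived while the burst was still in the window."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    flagged = set()
    suspicious_success = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, src = parsed
        q = recent[src]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # failure has aged out of the window
        if outcome == "Failed":
            q.append(ts)
            if len(q) >= threshold:
                flagged.add(src)
        elif src in flagged and len(q) >= threshold:
            suspicious_success.add((src, user))
    return {"bruteforce": sorted(flagged),
            "success_after_failures": sorted(suspicious_success)}


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, hits in run_sample().items():
        print(f"{kind}: {hits}")
```

The two outputs deserve different handling: a threshold breach alone is noisy (a misconfigured client can produce it) and is worth a ticket, while a success immediately after a burst from the same source is worth paging someone. The threshold and window are parameters because the right values depend on the host's normal login pattern, which is exactly the kind of tuning the article says is best left to a service with visibility across many customers.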
With systems at different stages in their lifecycle, there is often a legacy of many security regimes, which creates risks as well as maintenance expenses. Multiple versions of security systems at different release levels, each associated with specific applications, can lead to misunderstandings, inconsistent feature sets and different mitigation practices. Therefore, it is important to look to harness these Web-based services to monitor and analyse traffic. An email security service is another example of a cloud security service, but it is specific to email traffic, supporting remote as well as office-based users.
Equally important to containing costs is to establish a common management console. This enables the security systems to be rationalised so that IT can manage the endpoint, data centre and cloud systems in a unified way.
When harnessing cloud solutions or a cloud infrastructure, evaluating the security practices and how they interface with other systems is a key requirement. Simply accepting that a cloud provider delivers the necessary levels of security is not adequate. For example, the security mechanism may focus on encrypting the links and data flows to and from the cloud but fall short on event logging, or it may run a full physical server image for each virtual instance, with the resulting overhead.
Understand security solutions to protect systems architecture
Security solutions designed to protect the extended enterprise, from endpoints through the server and storage architecture to the cloud, must become the bedrock of the security strategy. They must be fully virtual-machine aware and integrated with popular virtualisation platforms. They must secure against platform-specific threats while operating so as to optimise performance.
The best solutions deliver integrated security. For example, an integrated server security product will include anti-malware tools, encryption, event logging, secure system patching and upgrading, data loss prevention and verification of the integrity of all information in files and databases.
To simplify management processes, an integrated solution with one management console should address the unique aspects of physical servers, desktops, laptops, tablets, smartphones and other endpoints, virtualisation and the cloud.
To date, there is no single product that addresses all of these issues. Thus, it is necessary to consider security advisers and service providers to assist in bringing the various components into a holistic operational solution. EMC, IBM, Symantec and Trend Micro, amongst others, offer the capability to meet these challenging requirements.
Help from security professionals
No matter what phase a business is in on its journey to the cloud, it needs a security solution that will protect it today and as its data centre and endpoints evolve in the future. System complexity is increasing and businesses need security they can trust. This often entails the engagement of professional services, so look to a provider that has data centre, endpoint and cloud delivery options to support systems as needs change. This will avoid costly retraining, allow for long-term planning and lead to the foundation of a secure systems architecture for the long term.
Hamish Macarthur is the founder of Macarthur Stroud International, a research and consulting organisation specialising in the technology markets.