Consolidation: less isn't always more

01 Apr 10

A lot of attention has been given to making sure virtual machines (VMs) are updated, manageable and protected. Now, with the introduction of virtual infrastructure and physical hardware pooling, a whole new set of challenges awaits us, many of which are only just becoming apparent. Security zoning is essential in the design of any system and, while often overlooked, it has long been a proven strategy. So how can something such as virtualisation affect how we zone our systems?

Security zoning is based on the core concepts of classification and compartmentalisation. Both data and systems are classified into groups of differing sensitivity. Classified data is stored separately from general data. Critical and high-security systems are segmented from public systems. Accounts used to access high-security systems are never used on low-security systems. The required level of security determines the amount of compartmentalisation. The purpose is to prevent less secure or low-priority systems and data from compromising more sensitive systems and data.

Virtualisation design will often focus on maximising the rate of consolidation to produce greater savings and lower running costs. When this is combined with the ability to pool physical hosts and storage devices, we begin to create security concerns. Now the domain controller is running on the same host as the print server and is stored on the same storage as the public web server. Suddenly all the security zones and segments become virtualised as well. Communication between VMs becomes largely invisible to traditional security systems running outside the virtual environment, and a compromised host affects all of its VMs regardless of virtual segmentation.

Physical access to hosts in a large environment based on secure racks becomes harder to regulate, as it is not apparent whether a particular server is hosting sensitive systems at any particular time. There is also the question of management. What point is there to virtual network segmentation and zoning when a handful of management workstations and user accounts are used to access them all?

In order to provide higher levels of security we must look beyond consolidation to preserve our security zones. In lower-security environments, implementing virtual security and unified threat management (UTM) appliances between our virtual network segments and machines will provide much-needed security and management of communications between VMs. In higher-security environments it is necessary to augment this further by providing separate hardware pools for each zone, to prevent VMs of different sensitivity from co-existing on the same host or storage device.
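One way to check a placement against that hardware-pool rule, as an added example that is not part of the original article: each host and datastore is assigned to exactly one zone's pool, and the audit reports any VM placed outside its zone's pool as well as any host or datastore that ends up holding VMs of more than one zone. The hosts, datastores, VMs and zone names below are constructed sample data.

```python
"""Audit a VM placement against per-zone hardware pooling (added example)."""
from collections import defaultdict

# Constructed inventory: every host and datastore belongs to one zone's pool.
HOST_POOL = {"esx01": "high", "esx02": "high", "esx03": "low", "esx04": "low"}
STORE_POOL = {"san-a": "high", "san-b": "low"}

# Constructed placement: (vm name, vm classification, host, datastore).
PLACEMENT = [
    ("dc01", "high", "esx01", "san-a"),    # domain controller, correctly placed
    ("web01", "low", "esx03", "san-b"),    # public web server, correctly placed
    ("print01", "low", "esx01", "san-b"),  # low VM sharing a host with dc01
    ("db01", "high", "esx03", "san-a"),    # high VM on a low-zone host
    ("app01", "low", "esx04", "san-a"),    # low VM stored on high-zone storage
]


def audit_placement(placement, host_pool, store_pool):
    """Return violations as (kind, subject, detail) tuples.

    kind is one of: vm_host, vm_store (VM outside its zone's pool, including
    hosts/stores in no pool at all), host_mixed, store_mixed (co-residency of
    VMs from different zones on one physical host or datastore).
    """
    violations = []
    host_zones, store_zones = defaultdict(set), defaultdict(set)
    for vm, zone, host, store in placement:
        if host_pool.get(host) != zone:
            violations.append(("vm_host", vm, host))
        if store_pool.get(store) != zone:
            violations.append(("vm_store", vm, store))
        host_zones[host].add(zone)
        store_zones[store].add(zone)
    # Co-residency check: a compromised host or shared datastore exposes every
    # VM on it, so mixing zones there defeats the virtual segmentation.
    for host, zones in sorted(host_zones.items()):
        if len(zones) > 1:
            violations.append(("host_mixed", host, tuple(sorted(zones))))
    for store, zones in sorted(store_zones.items()):
        if len(zones) > 1:
            violations.append(("store_mixed", store, tuple(sorted(zones))))
    return violations


if __name__ == "__main__":
    for kind, subject, detail in audit_placement(PLACEMENT, HOST_POOL, STORE_POOL):
        print(f"{kind}: {subject} -> {detail}")
```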

Researchers have already highlighted some of the potential risks involved in large-scale hardware pooling with the internal mapping and prediction of VM placements within a high-profile public cloud. How do we, for example, manage the zoning of our systems from not just each other but also the systems of other entities hosted in a third party cloud? Clearly this is one of the biggest barriers to wider adoption of cloud-based systems and is a question to which cloud vendors have yet to provide a satisfactory answer.

The key point to remember is that no system or platform is inherently secure, and virtualisation is no exception. Virtualisation provides us with a powerful platform on which to base our systems, but if we wish to secure them there is more to consider than rack space and cooling costs.
