Consolidation: less isn't always more

01 Apr 2010

A lot of attention has been given to making sure virtual machines (VMs) are patched, manageable and protected. Now, with the introduction of virtual infrastructure and physical hardware pooling, a whole new set of challenges awaits us, many of which are only just becoming apparent.

Security zoning is essential in the design of any system and, while often overlooked, it has long been a proven strategy. So how can something such as virtualisation affect how we zone our systems?

Security zoning is based on the core concepts of classification and compartmentalisation. Both data and systems are classified into groups of differing sensitivity. Classified data is stored separately from general data. Critical and high-security systems are segmented from public systems. Accounts used to access high-security systems are never used on low-security systems. The required level of security determines the degree of compartmentalisation. The purpose is to prevent less secure or low-priority systems and data from compromising more sensitive systems and data.

Virtualisation design often focuses on maximising the rate of consolidation to produce greater savings and lower running costs. When this is combined with the ability to pool physical hosts and storage devices, security concerns begin to appear. Now the domain controller is running on the same host as the print server and is stored on the same storage as the public web server. Suddenly all the security zones and segments become virtualised as well. Traffic between VMs on the same host never leaves the hypervisor's virtual switch, so it is largely invisible to traditional security systems running outside the virtual environment, and a compromised host or hypervisor exposes all of its VMs regardless of virtual segmentation. Physical access to hosts in a large environment based on secure racks becomes harder to regulate, as it is not apparent whether a particular server is hosting sensitive systems at any particular time.

There is also the question of management.
What point is there to virtual network segmentation and zoning when a handful of management workstations and user accounts are used to access them all?

In order to provide higher levels of security we must look beyond consolidation to preserve our security zones. In lower-security environments, placing virtual security and UTM (unified threat management) appliances between virtual network segments and machines provides much-needed inspection and control of communications between VMs. In higher-security environments it is necessary to go further and provide separate hardware pools for each zone, so that VMs of differing sensitivity never co-exist on the same host or storage device. The same principle applies to the management plane: if accounts for high-security systems are never to be used on low-security systems, each zone needs its own management workstations and administrative accounts.

Researchers have already highlighted some of the potential risks involved in large-scale hardware pooling by mapping the internal placement of VMs within a high-profile public cloud and predicting where a newly launched VM will land. How do we, for example, manage the zoning of our systems not just from each other but also from the systems of other entities hosted in a third-party cloud? Clearly this is one of the biggest barriers to wider adoption of cloud-based systems, and it is a question to which cloud vendors have yet to provide a satisfactory answer.

The key point to remember is that no system or platform is inherently secure, and virtualisation is no exception. Virtualisation provides us with a powerful platform on which to base our systems, but if we wish to secure them there is more to consider than rack space and cooling costs.
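As an added example (not from the original article), the following Python script audits a virtualisation inventory against the three zoning rules above: VMs of different zones must not share a physical host, must not share a storage device, and no administrative account may be used across zones. The inventory, zone names, host and datastore names and the access log are all constructed for illustration; in a real environment they would be pulled from the hypervisor management API and its audit trail.

```python
"""Audit a virtualisation inventory for security-zone placement violations.

Rules checked:
  1. VMs from different zones must not share a physical host.
  2. VMs from different zones must not share a storage device (datastore).
  3. An administrative account must not be used in more than one zone.

All data below is constructed for the example, not taken from any real estate.
"""
from collections import defaultdict

# Constructed inventory: vm -> (zone, host, datastore)
INVENTORY = {
    "dc01":    ("restricted", "esx-01", "san-lun-a"),
    "print01": ("internal",   "esx-01", "san-lun-b"),
    "web01":   ("public",     "esx-02", "san-lun-a"),
    "web02":   ("public",     "esx-02", "san-lun-c"),
    "hr-db":   ("restricted", "esx-03", "san-lun-d"),
}

# Constructed management audit trail: (account, vm) pairs
ACCESS_LOG = [
    ("vadmin", "dc01"),
    ("vadmin", "web01"),
    ("webops", "web01"),
    ("webops", "web02"),
    ("dcadmin", "dc01"),
    ("dcadmin", "hr-db"),
]


def co_residency_violations(inventory, attr_index, label):
    """Return findings for hosts (attr_index=1) or datastores (attr_index=2)
    that carry VMs from more than one zone."""
    zones_by_resource = defaultdict(set)
    for vm, record in inventory.items():
        zones_by_resource[record[attr_index]].add(record[0])
    return sorted(
        f"{label} {name} mixes zones {sorted(zones)}"
        for name, zones in zones_by_resource.items()
        if len(zones) > 1
    )


def account_violations(inventory, access_log):
    """Return findings for accounts whose recorded use spans more than one zone.
    VMs not in the inventory are ignored (they cannot be mapped to a zone)."""
    zones_by_account = defaultdict(set)
    for account, vm in access_log:
        if vm in inventory:
            zones_by_account[account].add(inventory[vm][0])
    return sorted(
        f"account {account} used across zones {sorted(zones)}"
        for account, zones in zones_by_account.items()
        if len(zones) > 1
    )


def audit(inventory=INVENTORY, access_log=ACCESS_LOG):
    """Run all three checks and return the combined list of findings."""
    findings = []
    findings += co_residency_violations(inventory, 1, "host")
    findings += co_residency_violations(inventory, 2, "datastore")
    findings += account_violations(inventory, access_log)
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("VIOLATION:", finding)
```

On the constructed data the audit reports three violations: esx-01 runs a restricted VM next to an internal one, san-lun-a stores the domain controller alongside the public web server, and the vadmin account is used in both the restricted and public zones. The same checks map naturally onto hypervisor anti-affinity rules and role-based access scoping once the data comes from a real management API.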
