Network Security in the Software-Defined Data Center

An overview of the security benefits of a SDDC, including micro-segmentation.


Security within a software defined data center (SDDC) can take on many forms. There’s identity and access management to control users, OS security to safeguard the virtual server, and data security to protect information at rest and in motion. In this article, I'll examine network security within an SDDC architecture. Specifically, I'll review the concepts of micro-segmentation, visibility, extensible policy, and automation to illustrate the evolution of security when all infrastructure is virtualized.

First, let’s look at how enterprise IT security is changing to adapt to modern software-defined architectures. Security in the data center has traditionally consisted of individual, purpose-built appliances such as firewalls and intrusion detection systems. Traffic is funneled through these appliances, which inspect it for malicious behavior. Other network devices such as routers and switches are configured one by one, through access lists and similar settings, to further harden the network.

The problem with this method, as many of you know, is that a single configuration mistake on one network device, such as a misplaced access-list entry or a missing deny rule, can open a path into the entire data center, and the mistake is hard to spot because the policy is scattered across many boxes. With software-defined networking playing a key role in the SDDC, a major benefit is a unified controller that manages the various aspects of the data center network, including security functions. This lets administrators manage a single set of security policies that is then pushed to all parts of the data center, as opposed to configuring individual network appliances. The caveat is that the controller now concentrates trust: an attacker with controller access can rewrite policy for the whole data center, so access control, change auditing and hardening of the controller itself become as important as the policies it distributes.

This also leads to a key network-specific security aspect of the SDDC: micro-segmentation. The beauty of SDN is that policy and forwarding decisions are made in software by the controller, rather than fixed in the configuration of each hardware device. Because of this, the entire data center can be logically segmented in any number of ways, down to an individual workload, without re-cabling or re-addressing anything. Micro-segmentation breaks up the data center network into small logical parts, typically enforcing policy at the virtual switch on each hypervisor so that traffic between two virtual machines is filtered even when it never leaves the host. Workloads are then grouped based on shared security requirements (for example, all web tier servers), and policy is written in terms of those groups rather than individual addresses.


Micro-segmentation performs the logical separation of the various components and applications, while the creation and grouping of policy controls network security within the data center. The SDN controller translates those group-based policies into specific rules and automatically pushes them to the network devices and virtual switches that enforce them; when a workload joins or leaves a group, the affected rules are regenerated without anyone touching the devices.

The single-pane-of-glass benefits enabled by SDN technologies also extend to network visibility. With intelligence residing in the SDN controller that pushes policy to network devices, the burden of configuring monitoring and logging functions is eased, because flow logging and mirroring can be enabled from the same policy. In fact, SDDC architectures can break traditional security monitoring methods: traffic between two virtual machines on the same hypervisor never crosses a physical link, so taps and SPAN ports on the physical switches never see it. Newer traffic visibility and data flow tools use the virtualization layer itself to view the entire data center end-to-end by default, including that east-west traffic. This can enable easier management, faster troubleshooting and streamlined compliance reporting.

Network automation is a critical component when it comes to responding rapidly to security issues in the data center. It’s one thing to automate the process of issuing security alerts. It’s another to automate the remediation of security incidents using analytics and machine-to-machine automation. With an SDDC architecture, both are possible. From a network perspective, a workload that exhibits malicious activity can be automatically blocked, or moved into a quarantine group whose policy permits only the traffic needed for additional scanning, by changing its group membership in the controller rather than editing individual firewalls.

Additionally, you can track any breaches that occur on the network to see what data, applications or servers were impacted, so they can be quickly separated from the rest of the data center for retrospective remediation purposes. Finally, malicious behavior that could impact network functionality, such as a denial-of-service attack, can be handled by re-routing critical data across unaffected network links within the data center. Note that re-routing addresses saturated links; an attack aimed at the application itself still has to be absorbed or filtered at the service.
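To make the group-based policy model and the automated quarantine concrete, here is an added example (not code from the article or from any vendor's controller) of a toy SDN controller in Python. Workloads carry security-group tags, policies are written group-to-group, and compile_rules() expands them into per-host 5-tuple rules ending in a default deny, the way a controller would push them to each hypervisor's virtual switch. quarantine() shows the automated response described above: retagging the workload removes it from every policy except the scanner rule. The hosts, addresses, groups and port numbers are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A compiled rule: (src_ip, dst_ip, proto, dst_port, action). "any" / 0 are wildcards.
Rule = Tuple[str, str, str, int, str]


@dataclass
class Workload:
    name: str
    ip: str
    host: str            # hypervisor whose virtual switch enforces the rules
    groups: Set[str]     # security groups (tags) the workload belongs to


@dataclass(frozen=True)
class Policy:
    src_group: str
    dst_group: str
    proto: str
    port: int


class Controller:
    """Toy SDN controller: group-to-group policies in, per-host rule sets out."""

    def __init__(self) -> None:
        self.workloads: Dict[str, Workload] = {}
        self.policies: List[Policy] = []

    def add_workload(self, w: Workload) -> None:
        self.workloads[w.name] = w

    def allow(self, src_group: str, dst_group: str, proto: str, port: int) -> None:
        self.policies.append(Policy(src_group, dst_group, proto, port))

    def compile_rules(self) -> Dict[str, List[Rule]]:
        """Expand each policy into explicit allow rules for every destination
        workload in the policy's destination group, then close the workload's
        rule list with a default deny. Rules are keyed by host so that each
        hypervisor receives only the rules for the VMs it runs."""
        per_host: Dict[str, List[Rule]] = {}
        for dst in self.workloads.values():
            rules: List[Rule] = []
            for p in self.policies:
                if p.dst_group not in dst.groups:
                    continue
                for src in self.workloads.values():
                    if src is not dst and p.src_group in src.groups:
                        rules.append((src.ip, dst.ip, p.proto, p.port, "allow"))
            rules.append(("any", dst.ip, "any", 0, "deny"))   # default deny
            per_host.setdefault(dst.host, []).extend(rules)
        return per_host

    def quarantine(self, name: str) -> None:
        """Automated response: replace the workload's groups with 'quarantine'.
        Every existing policy stops matching it; only a policy whose
        destination is the quarantine group (here, the scanner) still reaches
        it. No per-device edits are needed; the next compile does the work."""
        self.workloads[name].groups = {"quarantine"}

    def allowed_sources(self, name: str) -> Set[str]:
        """Which source IPs may reach the named workload under the current policy."""
        w = self.workloads[name]
        return {r[0] for rules in self.compile_rules().values()
                for r in rules if r[1] == w.ip and r[4] == "allow"}


def build_demo() -> Controller:
    """Constructed three-tier environment plus a vulnerability scanner (hypothetical)."""
    c = Controller()
    c.add_workload(Workload("web1", "10.0.1.10", "esx-a", {"web"}))
    c.add_workload(Workload("app1", "10.0.2.10", "esx-b", {"app"}))
    c.add_workload(Workload("db1", "10.0.3.10", "esx-b", {"db"}))
    c.add_workload(Workload("scan1", "10.0.9.5", "esx-a", {"scanner"}))
    c.allow("web", "app", "tcp", 8080)            # web tier may call the app tier
    c.allow("app", "db", "tcp", 3306)             # app tier may query the database
    c.allow("scanner", "quarantine", "tcp", 22)   # scanner may inspect quarantined hosts
    return c


if __name__ == "__main__":
    c = build_demo()
    print("db1 reachable from:", c.allowed_sources("db1"))    # {'10.0.2.10'}
    c.quarantine("app1")                                       # app1 raised an alert
    print("db1 reachable from:", c.allowed_sources("db1"))    # set()
    print("app1 reachable from:", c.allowed_sources("app1"))  # {'10.0.9.5'}
```

The point to notice is that the quarantine touches no rule directly: the response is a single change of group membership in the controller, and the per-host rule sets for every hypervisor follow from the policy. A real controller would also version and audit that change, since the same mechanism that isolates a compromised host could be used by an attacker with controller access to open paths instead.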

As you can see, software-defined technologies can significantly ease the deployment, management and troubleshooting of security controls within a data center. Over the years, network security has grown increasingly complex to implement. SDDC security will help to eliminate many of those complexities by taking advantage of advancements in network functions virtualization, automation, analytics, and centralized management, provided the controller that holds all of that policy is itself protected accordingly.

About the Author(s)

Andrew Froehlich, President, West Gate Networks

President, West Gate Networks

As a highly experienced network architect and trusted IT consultant with worldwide contacts, particularly in the United States and Southeast Asia, Andrew Froehlich has nearly two decades of experience and possesses multiple industry certifications in the field of enterprise networking. Froehlich has participated in the design and maintenance of networks for State Farm Insurance, United Airlines, Chicago-area schools and the University of Chicago Medical Center. He is the founder and president of Loveland, Colo.-based West Gate Networks, which specializes in enterprise network architectures and data center build outs. The author of two Cisco certification study guides published by Sybex, he is a regular contributor to multiple enterprise IT related websites and trade journals with insights into rapidly changing developments in the IT industry.
