Automating Advanced Security in the Software-Defined Data Center
Co-authored by Tom Corn, Senior Vice President of Security Products at VMware and Raja Patel, General Manager of Intel Security
Security is at a crossroads. Security spend is at an all time high, yet cyber attacks cost businesses as much as $400 billion a year. There is significant innovation in security yet east-west traffic which comprises about 80% of data center traffic and is the place where all breaches occur is not inspected. Once an adversary has made it past north-south defenses, the data center can become a wide open playground.
Simply moving existing, perimeter-based controls into the datacenter is enormously complex, and aligning these controls to what is being protected (critical applications and data) is challenging.
The root cause of this complexity is architectural in nature. In a traditional datacenter we have hundreds and sometimes thousands of multi-tiered applications and services, all sharing a common infrastructure. We have tools to segment the environment, but they tend to limit us to segmenting around physical attributes – like app servers versus web servers. In that environment, aligning security controls and policy to what is being protected (critical applications and sensitive data) is simply not feasible.
A Software-Defined Data Center (SDDC) approach addresses this problem and provides a fundamentally different approach to data center security. An SDDC provides the ability to segment the data center based on logical boundaries (applications or compliance scopes) and then aligns controls and policies to those logical boundaries. The SDDC can share state between controls, allowing controls to easily communicate with each other and work as a cohesive system. The SDDC can implement policy as it was intended, focusing on users, applications and data — ultimately creating a “least privilege” or zero trust environment that is easier to secure and harder to breach.
SDDCs delivers inherently better security with network, isolation and segmentation. SDDC architectures also enable granular segmentation or micro-segmentation for workload-level threat protection and provide automation of advanced security services including intrusion detection and prevention, deep file analysis and file reputation management, behavioral analysis, advanced threat defense and bot detection.
VMware NSX network virtualization and Intel Security have collaborated to enable data center customers to leverage NSX for dynamic insertion and orchestration of McAfee Network Security Platform (NSP) inside the data center. The integrated solution is based on bi-directional synchronization of context and intelligence between the NSX data center infrastructure and the Intel Network Security Platform which discovers and blocks sophisticated network threats using advanced techniques. Customers benefit by being able to fully leverage the SDDC architecture and Intel Security services without disruption to existing security tools and workflows.