Application-aware Microsegmentation for Data Center Consolidation

When undertaking Data Center Consolidation or Refresh projects, we hear CIOs and IT Operators telling us the same things over and over.  The old way of running IT Operations is no longer cost-efficient in competitive industries.  Static, hardware-first architectures and siloed applications have gotten us out of the Information Dark Ages, but they simply can’t operate with the dynamism required by today’s digital businesses.  

The new world is one where software, not hardware, forms the basis of data center architectures.  Applications are no longer built using dedicated servers organized like building blocks into monolithic architectures with relatively simple interactions.  Instead, the data center has become a big ball of APIs stitching together microservices with network, compute, and storage all operating like utilities just waiting to be called on - similar to the water faucet in your kitchen or the lights in your office… at least that’s the promise.

The fact is that most organizations fall somewhere in between archaic and autopia (a word I just concocted, describing a utopian state of automation. Incidentally, also a Disney attraction as Google informs me!)  Okay, so maybe the word isn’t technically mine, but that doesn’t change the fact that many organizations are moving quickly towards this state by undertaking consolidation or refresh projects and deploying new technologies, typically in line with hardware refresh cycles.

There exist myriad companies out there, some of them quite large, offering solutions covering their part of the network-storage-compute “stack,” and much of it is really impressive.  Where that hasn’t been the case though is in the security part of the equation - why is security a laggard here?  

The answer to that question lies in the fact that a similarly impressive security solution (to the network-storage-compute stack) hasn’t been readily available. Traditional vendors are still trying to shoehorn their ASIC-based hardware offerings into ill-performing clunky single-instance virtual machine versions that do very little to provide security with any sort of agility or speed.  Most of the startups in the space are saying “throw my agent (or whatever cute word they’re using to convince you it’s not an agent) on your workload and let it manage IPTables or Windows Firewall for you.”  In my best “Office Space” Lumbergh rendition:  “Yeah... Payroll runs on that fragile custom version of AIX on those old boxes in the corner.  Yep, they’re powered on.  The LEDs burned out in 2008.  If you could go ahead and not install anything on them that’d be great… mmkay?”

At vArmour, we take a different approach.  We feel that security should be proactive and “built-in” for the network infrastructure via dynamic, distributed software. Port 80 is the new transport.  Port 53 is frequently abused by bad actors.  If you can’t write and enforce stateful policies in the data center around the applications instead of the 5-tuple, what’s the point?  At vArmour, we have a strong point of view on Security:

  • Security needs to understand both the applications in your infrastructure and their interactions (and be able to define/control those interactions)
  • Security should be fully automated via integrations into configuration management and orchestration systems.  
  • Security should be in place and enforced in a location that’s immune to compromised workloads instead of being co-resident on the workloads themselves.
  • Security Policy should be created or updated dynamically at workload or application instantiation time, regardless of whether that workload is being spun up by a virtual machine manager or a Container scheduler.  
  • Policy should follow your workload as it’s promoted from Dev to Stage to Prod, without requiring any topology changes.  
  • Finally, your insertion strategy shouldn’t rely on closed or proprietary APIs or traffic steering gymnastics and should remain independent of the underlying hardware and software stack.
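To make the contrast in the list above concrete, here is a small policy simulator (example code written for this post, not vArmour's software or its API) that evaluates the same flows against classic 5-tuple rules and against application-aware rules keyed on workload labels. Every workload, address, label and rule in it is constructed for illustration; the label names (`app`, `env`) and the inventory fed "at instantiation time" are assumptions that stand in for whatever an orchestrator would supply.

```python
"""Added example (not vArmour's code): 5-tuple rules versus label-based,
application-aware policy. All workloads, IPs, labels and rules are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

Labels = Dict[str, str]


@dataclass
class Workload:
    name: str
    ip: str
    labels: Labels          # e.g. {"app": "payroll-web", "env": "dev"} (assumed label names)


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass
class TupleRule:
    """Classic 5-tuple allow rule; '*' and 0 act as wildcards."""
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int

    def matches(self, f: Flow) -> bool:
        return (self.src_ip in ("*", f.src_ip) and self.dst_ip in ("*", f.dst_ip)
                and self.proto == f.proto and self.dst_port in (0, f.dst_port))


@dataclass
class AppRule:
    """Application-aware allow rule: label selectors instead of addresses."""
    src_sel: Labels          # every key/value must be present on the source workload
    dst_sel: Labels
    proto: str
    dst_port: int
    same_env: bool = True    # dev talks to dev, prod to prod, never across

    def matches(self, src: Workload, dst: Workload, f: Flow) -> bool:
        def sel(labels: Labels, selector: Labels) -> bool:
            return all(labels.get(k) == v for k, v in selector.items())
        if not (sel(src.labels, self.src_sel) and sel(dst.labels, self.dst_sel)):
            return False
        if self.same_env and src.labels.get("env") != dst.labels.get("env"):
            return False
        return self.proto == f.proto and self.dst_port == f.dst_port


class Inventory:
    """IP -> workload map, updated by the orchestrator when workloads are instantiated."""
    def __init__(self) -> None:
        self._by_ip: Dict[str, Workload] = {}

    def register(self, w: Workload) -> None:
        self._by_ip[w.ip] = w

    def lookup(self, ip: str) -> Optional[Workload]:
        return self._by_ip.get(ip)


def allowed_by_tuple(rules: List[TupleRule], f: Flow) -> bool:
    return any(r.matches(f) for r in rules)            # default deny


def allowed_by_app(rules: List[AppRule], inv: Inventory, f: Flow) -> bool:
    src, dst = inv.lookup(f.src_ip), inv.lookup(f.dst_ip)
    if src is None or dst is None:                     # no identity: no rule can match
        return False
    return any(r.matches(src, dst, f) for r in rules)


def promotion_demo() -> Dict[str, bool]:
    """Payroll web tier promoted from dev to prod: which policy style still holds?"""
    inv = Inventory()
    inv.register(Workload("payroll-web-dev", "10.1.1.10", {"app": "payroll-web", "env": "dev"}))
    inv.register(Workload("payroll-db-dev", "10.1.1.20", {"app": "payroll-db", "env": "dev"}))
    tuple_rules = [TupleRule("10.1.1.10", "10.1.1.20", "tcp", 5432)]
    app_rules = [AppRule({"app": "payroll-web"}, {"app": "payroll-db"}, "tcp", 5432)]
    dev_flow = Flow("10.1.1.10", "10.1.1.20", "tcp", 5432)
    # Promotion: same application, new addresses, env label set by the orchestrator.
    inv.register(Workload("payroll-web-prod", "10.2.1.10", {"app": "payroll-web", "env": "prod"}))
    inv.register(Workload("payroll-db-prod", "10.2.1.20", {"app": "payroll-db", "env": "prod"}))
    prod_flow = Flow("10.2.1.10", "10.2.1.20", "tcp", 5432)
    cross_env = Flow("10.1.1.10", "10.2.1.20", "tcp", 5432)     # dev web -> prod db
    return {
        "tuple_dev": allowed_by_tuple(tuple_rules, dev_flow),       # True
        "tuple_prod": allowed_by_tuple(tuple_rules, prod_flow),     # False: rule pinned to old IPs
        "app_dev": allowed_by_app(app_rules, inv, dev_flow),        # True
        "app_prod": allowed_by_app(app_rules, inv, prod_flow),      # True: policy followed the workload
        "app_cross_env": allowed_by_app(app_rules, inv, cross_env), # False: env boundary enforced
    }


def dns_demo() -> Dict[str, bool]:
    """'Allow udp/53 anywhere' versus 'allow udp/53 only to the DNS service'."""
    inv = Inventory()
    inv.register(Workload("orders-1", "10.1.2.5", {"app": "orders", "env": "prod"}))
    inv.register(Workload("dns-1", "10.1.0.53", {"app": "dns", "env": "prod"}))
    tuple_rules = [TupleRule("*", "*", "udp", 53)]
    app_rules = [AppRule({}, {"app": "dns"}, "udp", 53)]     # empty src selector: any known workload
    to_resolver = Flow("10.1.2.5", "10.1.0.53", "udp", 53)
    to_outside = Flow("10.1.2.5", "203.0.113.9", "udp", 53)   # constructed TEST-NET address, not in inventory
    return {
        "tuple_resolver": allowed_by_tuple(tuple_rules, to_resolver),  # True
        "tuple_outside": allowed_by_tuple(tuple_rules, to_outside),    # True: the port alone cannot tell
        "app_resolver": allowed_by_app(app_rules, inv, to_resolver),   # True
        "app_outside": allowed_by_app(app_rules, inv, to_outside),     # False: no DNS identity there
    }


if __name__ == "__main__":
    for name, ok in {**promotion_demo(), **dns_demo()}.items():
        print(f"{name:16} {'ALLOW' if ok else 'DENY'}")
```

The two demos map onto two bullets above: promotion from dev to prod breaks the 5-tuple rule (or forces a rule rewrite) while the label rule keeps matching because the orchestrator re-registered the workload with its labels, and a port-only DNS rule cannot distinguish the internal resolver from an arbitrary outside address, whereas the application-aware rule denies anything whose destination has no DNS identity in the inventory.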

Data Center Consolidation or Refresh time is the perfect opportunity to cloudify your environment by leveraging new technologies that are cloud-native and hardware agnostic.  If you’re already taking a more software-centric approach with your Network (leveraging Cisco ACI or Arista EOS or similar) and with your Compute (employing vCenter, Nutanix Prism, or Kubernetes), then these solutions *must* be orchestrated. What are your plans for Security? Your Security solution has absolutely got to keep up. Consider a cloud-native, orchestrated, and automated security solution with layer 7 telemetry, like vArmour, that renders security seamless and dynamic across your data center. Would love to hear your thoughts, so feel free to email us to discuss at noappliances @
