The Genesis of Project Ice Cream to Deliver Cloud-Scale Security

Clouds are based on speed, scale and economics, which are the antithesis of legacy security systems. In fact, these factors can be challenging to any true security functions, which need to maintain state, process content deeply, and identify threats in huge volumes of data. Our newest architecture delivers on speed, scale and economics without compromising on security - you can see the numbers in our infographic.

At vArmour, we began with security that could be dynamically instantiated in software through APIs. We felt that basic 'packet filter'-based controls would never be sufficient, and that the data produced by a distributed security system could be used to profile application behaviour, identify anomalies, and detect threats in an unprecedented manner.

Once you can demonstrate those capabilities, however, the next question becomes “how do I realize this value across my entire multi-cloud?” If you can wrap your entire data center and cloud infrastructure in a consistent set of powerful controls aligned with unprecedented visibility and threat detection, then you unleash the power of cloud – where your applications can move and scale, without constraints related to security deficiencies in a given environment.

Twelve months ago, we realized that our customers needed the vArmour DSS Distributed Security System to scale to meet their emerging data center pod designs, which provided unprecedented resource density and the ability to scale rapidly. It was also clear that the security platform needed to scale in terms of performance, keeping pace with the IO throughput and latency common in modern data centers, while processing traffic at Layer 7 and maintaining the state necessary to be secure while supporting workload and application portability. Our journey to evolve to a new architecture was code-named "Project Ice Cream."

Fortunately, the fundamentals of our architecture were solid – based upon proven distributed systems principles – and we just needed to consider how to optimize our components at cloud scale, in terms of data plane performance, control plane scale-out, and management plane throughput. This is what we achieved:

Performance. Data plane throughput of 9 Tbps for a single Distributed System (a typical benchmark; it can be higher depending on the traffic mix).

Coverage. Logical workload scaling to protect 100,000 VMs on 1,000 hosts (again, these boundaries are somewhat artificial, providing us with a convenient limit against which to test while meeting the requirements of a single data center pod). To scale protection beyond a single system, you can deploy multiple fabrics and use our functionally complete APIs to replicate policy as required.

Scale. A threat analytics platform, fed by high-performance traffic logging over an optimized wire protocol and clustered log collectors, scales out to millions of log messages per second, providing high-fidelity visibility across the entire multi-cloud.

Availability. Extreme system robustness at scale, derived from the clean separation of data, control and management plane functions in a scalable distributed systems architecture.

Simplicity. The simplicity of deploying advanced security within a single system, without the need to chain specialist security appliances into an SDN data plane. A single configuration, one set of declarative policies, all highly automated and simplified for the operator. This simplicity both improves operational effectiveness and transforms the economics of operating multi-cloud environments.

Integration. The ability to consume logs, detect anomalies and threats, and let the security analyst quickly analyze the situation and quarantine compromised workloads immediately, with a single click. The richest and most scalable deep visibility within the multi-cloud provides insight and analytics at the workload, application, user, and data layers.

At vArmour, we are incredibly proud of our new architecture from Project Ice Cream. We believe that it will transform the way that data centers and clouds are secured – matching the scale, performance, simplicity and economics of the cloud itself.

See how Project Ice Cream delivers on cloud-scale attributes for security “by the numbers” in our new infographic and read the official press release.

P.S. Any 'security solution' that doesn't maintain state or process interactions deeply (for instance, one that relies on superficial tools such as Windows packet filtering libraries) can provide nothing but superficial security controls. But that's a story for another day...