Securing the Cloud

Embedded Security for Hyper-Converged Infrastructure
Simple, distributed, application-aware security
Reducing risk in a converged world

Enterprise IT has moved away from siloed servers, storage, information, and processes and is embracing hyper-converged, virtualized, and cloud-based technologies for agility, speed, cost savings, simplified management, and elastic, scale-out architectures. Hyper-convergence is fundamentally transforming data center infrastructures by combining servers, storage, virtualization and management components into one integrated, distributed platform that is easy to deploy and operate. Essentially, IT has an “enterprise cloud in a box”: a single shared resource pool in which applications are deployed, easily automated, provisioned, and treated as a service.

However, a flat pool of infrastructure resources raises two security considerations:
  1. An open attack surface: an adversary who compromises a low-business-impact service can then move easily to a high-value service on the same pool.
  2. Different workloads and applications on the same shared infrastructure have different trust and security requirements, driven by the criticality, sensitivity or regulated nature of the underlying data, which is at odds with the very nature of an integrated system.


The vArmour Solution

vArmour DSS provides a distributed platform that easily integrates as a guest virtual machine and builds security as another service that can be orchestrated along with the infrastructure without the use of agents or complex SDNs. By placing security controls directly next to the assets being protected, vArmour provides a holistic view of the application traffic moving across the network that is needed to better understand the application behaviors and dependencies for effective policy construction.

Figure: Before, assets are commingled on the same shared infrastructure. After, assets can have different security policies, enabling greater security and compliance.
Application-aware, stateful policies embedded into infrastructure

vArmour DSS enables administrators to micro-segment each workload through application-aware policies, thereby isolating them from other workloads in the shared resource pool. This partitioning of the infrastructure into disparate pools drastically reduces the exposed threat surface by restricting communication between applications using Layer 7 stateful controls. Likewise, administrators can define allowed access to specific applications, services and workflows and deny other behaviors outside of those definitions.

Simple, automated policy creation

With security embedded into the compute and hyper-converged infrastructure, vArmour DSS can be automated as part of the DevOps process. As new workloads are provisioned on hyper-converged platforms, vArmour DSS removes the need to write new security policies manually at the point of creation, so security can match the speed of on-demand compute and storage resources. Traditional network segmentation solutions based on hardware-bound zones of firewalls or VLANs create static, non-elastic silos with no automation in highly dynamic data centers.

Logical segmentation of mixed workloads

Organizations can commingle assets with different security requirements on the same shared tenancy - whether by data state (test/dev/prod), application tier (web/application/database), or any other grouping that aligns to their business. With application context, vArmour DSS allows customers to easily isolate systems and move workloads between functional states, such as when they move from development or test status into production. There is no need to rely on hardware-bound zones as the primary policy construct for workload separation.
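To make the label-based, default-deny model behind the sections above concrete, here is an added illustration (not vArmour's code; label names, application identifiers and the inventory are constructed for the example): workloads carry an environment and tier label, allow rules are written against labels rather than addresses or hardware zones, flows are matched on the Layer 7 application as well as the port, and a workload is promoted from dev to prod simply by relabelling it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: dict   # label selector the source workload must match (every key)
    dst: dict   # label selector the destination workload must match
    app: str    # application identified at Layer 7 (assumed app-id names), not just the port
    port: int

# Allow-list keyed on labels; any flow not matched is denied (default deny).
# Both endpoints must share the same "env" label, which keeps dev/test/prod isolated.
POLICY = [
    Rule({"tier": "web"}, {"tier": "app"}, "https", 8443),
    Rule({"tier": "app"}, {"tier": "db"}, "postgres", 5432),
]

# Constructed inventory; labels are attached when a workload is provisioned.
WORKLOADS: dict[str, dict] = {}

def provision(name: str, **labels: str) -> None:
    """Register a new workload; the label-based rules cover it without any new policy."""
    WORKLOADS[name] = dict(labels)

def promote(name: str, env: str) -> None:
    """Move a workload between data states (e.g. test -> prod) by relabelling it."""
    WORKLOADS[name]["env"] = env

def _matches(labels: dict, selector: dict) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())

def evaluate(src: str, dst: str, app: str, port: int) -> tuple[str, str]:
    """Decide a flow src -> dst carrying `app` on `port`; returns (verdict, reason)."""
    s, d = WORKLOADS[src], WORKLOADS[dst]
    if s.get("env") != d.get("env"):
        return "deny", "cross-environment flow"
    for r in POLICY:
        if _matches(s, r.src) and _matches(d, r.dst) and (app, port) == (r.app, r.port):
            return "allow", f"{r.src}->{r.dst} {r.app}/{r.port}"
    return "deny", "no matching rule (default deny)"

if __name__ == "__main__":
    provision("web-prod", env="prod", tier="web")
    provision("app-prod", env="prod", tier="app")
    provision("db-prod", env="prod", tier="db", regulated="pci")
    provision("app-dev", env="dev", tier="app")
    print(evaluate("app-prod", "db-prod", "postgres", 5432))  # allow: app tier may reach db
    print(evaluate("app-dev", "db-prod", "postgres", 5432))   # deny: dev cannot reach prod
    print(evaluate("web-prod", "db-prod", "postgres", 5432))  # deny: web tier may not touch db
    print(evaluate("app-prod", "db-prod", "ssh", 5432))       # deny: wrong application on an allowed port
    promote("app-dev", "prod")
    print(evaluate("app-dev", "db-prod", "postgres", 5432))   # allow: relabelled into prod
```

The second and fourth checks are the lateral-movement and port-only-filtering cases: a compromised low-impact dev workload cannot reach the regulated database, and a non-database application on the database port is still refused.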

Meet compliance and regulatory demands

Organizations with compliance- and governance-bound applications can separate regulated from non-regulated workloads on the same shared infrastructure to meet standards such as PCI, HIPAA, FFIEC, GDPR, FINRA, and others. vArmour integrates with the Nutanix Enterprise Cloud Platform and HPE Hyper Converged platforms to provide a secure cloud system that meets the requirements of highly classified environments.


Benefits
  • Move faster with a simpler, scale-out virtual infrastructure to deploy, manage and secure for the most demanding business-critical applications
  • Increase utilization by consolidating all workloads on the same infrastructure without impacting performance or sacrificing security
  • Radically reduce capital and operational costs, by up to 70%