I feel sorry for IT security admins these days. The enterprise network used to be relatively easy to protect: crunchy on the outside, chewy and soft in the middle. Protect the perimeter, and you were safe. Now that boundaries have disappeared, threats have evolved, and BYOD (Bring Your Own Device) has become a reality, where should enterprises focus their security efforts?
I say the data center. Of course I subscribe to the notion of defense-in-depth, but if there is one place security should never be neglected, it’s where all your important servers and data reside.
In principle, data center security is pretty straightforward: secure application access, meaning authorized users reaching approved applications and nothing else. You have to do that while preventing threats and complying with regulatory requirements. Of course, you must also ensure that you do not impact performance or productivity; more on that later. First, I want to go back to the secure application enablement challenge.
Ensuring secure application access by authorized users to approved applications should be simple, right? After all, you know what applications are running in your data center, and you know who your users are. Well, in theory you do, but your enterprise is probably full of geeky application developers who are not only supporting off-the-shelf enterprise applications but also developing home-grown custom apps that use a variety of ports, many of them non-standard. You end up either opening every port on your legacy firewall (at which point a port-based rule no longer tells you which application is actually passing through it), or incurring the wrath of your app developers by taking too long to enable the right policy on the right firewall, the right VLAN, the right access.
How many data center legacy firewall ACLs are modified every day just to keep up with application adds, moves and changes? How long does it typically take to enable an application? And what about the "user" aspect of secure application enablement? Remember the X-Files mantra, "Trust No One"?
Forrester Research's Zero Trust Model advocates that we apply it to networks today. Not "trust but verify", but "do not trust, always verify". This means you need to identify the users or groups of users accessing applications, and the policy default has to be deny: nothing passes unless an explicit rule allows that user group to reach that application. Based on how the applications are used, you also need to segment parts of the data center to limit how far a compromise can spread (i.e. the development apps should be separate from the production apps; the PCI servers should be segmented from the rest of the network and accessible only to the finance users). One caveat worth keeping in mind: identity-based policy is only as trustworthy as the directory and authentication behind it, so the identity source needs the same protection as the data center it gates.
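As an added illustration of the default-deny, identity- and application-aware policy described above (example code written for this edit, not Palo Alto Networks code or any product's policy syntax), the following Python contrasts a legacy port-based ACL with a zero-trust evaluator. The zone names, user groups, application labels, rules and sample sessions are all constructed, and the example assumes that some upstream mechanism has already identified the application and the user's groups for each session.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """An explicit allow rule; anything not matched by a rule is denied."""
    name: str
    src_zone: str
    dst_zone: str
    groups: frozenset   # user groups permitted; {"any"} matches every user
    apps: frozenset     # application identifiers (what the traffic is), not ports


@dataclass(frozen=True)
class Flow:
    """A session as the policy engine sees it: who, from where, to where, what."""
    user: str
    groups: frozenset
    src_zone: str
    dst_zone: str
    app: str            # constructed application label (assumes app identification exists)
    dst_port: int


# Constructed rule base: PCI, production and dev segments with explicit allows only.
RULES = (
    Rule("finance-to-pci", "corp-users", "pci", frozenset({"finance"}), frozenset({"ledger-web"})),
    Rule("dev-to-dev", "dev-users", "dev", frozenset({"developers"}), frozenset({"ssh", "git", "custom-build"})),
    Rule("anyone-to-intranet", "corp-users", "prod", frozenset({"any"}), frozenset({"intranet-web"})),
)

# Constructed legacy ACL: the ports that got opened to keep the developers happy.
LEGACY_OPEN_PORTS = frozenset({22, 443, 8443})


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Zone pair, user group and application must all match; port is irrelevant."""
    if (rule.src_zone, rule.dst_zone) != (flow.src_zone, flow.dst_zone):
        return False
    if "any" not in rule.groups and rule.groups.isdisjoint(flow.groups):
        return False
    return flow.app in rule.apps


def zero_trust_decision(flow: Flow, rules=RULES) -> tuple:
    """First matching explicit allow wins; no match means deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return ("allow", rule.name)
    return ("deny", "default-deny")


def port_acl_decision(flow: Flow, open_ports=LEGACY_OPEN_PORTS) -> str:
    """Legacy behaviour: only the destination port is consulted."""
    return "allow" if flow.dst_port in open_ports else "deny"


def compare(flow: Flow) -> dict:
    """Side-by-side verdict from the legacy ACL and the zero-trust policy."""
    return {"legacy": port_acl_decision(flow), "zero_trust": zero_trust_decision(flow)[0]}


# Constructed sample sessions.
SAMPLE_FLOWS = {
    "finance-ledger": Flow("alice", frozenset({"finance"}), "corp-users", "pci", "ledger-web", 443),
    "dev-reaches-pci": Flow("bob", frozenset({"developers"}), "corp-users", "pci", "ledger-web", 443),
    "finance-ssh-to-pci": Flow("alice", frozenset({"finance"}), "corp-users", "pci", "ssh", 22),
    "custom-app-in-dev": Flow("bob", frozenset({"developers"}), "dev-users", "dev", "custom-build", 8443),
    "custom-app-to-prod": Flow("bob", frozenset({"developers"}), "dev-users", "prod", "custom-build", 8443),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:22s} {compare(flow)}")
```

Running it prints one line per constructed session. The rows to look at are the ones where the legacy column says allow and the zero-trust column says deny: the port is open, but either the user group is wrong (a developer reaching the PCI ledger), the application is wrong (SSH to a PCI server over a port that is open for something else), or the segment pair was never approved (a dev-zone custom app talking to production). The legacy ACL cannot tell these apart from legitimate traffic because it only ever saw the port.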
Let's add more complexity to the DC security problem. As I indicated earlier, the first mission of the data center is to serve applications. Any network security infrastructure that interferes with this primary mission has no place in the data center. Network security infrastructure should be flexible enough to deliver high performance AND security. It should also be flexible enough to accommodate changes in the nature of network security controls or policy (for example, adding content scanning or threat prevention) without having to add more devices or redesign the network. And it should be flexible enough to integrate with the networking infrastructure, whatever the design (traditional data centers, next-generation Ethernet fabric designs, virtualized data centers).
Phew, so what have we got now? A long, long list of data center security requirements. How do we address this at Palo Alto Networks? I invite you to attend one of our worldwide Data Center Summits. We are kicking off this multi-city tour in Dallas, Texas on Feb 21st.
We have an excellent agenda planned. This data center tour is an all-day exploration of data center security designs and considerations with Forrester Research (for North America venues) and IDC (for Europe and Asia venues), and our data center partner Brocade. We'll provide details of how we align with Forrester's Zero Trust Model and deliver data center security with no compromises. Additionally, we will show how Palo Alto Networks' next-generation firewalls integrate into next-generation data centers powered by Brocade VCS Fabric Technology. This promises to be an interesting seminar. Don't forget to register soon; spots are filling up. I hope to see you there!