Will your virtual data traffic take the detour around your firewalls?


We’re soon going to need a new descriptor going forward when we refer to the “data centre”. This rings true because network virtualisation across private and public environments means the locations of compute and storage resources to facilitate “on-demand” networking do not sit statically in what could be considered a typical data centre anymore. Virtual workloads now dart around like bees in a field of clover. It’s no longer a question of “if” but “when” all of this will affect your network.

Cisco estimates cloud platforms will process 86% of workloads by 2019, while RightScale reports 95% of businesses use on average three public clouds and three private clouds. These dynamic pools of computing and storage resources are making traditional data centres the fax machines of infrastructure: you likely still have one, but hardly anyone uses it, and what it is used for is highly specialised.

Since the introduction of the first virtual machines, server admins have benefited from a more dynamic compute model that also helped lower costs associated with equipment, power, cooling and maintenance. Data centre administrators are now able to apply the concept of virtualisation to the network, which had become the bottleneck to dynamic, application-centric infrastructure. As a result, network admins and application developers are able to draw on pools of compute, storage and now networking to rapidly provision new applications or expand existing ones on demand.

This changeover to virtual infrastructure has a profound effect on cybersecurity. In old-school data centres, the majority of data travelled north from servers to the firewall and south from the firewall to servers. However, in virtual and software-defined networks, up to 80 percent of traffic travels east and west among virtualised applications and various network segments. This traffic now goes virtually (pun intended) uninspected by the very security foundation that was deployed to protect it.

This trend could prove disastrous for businesses that utilise virtualised networks. If a threat were to be introduced into this new environment – and there is no shortage of techniques the bad guys are employing to infiltrate today’s data centre networks – it could then spread unimpeded and infect much of the infrastructure with nothing in its path to stop it.


What’s more, mobile apps, cloud apps and partner apps all connect services to users outside data centres through pathways not scanned by traditional security controls. All it takes is a single malware compromise on a minor web service and the entire network is at risk.

To keep virtual public and private clouds secure, a good rule of thumb is to segment your network and applications as we have done in our physical networks. In the software-defined world this is called micro-segmentation: virtualised elements are logically grouped together, and rules establish how these groups may communicate with one another. This level of segmentation is also critical for getting control of cloud-based workflows travelling in new directions due to cloud platforms and domains.

However, micro-segmentation by itself is only part of the solution. To combat threats that get introduced into the virtual network, businesses also need advanced threat prevention security that works alongside micro-segmentation to actually inspect all traffic, keeping the bad stuff out and ensuring only what is desired gets through.

Advanced threat prevention security in virtualised environments, like any pooled networking resource, needs to be centrally orchestrated and provisioned so it can follow apps and workflows as they are created, grow and move. Also, the security should be intelligent enough to understand how all assets and elements are classified to ensure the proper security actions can be applied, regardless of where an asset is at any given time.
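As an added illustration (not from the original article or any vendor product) of what the grouping, default-deny rules and inspection described in the last three paragraphs look like in practice, here is a small east-west policy evaluator in Python; the workload inventory, group names, ports and sample flows are all constructed.

```python
from dataclasses import dataclass

# Constructed inventory: workload address -> logical group tag. Grouping by
# tag rather than address lets the policy follow a workload when it moves.
WORKLOADS = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
}

# Constructed east-west policy: (src group, dst group, port, inspect). An
# "inspect" rule sends the allowed flow through threat prevention first.
# Any group pair and port not listed here is denied.
POLICY = [
    ("web", "app", 8443, True),
    ("app", "db", 5432, True),
]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int

def evaluate(flow, policy=POLICY, inventory=WORKLOADS):
    """Return 'allow', 'allow+inspect' or 'deny' for one east-west flow."""
    src_group = inventory.get(flow.src)
    dst_group = inventory.get(flow.dst)
    if src_group is None or dst_group is None:
        return "deny"  # unclassified asset: fail closed
    for s, d, port, inspect in policy:
        if (s, d, port) == (src_group, dst_group, flow.port):
            return "allow+inspect" if inspect else "allow"
    return "deny"  # default deny between groups

def audit(flows, policy=POLICY, inventory=WORKLOADS):
    """Evaluate a batch of flows; return verdicts and the denied count."""
    results = {f: evaluate(f, policy, inventory) for f in flows}
    return results, sum(1 for r in results.values() if r == "deny")

# Constructed sample flows, including lateral moves a flat network allows:
# web reaching the database directly and an unclassified host probing app.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 8443),  # web -> app, expected path
    Flow("10.0.2.20", "10.0.3.30", 5432),  # app -> db, expected path
    Flow("10.0.1.11", "10.0.3.30", 5432),  # web -> db, skips app tier
    Flow("10.0.1.10", "10.0.1.11", 22),    # web -> web, intra-tier hop
    Flow("10.0.9.99", "10.0.2.20", 8443),  # unclassified -> app
]
```

Calling `audit(SAMPLE_FLOWS)` denies three of the five flows: the two lateral moves and the flow from the unclassified source, while the two expected tier-to-tier paths are allowed but routed through inspection.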

This requires a new security model that consolidates threat information across traditional gateways as well as within the virtualised space, and provides consistent policy management, protections, logging and reporting wherever your data goes. By adopting these principles, organisations can start extending the same level of protection that safeguards their physical networks into their virtual networks.

When you figure out what to call the new networking, don’t forget to consider which directions your data travels and how to re-think your security strategy to keep data and resources protected.