Virtualization and “software defined” initiatives have shifted how we look at security controls. Let’s take a look at some of the factors to consider in designing security controls for a software defined data center (SDDC). To this end, Symantec has introduced a suite of data center security products:
- Symantec Data Center Security: Server, and
- Symantec Data Center Security: Server Advanced
Key Challenges:
Abstraction
Security has often leveraged or worked within “physical” boundaries, e.g. a single task server with fixed resources (CPU, memory, disk space). Administrators could easily associate a piece of hardware, in location X, with a particular set of applications or services. With abstraction and the advancement of virtualization comes the transition to logical thinking, where the Admin sees only the software view as defined by the virtual platform such as VMware. In a virtual data center, there’s near total reliance on the platform infrastructure to manage the underlying compute, storage and network resources which have been completely disassociated from hardware through software. While the platform software has the capacity to represent what had been “one” resource as potentially many (e.g. numerous guest virtual machines running on a single physical host), or many as one, security has lagged in adapting to this paradigm and enforcing policy where boundaries are dynamic and logical. Making security just another logical resource or service to the virtual infrastructure, and orchestrating security policy through this abstraction, is a goal. By leveraging new VMware NSX platform extensibility with Service Composer integration, Symantec brings security controls into the software defined era.
Shared Resources and Density
Maximizing virtual server consolidation across physical hosts to save CAPEX is one of the leading drivers behind virtualization. Yet with consolidation comes narrow resource margins, and the need to minimize any security tax or overhead on these limited resources in order to retain service levels. The resource “storm” event is a common use case, which results when intensive activities happen concurrently across guest virtual machines on a shared host- and traditional AV file system scanning has been a classic example. When on-demand scans occur simultaneously across virtual machines on a common host, the shared resource margins are strained and all virtual machines suffer. By moving security controls out of each guest virtual machine to the hypervisor as a single-instance, security virtual appliance (often referred to as “agentless”), Symantec optimizes for the shared infrastructure
Elasticity and Motion
Another key value proposition of virtualization has been the ability to quickly provision new virtual servers, and if necessary move them across physical hosts without disrupting service. New requests for IT services, or surges in demand, will trigger server provisioning events. Motion events may be executed automatically to avoid unplanned downtime (e.g. preserve availability on system failure) or manually in response to planned host maintenance. What’s important from a design perspective is recognizing that elasticity and motion are facilitated through the virtual infrastructure, and that security should be integrated into that process in order to preserve these key functions. Ideally, security should persist as a service to the infrastructure, always available and responsive to these changes. Security gains visibility into the infrastructure’s current state by inheriting this from the source- the platform itself. Without this, simple RACE conditions can arise where security could lag the real-world infrastructure, thus exposing virtual machines to unnecessary risk. By having security integrated into the platform, Symantec helps customers avoid service delays or misconfigured security, and reducing exposure to threats.
To solve the server security challenges, Symantec introduces Symantec Data Center Security: Server and Symantec Data Center Security: Server Advanced for the virtual data center.
Architecture Considerations:
Single System View
One can assume that 70% of servers are virtualized, with the remaining non-x86 Unix platforms and their business critical applications in transition. With this degree of virtualization, security must overcome abstraction in order to advance the promise of a software defined data center. Security Admin’s will leverage the “logical” view rather than viewing the environment in its physical context as “this virtual machine running on this host.” In VMware terms, this logical view might represent a Security Group or Virtual Data Center. This shift in perspective to a single system view, or a leveraged perspective that accounts for abstraction, is where Administrators will focus. Their concern is only that security policies are enforced, and not on how the underlying infrastructure achieves this. In the case of scanning files of a virtual server for malware, Administrators will be less concerned about what host SVA has scanned the files for a virtual machine, and more with the fact that files have been scanned. For example, a virtual machine could move across hosts during the enforcement of policy and rely on several SVA’s to achieve this. Being assured that the security service behaves as an abstracted single system across the physical boundaries and multiple SVAs engaged in executing the policy is all the Administrator needs to know. It is the burden of the security system to respond based on its design.
Deterministic
With adoption of IT-as-a-Service, the compute, storage, and network tiers are managed in discrete resource increments. Service catalogs will automatically assemble these abstracted resources per defined templates to create new services for production use. Security will similarly fit into this model, hence security controls need to be templated, and their impact on the infrastructure predictable- i.e. no surprise. In virtual data centers, these security controls may be instantiated as security virtual appliances (SVA), and these SVA’s will be consistent in their behavior, including use of resources and performance. Every SVA will in essence be a clone of its like-templated neighbor, enforcing the various policies unique to the population of virtual machines running within its control. And should an update be made available to the SVA’s, all SVA’s will advance the update synchronously, or none do.
Preservation of Elasticity and Motion
Security will not compromise or degrade the overriding operational promise of virtualization, i.e. elasticity, motion, HA, etc. As server workloads are brought into service or moved onto any piece of hardware, security will have instant awareness of these workloads, regardless of which host they run on or which SVA protects them. As virtual machines come online and move, these virtual machines will automatically appear within the responsible host SVA’s realm of protection without operator action, and there will be no disruption to security coverage as they continue to move across the infrastructure. In its simplest form, security as an available service will be persisted across the virtual infrastructure. And should any element of the infrastructure break down, the security service will continue to function. Rather than relying on the VM Admin to manually deploy a Security SVA as a separate provisioning step, the “security service” will automatically deploy through the NSX Service Composer integration to preserve continuity.
Summary:
The agility, reliability, and efficiencies extended to IT through a software defined data center are tangible. At Symantec, we are focused on helping organizations realize these “IT-as-a-Service” benefits and dramatically lowering operational costs – while assuring their corporate assets are protected. The Symantec Data Center Security: Suite of products will continue to deliver innovative solutions for the SDDC.
To reach Chip:
Email: Chip_Epps@symantec.com
Twitter: follow us @SymantecDC