Virtualisation is widely accepted to be the most effective way to improve efficiency and reduce running costs in the data centre. But the issues of security and compliance within a virtualised environment continue to make many enterprise IT managers nervous about the technology.
It is for this reason that a new breed of software-defined security solution is emerging that aims to give IT networking and security staff in regulated software-defined data centres the control and assurance they need to pass their audits confidently.
The difference between traditional network security and software-defined security is to do with the way the network is architected. In a regular data centre, the network consists of a physical wire, and there is usually a box that sits on the wire and checks for malware and vulnerabilities.
The problem is that, in a virtual environment, all of the traffic is carried over the backplane of the server itself, so not much is happening on the physical network any more. Unless there is security sniffing around inside the server, it is very hard to know what is actually going on.
One company that is working to combat this problem within VMware virtual environments is Catbird. The company recently launched version 5.5 of its vSecurity software-defined security solution, and announced the establishment of its European HQ in the UK.
Catbird vSecurity works by putting a virtual machine appliance inside the virtual host, which acts as the eyes and the ears of the network. This appliance sends data back to a control centre, which tracks the assets and detects any anomalous conditions.
This includes vulnerability monitoring, intrusion detection, network segmentation, policy establishment and enforcement, access control and firewalling (integrated with VMware vCloud Networking and Security), as well as control orchestration to monitor and enforce controls for compliance with PCI, FISMA, NIST and HIPAA.
If any asset is found to have violated compliance policies, then it is automatically quarantined or isolated so that it does not affect any of the other virtual machines.
Another reason that traditional physical security does not work in a virtual environment is that virtual machines are frequently moved between physical servers. In order to ensure compliance and security, organisations therefore need to know when each VM is spun up, where it goes, and what it does when it gets there.
“When you virtualise your security, and when you bake it into the infrastructure itself, you can actually individually fingerprint your assets and know what policy they're supposed to be adhering to, so if they move from London to Leeds it doesn't matter, because the policy tracks them,” said Tamar Newberger, vice president of marketing at Catbird.
“The way that Catbird works is like an elastic policy envelope that you deposit your assets into. You can have an envelope for PCI assets, an envelope for HIPAA, an envelope for your own corporate governance, and those envelopes can stretch, so as long as you're in an envelope you will have to adhere to the policies that are affiliated with that envelope.”
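As an added illustration of the envelope idea (this is not Catbird's code; the asset fingerprint, host names and port numbers are constructed): a rule keyed by physical host loses sight of a VM once it migrates, whereas an envelope keyed by the asset's fingerprint still applies on the new host and quarantines the asset if it drifts out of policy.

```python
from dataclasses import dataclass, field

# Constructed example: a VM is identified by a stable fingerprint
# (a made-up UUID here), not by the host it happens to run on.
@dataclass(frozen=True)
class Asset:
    fingerprint: str
    name: str
    host: str
    open_ports: frozenset

@dataclass
class Envelope:
    name: str
    allowed_ports: frozenset
    members: set = field(default_factory=set)   # fingerprints in this envelope

# Traditional, location-bound policy: rules keyed by physical host.
HOST_RULES = {"london-esx1": frozenset({443})}

def location_policy(asset):
    # Returns None once the VM lands on a host with no rule: coverage is lost.
    return HOST_RULES.get(asset.host)

class ControlCentre:
    def __init__(self, envelopes):
        self.envelopes = {e.name: e for e in envelopes}
        self.membership = {}       # fingerprint -> envelope name
        self.quarantined = set()   # fingerprints isolated from other VMs

    def enrol(self, asset, envelope):
        self.membership[asset.fingerprint] = envelope
        self.envelopes[envelope].members.add(asset.fingerprint)

    def policy_for(self, asset):
        # Lookup is by fingerprint, so the envelope travels with the VM.
        return self.envelopes[self.membership[asset.fingerprint]]

    def evaluate(self, asset):
        # Ports open beyond the envelope's allowance are violations;
        # any violation quarantines the asset.
        violations = sorted(asset.open_ports - self.policy_for(asset).allowed_ports)
        if violations:
            self.quarantined.add(asset.fingerprint)
        return violations

def migrate(asset, new_host, open_ports=None):
    # Same fingerprint, new host; optionally a changed port set (policy drift).
    return Asset(asset.fingerprint, asset.name, new_host,
                 asset.open_ports if open_ports is None else frozenset(open_ports))
```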
Catbird believes that virtualisation represents an opportunity for enterprises to do security right for the first time. Unlike with regular security devices, where anybody can go and buy a WiFi router and put it in their office without the IT department's knowledge, virtualisation provides a perfect inventory of all the assets on the network.
“You can't protect something that you can't detect in the first place, and once you're detecting everything, that is a huge step towards making sure it's doing what you want it to do,” said Newberger.
James Edwards, EMEA product marketing manager at VMware, said that VMware relies heavily on companies like Catbird to deliver on its vision of the software-defined data centre by decoupling the security from the physical networking.
“We have spent the last three or four years building up a framework of compliance for regulatory compliance issues and mandates – PCI, Sarbanes-Oxley – and we can't deliver that kind of capability without the integration work that we've done with Catbird, so it's a partnership that's really needed for the marketplace,” he said.
Edwards added that a lot of customers do not realise that when they shut down a virtual machine, the data on that machine is still spinning around somewhere in a virtual data centre. The virtual machines therefore need to be controlled by a policy that ensures that data is secure and isolated when the VM is dormant or in standby mode.
Catbird and VMware have together published a lengthy guide on how to achieve PCI compliance in virtualised infrastructure, explaining what controls are in VMware, what controls are in Catbird, and what controls are in the other members of the ecosystem that Catbird and VMware do not address.
By giving control back to the IT department, VMware hopes to replicate the capex and opex benefits of server virtualisation, which saw computing abstracted away from physical hardware.
“With Catbird's help we can actually deliver these security mechanisms which are effectively better than physical, because they are automated, because they are agile, because they are streamlined and quick,” said Edwards.