Securing a unified infrastructure

In July’s feature we looked at the recent trend of vendors offering pre-integrated packages of infrastructure, combining servers, storage, networking in the one physical box. This month, Andrew Collins wonders how these integrated boxes fit into a security strategy.

For those who weren’t with us in the July issue, a quick recap. For the last 20-odd years, IT departments have built their own IT infrastructure from the ground up, purchasing the best networks, storage and servers and integrating these layers themselves. But now, equipment vendors are hoping to lure customers away from that best-of-breed, layered-component model, offering pre-integrated bundles of infrastructure that combine the crucial infrastructure layers in single units.

According to the analysts, the unified infrastructure concept could lead to real-world benefits for organisations. Since your IT crew no longer has to dedicate time and energy to integrating all these infrastructure layers, they can move on to other, more constructive activities.

So it seems this new model may have operational benefits. But what of security? It’s a crucial question for the many IT departments so used to hardening each layer of infrastructure in house, as they deploy it.

According to the vendors, the security outcomes of unified infrastructure follow the same theme as the operational outcomes: simplicity.

Jacqueline McNamara, a Regional Sales Director at unified infrastructure vendor HP TippingPoint, says that a typical infrastructure security strategy involves a series of firewalls, network devices, antivirus on desktops, server-based protection and so on - a particularly complex and difficult-to-manage environment.

This leads to all sorts of misconfigurations that could ultimately result in security breaches. Unified infrastructure offers an alternative to this security mess, McNamara says, as it offers security architectures that are easily managed, and allows policies to be enforced across infrastructure much more easily.

James Turner, analyst at IBRS, says that unified infrastructure presents vendors with the opportunity to improve overall security, through two main avenues. Firstly, by creating a ‘stack system’ (his term for pre-integrated unified infrastructure), vendors can reduce complexity, which he calls “the enemy of security”.

“The more complexity there is, the harder it is to actually understand relationships and interdependencies, and the easier it is to then start finding the gaps and exploiting them,” he says.

Secondly, if the vendors go beyond simple pre-configuring and actually engineer each aspect of these stacks to work seamlessly with the stacks on either side, he says, “the data or instructions that are being passed in between them all flow smoothly, as God intended them to”.

Turner also says that there’s an opportunity to enforce the concept of least privilege - the idea that people or things should have access only to the things they need to do their job, and nothing more, which avoids intentional or accidental security breaches.

“It’s a really amazing opportunity to start enforcing that, very, very stringently, from the layer you’re presenting to the end user, right down to the hardware,” he says.

But the key thing to note here is Turner’s use of the word “opportunity”.

“That’s quite conscious, because I’m aware we’ve got no guarantees!” he laughs.

Whether or not a vendor ultimately capitalises on these opportunities depends on a few crucial factors, including pressure to get the product to market, and whether or not the vendor aims to “make a sale rather than actually deliver engineering excellence”, Turner says. “That’s when problems start cropping in.”

What’s new

The vendors maintain that this philosophy of pre-integrating infrastructure actually improves security.

According to HP’s McNamara, securing traditional data centre infrastructure requires multiple engineers versed in the use of multiple reporting and management tools - one tool for each device in the data centre. This is something HP aims to change.

“You shouldn’t need to understand how to configure a firewall, and a network device, and an IPS, from various different vendors, and deploy an SIEM (security information and event management) product, to be able to understand a threat to your network and to take action and fix it,” she says.

HP’s latest unified infrastructure feature is what the company calls a “single pane of glass management” tool, which collates analytics from multiple devices and allows technicians to make changes across multiple devices from the one interface. McNamara says the goal is “to be able to ultimately enforce policies via a single change”.

“Where a change to avoid a particular type of threat might normally involve reconfiguring a few routers, doing a change to a network access control list on some routers, and maybe fixing some switches ... and then you’d have to go to the IPS and fix all those, you can now do that with a single pane of glass,” she says.

VMware, a member of the unified infrastructure team VCE Alliance (alongside Cisco and EMC), also touts security improvements under an integrated model.

Michael Warrilow, Senior Product Marketing Manager at VMware, says the team’s Vblock unified infrastructure product has the benefits of joint development, validation and testing from the three members of the alliance. This joint work has resulted in a series of reference architectures that are available to customers, so they can deploy the technology as securely as possible and shore up any holes in their implementations.

“Basically, they represent detailed design documents, architectures, blueprints and guidelines on how to configure and operate their technologies, including the UCS (unifying computer system) technology, the Vmax environment, and the Clariion, as part of a Vblock. It saves the customer having to have multiple engineers dedicated to that task,” Warrilow says.

A matter of trust

IBRS’s Turner says that this unified infrastructure model requires a lot of trust from customers.

“There’s going to be quite a lot of trust in the vendor, that they’ve done [security] properly, and you’re going to find out reasonably swiftly if they have or they haven’t,” he says.

VMware’s Warrilow agrees that there’s an element of trust involved: he says that Vblock customers may put themselves at greater risk if they don’t trust the VCE vendors. After years of deploying, integrating and securing disparate infrastructure layers themselves, many IT teams might find it hard to put faith in their vendor’s security efforts, he reckons.

“The risk they’ve got is reinventing the wheel. Obviously the customer is always right, as the old saying goes, but the risk is thinking that ‘this isn’t reference architecture, this isn’t best practice, this isn’t going to work for me, and I’ll just go and do it myself from scratch’,” he says.

This one-man-army mindset - rejecting the work of the vendors - could actually cause security headaches, Warrilow believes.

He goes on to say that trust is a two-way street.

“The VCE needs to continue to demonstrate that we are secure, that our reference architectures and best practices are appropriate, and to continue to give quality guidance. But at the end of the day, the customer needs to trust us as well,” he says.

But according to Robert Pregnell, Channel Regional Product Manager, Security Business Unit at Symantec, this trust can backfire. He stresses that these unified infrastructure systems are primarily focused on simplifying infrastructure management - not making your environments more secure.

“There’s no focus on security. In what I can see, from what they’ve been doing in recent years, in all of the three mainstream players I’ve seen in this space, there’s very little, if any, discussion of security in their efforts,” Pregnell says.

As such, he warns of placing too much trust in the security of these unified infrastructure systems, despite how much easier they might make managing infrastructure issues like storage, networks, disk I/O bottlenecks and so on.

“That’s an area where [IT teams] have historically been spending a majority of their cycle, and now that they can spend a lot less of those cycles on the infrastructure itself, don’t be misled into thinking that those dashboards and all of that good stuff is going to be doing security for you,” he says.

According to Pregnell, even if any security is offered in these platforms, it will predominantly focus on securing the infrastructure itself, not on securing the flow of data moving through and out of the data centre - a critical element of any security strategy.

However, he does say that unified infrastructure could have indirect benefits on security, since IT administrators won’t have to spend so much time making infrastructure layers work together.

“The customer can now get back to the important part of making it more secure. So while the vendors aren’t necessarily going to be doing that for them, it opens up the way for the customer to be spending a lot more important time doing it properly,” he says.