Unified infrastructure in a box: How does security fit in?
Tuesday, 17 August, 2010
In July's feature we looked at the recent trend of vendors offering pre-integrated packages of infrastructure, combining servers, storage and networking in the one physical box. This month Andrew Collins wonders how these integrated boxes fit into a security strategy.
For those who weren't with us in the July issue, a quick recap. For the last 20-odd years, IT departments have built their own IT infrastructure from the ground up, purchasing the best networks, storage and servers and integrating these layers themselves. But now, equipment vendors are hoping to lure customers away from that best-of-breed, layered-component model, offering pre-integrated bundles of infrastructure that combine the crucial infrastructure layers in single units.
According to the analysts, the unified infrastructure concept could lead to real-world benefits for organisations. Since your IT crew no longer has to dedicate time and energy to integrating all these infrastructure layers, they can move on to other, more constructive activities.
So it seems this new model may have operational benefits. But what of security? It's a crucial question for the many IT departments so used to hardening each layer of infrastructure in-house, as they deploy it.
According to the vendors, the security outcomes of unified infrastructure follow the same theme as the operational outcomes: simplicity.
Jacqueline McNamara, a Regional Sales Director at unified infrastructure vendor HP TippingPoint, says that a typical infrastructure security strategy involves a series of firewalls, network devices, antivirus on desktops, server-based protection and so on - a particularly complex and difficult-to-manage environment.
This leads to all sorts of misconfigurations that could ultimately result in security breaches. Unified infrastructure offers an alternative to this security mess, McNamara says, as it offers security architectures that are easily managed, and allows policies to be enforced across infrastructure much more easily.
James Turner, analyst at IBRS, says that unified infrastructure presents vendors with the opportunity to improve overall security, through two main avenues. Firstly, by creating a “stack system” (his term for pre-integrated unified infrastructure), vendors can reduce complexity, which he calls “the enemy of security”.
“The more complexity there is, the harder it is to actually understand relationships and interdependencies, and the easier it is to then start finding the gaps and exploiting them,” he says.
Secondly, if the vendors go beyond simple preconfiguring and actually engineer each aspect of these stacks to work seamlessly with the stacks on either side, he says, “the data or instructions that are being passed in between them all flow smoothly, as God intended them to”.
Turner also says that there's an opportunity to enforce the concept of least privilege - the idea that people or things should have access only to the things they need to do their job, and nothing more, so as to avoid intentional or accidental security breaches.
“It's a really amazing opportunity to start enforcing that, very, very stringently, from the layer you're presenting to the end user, right down to the hardware,” he says.
But the key thing to note here is Turner's use of the word “opportunity”.
“That's quite conscious, because I'm aware we've got no guarantees!” he laughs.
Whether or not a vendor ultimately capitalises on these opportunities depends on a few crucial factors, including pressure to get the product to market, and whether or not the vendor aims to “make a sale rather than actually deliver engineering excellence”, Turner says. “That's when problems start cropping in.”
The vendors maintain that this philosophy of pre-integrating infrastructure actually improves security.
According to HP's McNamara, securing traditional data centre infrastructure requires multiple engineers versed in the use of multiple reporting and management tools - one tool for each device in the data centre. This is something HP aims to change.
“You shouldn't need to understand how to configure a firewall, and a network device, and an IPS, from various different vendors, and deploy an SIEM product, to be able to understand a threat to your network and to take action and fix it,” she says.
HP's latest unified infrastructure feature is what the company calls a “single pane of glass management” tool, which collates analytics from multiple devices and allows technicians to make changes across multiple devices from the one interface. McNamara says the goal is “to be able to ultimately enforce policies via a single change”.
“Where a change to avoid a particular type of threat might normally involve reconfiguring a few routers, doing a change to a network access control list on some routers, and maybe fixing some switches ... and then you'd have to go to the IPS and fix all those, you can now do that with a single pane of glass,” she says.
VMware, a member of the unified infrastructure team VCE Alliance (alongside Cisco and EMC), also touts security improvements under an integrated model.
Michael Warrilow, senior product marketing manager at VMware, says the team's Vblock unified infrastructure product has the benefits of joint development, validation and testing from the three members of the alliance. This joint work has resulted in a series of reference architectures that are available to customers, so they can deploy the technology as securely as possible, and shore up any holes in their implementations.
“Basically they represent detailed design documents, architectures, blueprints and guidelines, on how to configure and operate their technologies, including the UCS technology, the Vmax environment, and the Clariion, as part of a Vblock. It saves the customer having to have multiple engineers dedicated to that task,” Warrilow says.
Andrew Collins is a freelance writer.