Eight steps to protect data centers in the distributed computing age
It is no secret that information security cannot keep up with the pace of business and IT. Data centers are becoming increasingly dynamic to adapt to rapid application changes and varied deployments across private and public clouds. Security, however, still depends on firewalls and other perimeter devices that act as choke points, so it remains relatively static, which leaves data in the data center vulnerable to attack.
In addition, security policy is bound to network parameters such as IP addresses, ports, subnets, and regions. As a result, security is highly manual and error-prone and lacks visibility, and it cannot flexibly cope with cloud migration or with changes in applications and environments. Enterprises should consider the following measures to ensure security and better adapt to the needs of rapidly changing computing environments:
1. Anticipate workload changes, increases, and moves
In many enterprises, deploying new applications, changing existing applications, or migrating applications to the cloud requires a great deal of effort from the security team, because many systems have to be modified, from firewall and VLAN configuration to cloud security systems. Enterprises need to build security around application workloads (their attributes, environments, and relationships) rather than around the underlying infrastructure. Such an adaptive security policy can be configured automatically as applications change (for example, when new workloads are enabled, applications are migrated, or the environment changes).
2. Review application interactions
Enterprises generally lack visibility into the East-West traffic between application workloads in data centers and public cloud environments. They need a graphical view of multi-tier applications to understand the traffic between workloads. This application topology should provide a complete view, including North-South and East-West interactions and connection requests from unauthorized external entities. Better still, if the application topology is interactive, the security team can learn more about a specific workload and its relationships with other workloads. This helps the security team design accurate security policies based on application requirements.
3. Assume that the attack is inevitable
Most of the time, enterprises purchase and deploy powerful perimeter defenses and then assume that the workloads inside the perimeter are safe. However, in most data breaches, attackers get through the perimeter, compromise a server, spread to other vulnerable systems, and finally take away sensitive data. Enterprises must ensure the security of their data centers. They can lock the interaction between workloads down to approved communication paths to prevent unauthorized connection requests.
Network attacks are rarely limited to a single server or endpoint. Even if an attacker compromises a single workload, the data center security policy can prevent the attack from spreading to other systems. Containing attacks in this way also helps system recovery, because the single workload is completely isolated from the larger environment.
4. Future-proof your application deployments
Security teams often worry about the lack of network control in cloud deployments. Most data center security strategies rely on the network, which means that securing applications in a private data center is very different from securing applications in the cloud. As a result, enterprises need to test and maintain security policies. Enterprises must select a security strategy that is consistent across private data centers and public clouds. After all, an application's expected behavior and security requirements do not change because of where it runs.
5. Select security technologies independent of infrastructure
Security designed for a specific computing environment does not suit today's dynamic computing environment, in which virtual servers can be started anywhere as needed and applications can be deployed and changed as needed. It is important to develop context-aware security policies that protect application workloads without relying on the underlying network or computing environment. In addition, because the data center is heterogeneous (bare metal servers, virtual servers, and even Linux containers), a security strategy that is independent of the computing environment is easier to deploy and maintain and less prone to error.
6. Eliminate the use of internal firewalls and traffic guidance
For traffic-oriented security that relies on choke points or perimeter devices, security policies are bound to IP addresses, ports, subnets, VLANs, or security zones. This produces a static security model and requires manual changes to the security rules each time an application changes or a new workload is introduced. It leads to an explosion of firewall rules and increases the chance of human error.
Enterprises should decouple security from the underlying network parameters and take advantage of the dynamic nature of the workload, so that security policies are not affected when changes occur. In a context-aware system, security policies can be specified using natural language syntax (rather than IP addresses). In addition, the ability to enforce policies at the workload level gives administrators more fine-grained control.
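The workload-centric policy described in steps 1, 3 and 6, sketched as an added example that is not part of the original article: rules are written against workload labels, expanded into concrete allow rules from an inventory, and evaluated default-deny. All labels, addresses, ports and function names are constructed for illustration.

```python
# Constructed inventory: workload IP -> labels (role, application, environment).
INVENTORY = {
    "10.0.1.10": {"role": "web", "app": "orders", "env": "prod"},
    "10.0.2.20": {"role": "app", "app": "orders", "env": "prod"},
    "10.0.3.30": {"role": "db", "app": "orders", "env": "prod"},
    "10.0.9.99": {"role": "web", "app": "orders", "env": "dev"},
}

# Policy written against labels only: these are the approved communication paths.
POLICY = [
    {"src": {"role": "web", "env": "prod"},
     "dst": {"role": "app", "env": "prod"}, "port": 8443},
    {"src": {"role": "app", "env": "prod"},
     "dst": {"role": "db", "env": "prod"}, "port": 5432},
]


def matches(labels, selector):
    """True when a workload carries every label the selector asks for."""
    return all(labels.get(key) == value for key, value in selector.items())


def compile_rules(policy, inventory):
    """Expand label rules into concrete (src_ip, dst_ip, port) allow tuples."""
    rules = set()
    for rule in policy:
        sources = [ip for ip, lab in inventory.items() if matches(lab, rule["src"])]
        targets = [ip for ip, lab in inventory.items() if matches(lab, rule["dst"])]
        rules.update((s, d, rule["port"]) for s in sources for d in targets if s != d)
    return rules


def is_allowed(flow, rules):
    """Default deny: a flow passes only if it is on an approved path."""
    return flow in rules


def move_workload(inventory, old_ip, new_ip):
    """Model a migration to another subnet or cloud: labels follow the workload."""
    moved = dict(inventory)
    moved[new_ip] = moved.pop(old_ip)
    return moved
```

The policy text never changes when a workload moves; only the compiled rule set is regenerated from the updated inventory.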
7. Use simple on-demand dynamic data encryption to protect interaction between distributed heterogeneous applications
In a distributed computing environment (that is, one in which application workloads need to communicate across public and private networks), dynamic data encryption is necessary. IPsec connectivity can be used to encrypt the communication between application workloads.
However, although IPsec provides permanent, application-independent encrypted connections between nodes, it is difficult to establish and maintain. An adaptive security solution provides policy-driven IPsec without additional software or hardware. This allows the security administrator to set up on-demand dynamic data encryption between application workloads running anywhere.
8. Develop strategies to integrate security with development and operations (DevOps) practices
DevOps practices combine agile development practices with IT operations to accelerate the release and change of applications. However, a static security architecture prevents enterprises from realizing the potential advantages of continuous application delivery. An adaptive security architecture can integrate with automation and orchestration tools so that security changes are rolled out as part of the continuous delivery process. This allows the security and DevOps teams to build security into the application from the very beginning and keep it in place until the end of the application's life.
Your security policy should reflect the dynamic and distributed nature of current infrastructure and applications. These steps can help you design self-adaptive practices to improve your security posture.