Data Center Operators Take the Lead with Software-Defined Segmentation
Microsegmentation solutions can be a market differentiator, helping data centers limit damage in a breach.
December 31, 2019
By Todd Bice
For operators of multitenant data centers, the segmentation (or isolation, separation) of computing environments isn’t just important, it’s fundamental to their operating model. If done right, service providers will experience lower costs, operational efficiencies and reduced risk. Additionally, with cutting-edge, software-defined segmentation technology (microsegmentation), there’s an opportunity to drive more core data center services while becoming stickier with customers and establishing new services capabilities and revenue streams. It may sound too good to be true, but it is achievable. Here’s how.
Let’s start with the essential segmentation requirements, which are often operationally difficult and expensive to achieve. Looking into data center providers’ operational networks, here are a few scenarios where segmentation is needed and, if achieved efficiently, can significantly reduce costs while improving security for themselves and their customers:
Segmentation within a service provider’s own operational network is foundational. Providers run their own internal applications and various operational technology (OT) systems, such as DCIM and BMS, that require a good level of separation to limit the impact of a breach. Additionally, data center operational networks typically contain many hard-to-patch systems (especially OT) which, if not properly segmented, introduce the risk of lateral movement that could disrupt operations while also putting all of their customers’ businesses at risk.
A service provider’s own infrastructure must be separated from customer environments. A service provider also needs the flexibility to share certain resources while preventing access to others. For example, an operator may need secure connectivity between customer-facing networks, such as the DMZ where the customer portal is located, and the operational networks (e.g., to read power status) and enterprise networks (e.g., to read billing information) that the portal must securely draw data from.
Lastly, a service provider needs to prevent “cross-contamination” between their clients’ respective environments, whether accidental or nefarious. That includes preventing successful breaches or malware infections from spreading from one client’s environment to others.
The Pitfalls of Conventional Approaches
The question is how to achieve segmentation most effectively, efficiently and economically. Historically, operators have relied on traditional firewalling or VLANs to separate environments within a multitenant architecture. Implementing and maintaining such measures, however, is arduous, highly manual, time-consuming and costly. Moreover, these techniques are by no means airtight and can leave a substantial amount of attack surface exposed. The efficacy of solutions designed for perimeter defense is particularly problematic within the data center, especially since most of these environments include a variety of virtual machines, hypervisors, containers, and even cloud components, and new workloads dynamically spin up and down automatically.
Internal firewalls are expensive to acquire and complex to set up. They also interfere with the normal flow of traffic, altering patterns and creating circuitous “hairpins” that ultimately impede systems performance. As the industry is learning, firewalls aren’t intended for segmentation within the data center.
One of the most painful challenges when trying to introduce segmentation to an existing, running production environment is that traditional methods require downtime of an application. Downtime for a business-critical application is costly, can only happen in specific time windows, and oftentimes isn’t possible at all.
An additional challenge worth noting is that creating any internal segmentation requires good knowledge of east-west application dependencies. This insight is usually nonexistent. Without a simple way to map application dependencies it is extremely hard to separate a brownfield environment and it is also very risky.
The Modern Approach
For all these reasons, operators of shared environments are taking a closer look at modern techniques, including micro-segmentation. With the right tools and a little thoughtful planning, micro-segmentation can be implemented more quickly and easily than the aforementioned methods and is easier to manage and maintain as well.
With a software-defined approach, there’s no need for networking changes or for any VLANs to be created, which results in significant operational savings. It also doesn’t require any application downtime or changes due to a migration to a new VLAN. These time savings and efficiencies translate to significantly lower costs over the deployment life cycle.
Additionally, a key advantage of some micro-segmentation solutions is that they’re infrastructure-independent and work seamlessly across environments. This means that the same tool provides segmentation across any infrastructure: bare metal, virtualized, PaaS, cloud, containers, etc. All under one pane of glass and with a singular workflow. This results in significant operational freedom where security standards can be achieved without any constraints on the underlying infrastructure choice.
Lastly, the best software-defined segmentation solutions will include integrated visibility that helps identify the segment boundaries and application dependencies. This results in an efficient process and eliminates operational errors when creating policies. It also makes it possible to apply policies in a dynamic fashion, so that as new workloads are spun up or down, they’re attributed to the correct policy automatically. This saves considerable resources by eliminating the need for manual moves, additions or changes.
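The label-driven policy model described above (and the DMZ-to-OT, DMZ-to-enterprise and tenant-isolation scenarios from earlier) can be illustrated with a small default-deny evaluator. This is an added example, not Guardicore code or any product’s policy format; the label scheme (tenant, zone, role), rule names and sample workloads are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Workload:
    name: str
    labels: dict  # constructed label scheme: tenant, zone, role

@dataclass
class Rule:
    name: str
    src: dict         # label selector for the source; every key must match
    dst: dict         # label selector for the destination
    ports: frozenset  # permitted destination ports

def matches(selector: dict, labels: dict) -> bool:
    """A selector matches when each of its key/value pairs appears in the labels."""
    return all(labels.get(k) == v for k, v in selector.items())

def evaluate(rules: list, src: Workload, dst: Workload, port: int) -> str:
    """Default-deny: a flow is allowed only when some rule matches source, destination and port."""
    for rule in rules:
        if matches(rule.src, src.labels) and matches(rule.dst, dst.labels) and port in rule.ports:
            return f"allow ({rule.name})"
    return "deny"

# Constructed policy mirroring the article's scenarios: the customer portal in the operator's
# DMZ may read power status from OT (DCIM) and billing data from enterprise; tenant "acme" web -> "acme" db.
RULES = [
    Rule("portal-reads-power", {"tenant": "operator", "zone": "dmz", "role": "portal"},
         {"tenant": "operator", "zone": "ot", "role": "dcim"}, frozenset({443})),
    Rule("portal-reads-billing", {"tenant": "operator", "zone": "dmz", "role": "portal"},
         {"tenant": "operator", "zone": "enterprise", "role": "billing-db"}, frozenset({5432})),
    Rule("acme-web-to-db", {"tenant": "acme", "role": "web"},
         {"tenant": "acme", "role": "db"}, frozenset({3306})),
]

def demo() -> dict:
    """Evaluate constructed flows; the freshly spun-up 'acme-web-07' is covered by its labels alone."""
    portal = Workload("portal-01", {"tenant": "operator", "zone": "dmz", "role": "portal"})
    dcim = Workload("dcim-01", {"tenant": "operator", "zone": "ot", "role": "dcim"})
    billing = Workload("billing-db-01", {"tenant": "operator", "zone": "enterprise", "role": "billing-db"})
    acme_db = Workload("acme-db-01", {"tenant": "acme", "role": "db"})
    globex_db = Workload("globex-db-01", {"tenant": "globex", "role": "db"})
    new_web = Workload("acme-web-07", {"tenant": "acme", "role": "web"})  # no policy edit needed
    return {
        "portal->dcim:443": evaluate(RULES, portal, dcim, 443),
        "dcim->billing:5432": evaluate(RULES, dcim, billing, 5432),  # OT must not reach enterprise
        "acme-web-07->acme-db:3306": evaluate(RULES, new_web, acme_db, 3306),
        "acme-web-07->globex-db:3306": evaluate(RULES, new_web, globex_db, 3306),  # cross-tenant
    }
```

Because rules select on labels rather than addresses or VLANs, scaling a tenant’s web tier up adds coverage without a policy change, while a flow toward another tenant’s database still falls through to deny.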
Beyond Improved Operational Efficiencies and Better Security
Customers struggle to implement and maintain a strong level of segmentation within their applications (hosted or on-prem). This introduces an important opportunity for data center operators to leverage their internal segmentation expertise, tools and operational model to extend segmentation (as-a-service), discretely per customer across all of their assets, within one tool and a single pane of glass. This not only results in additional services revenue potential, but also creates a stronger dependency on the operator, resulting in longer relationships and higher profits.
Furthermore, with the ability to extend security policies to customer premises with the right methodology, tooling and processes, the operator will be able to gain access and visibility to the nonhosted applications. That access can enable and accelerate the secure migration of other customer assets to the hosted data center, thus contributing to the core data center business.
The Right Solution
To deliver on these benefits, service providers should consider a modern, software-defined segmentation solution that meets several essential criteria. It must 1) include comprehensive and granular visibility into all applications running across environments and the ability to map all the dataflows among them; 2) be infrastructure-agnostic; 3) include flexibility to properly label assets for policy creation and automatically modify labels as workloads auto-scale to simplify efficient deployment and management; 4) be DevOps-friendly with the ability for policies to follow their respective applications and perform consistently among multiple environments; and 5) allow for an automated and simplified operational model for policy creation, management and enforcement.
Todd Bice is senior director of channels at Guardicore, where he focuses on the channel strategy and go-to-market execution for the company’s cloud security platform. He has established alignment with strategic partners including services-oriented VARs, MSSPs, cloud transformation providers and global systems integrators. Bice brings more than 18 years of successful revenue performance and business growth in the IT space to his role with expertise in managed services, data center, security software and managed security business models. Follow Bice on LinkedIn or @Guardicore on Twitter.