
Consolidation: less isn't always more

01 Apr 2010

A lot of attention has been given to making sure virtual machines (VMs) are updated, manageable and protected. Now, with the introduction of virtual infrastructure and physical hardware pooling, a whole new set of challenges awaits us, many of which are only just becoming apparent. Security zoning is essential in the design of any system and, while often overlooked, it has long been a proven strategy. So how can something such as virtualisation affect how we zone our systems?

Security zoning is based on the core concepts of classification and compartmentalisation. Both data and systems are classified into groups of differing sensitivity. Classified data is stored separately from general data. Critical and high-security systems are segmented from public systems. Accounts used to access high-security systems are never used on low-security systems. The required level of security determines the amount of compartmentalisation. The purpose is to prevent less secure or low-priority systems and data from compromising more sensitive systems and data.

Virtualisation design will often focus on maximising the rate of consolidation to produce greater savings and lower running costs. When this is combined with the ability to pool physical hosts and storage devices, we begin to create security concerns. Now the domain controller is running on the same host as the print server and is stored on the same storage as the public web server. Suddenly all the security zones and segments become virtualised as well. Communication between VMs becomes largely invisible to traditional security systems running outside the virtual environment, and a compromised host affects all of its VMs regardless of virtual segmentation. Physical access to hosts in a large environment based on secure racks becomes harder to regulate, as it is not apparent whether a particular server is hosting sensitive systems at any particular time.

There is also the question of management. What point is there to virtual network segmentation and zoning when a handful of management workstations and user accounts are used to access them all? In order to provide higher levels of security we must look beyond consolidation to preserve our security zones. In lower-security environments, implementing virtual security and UTM appliances between our virtual network segments and machines will provide much-needed security and management of communications between VMs. In higher-security environments it is necessary to augment this further by providing separate hardware pools for each zone, to prevent VMs of different sensitivity from co-existing on the same host or storage device.

Researchers have already highlighted some of the potential risks involved in large-scale hardware pooling with the internal mapping and prediction of VM placements within a high-profile public cloud. How do we, for example, manage the zoning of our systems not just from each other but also from the systems of other entities hosted in a third-party cloud? Clearly this is one of the biggest barriers to wider adoption of cloud-based systems and is a question to which cloud vendors have yet to provide a satisfactory answer.

The key point to remember is that no system or platform is inherently secure, and virtualisation is no exception. Virtualisation provides us with a powerful platform on which to base our systems, but if we wish to secure them there is more to consider than rack space and cooling costs.
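The separate-hardware-pools rule described above can be audited mechanically: tag every VM, host and datastore with a zone, then flag any host or datastore that carries guests from more than one zone, and any VM sitting on hardware that is not reserved for its own zone. The following is an added example written for this article, not code from the article or from any virtualisation vendor; the `VM` class, the function names and the inventory (`esx01`, `ds01`, `dc01` and so on) are constructed sample data, and a real deployment would feed it from the hypervisor's inventory instead.

```python
"""
Zone-aware placement audit for a virtualised estate.

Added example (not from the article). Models VMs, hosts and datastores,
each tagged with a security zone, and reports every placement that lets
guests from different zones share a host or a datastore, or that puts a
guest on hardware reserved for another zone. All names are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    zone: str        # classification of the guest, e.g. "high", "internal", "dmz"
    host: str        # physical host currently running the VM
    datastore: str   # storage device holding the VM's virtual disks


def mixed_residency(vms):
    """Map each host/datastore that carries more than one zone to its zone set.

    Keys look like ("host", "esx01") or ("datastore", "ds01"). This is the
    co-residency check: a compromised host or shared storage affects every
    guest on it regardless of virtual network segmentation.
    """
    zones = defaultdict(set)
    for vm in vms:
        zones[("host", vm.host)].add(vm.zone)
        zones[("datastore", vm.datastore)].add(vm.zone)
    return {res: zs for res, zs in zones.items() if len(zs) > 1}


def pool_violations(vms, host_zone, datastore_zone):
    """List VMs placed on hardware not dedicated to their own zone.

    host_zone / datastore_zone map a resource to the zone its pool is
    reserved for; a resource missing from the map counts as unassigned
    (None) and is therefore reported too.
    """
    bad = []
    for vm in vms:
        if host_zone.get(vm.host) != vm.zone:
            bad.append((vm.name, "host", vm.host, host_zone.get(vm.host)))
        if datastore_zone.get(vm.datastore) != vm.zone:
            bad.append((vm.name, "datastore", vm.datastore,
                        datastore_zone.get(vm.datastore)))
    return bad


# Constructed inventory reproducing the situation in the text: the domain
# controller shares a host with the print server and shares storage with
# the public web server.
SAMPLE_VMS = [
    VM("dc01", "high", "esx01", "ds01"),
    VM("print01", "internal", "esx01", "ds02"),
    VM("web01", "dmz", "esx02", "ds01"),
    VM("web02", "dmz", "esx02", "ds03"),
]

# Constructed pool assignment: each host and datastore is reserved for one zone.
HOST_ZONE = {"esx01": "high", "esx02": "dmz"}
DATASTORE_ZONE = {"ds01": "high", "ds02": "internal", "ds03": "dmz"}


def report(vms=SAMPLE_VMS, host_zone=HOST_ZONE, datastore_zone=DATASTORE_ZONE):
    """Return human-readable findings, one per line (empty list when clean)."""
    lines = []
    for (kind, name), zones in sorted(mixed_residency(vms).items()):
        lines.append(f"{kind} {name} carries zones {sorted(zones)}")
    for vm, kind, res, assigned in pool_violations(vms, host_zone, datastore_zone):
        lines.append(f"{vm} sits on {kind} {res} reserved for {assigned!r}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)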
