
Holistic Approach to Security

9.7K views
Aug 18, 2020
4:52

To learn more, visit: https://www.fungible.com/ Follow us on Twitter: https://twitter.com/fungible_inc Follow us on LinkedIn: https://www.linkedin.com/company/fungible-inc./ #datacenter #technology #cloud #network #data #datacentric #datacenterarchitecture #datacentricsw #softwarearchitecture #fungible_inc

Security teams working on data centers around the globe are constantly struggling to cope with more frequent, more sophisticated attacks on their most valuable asset: data. For decades, organizations have focused on fortifying the perimeter of the data center. Physical security appliances implementing functions such as L4 to L7 firewalls, intrusion detection and prevention, DDoS mitigation and proxy engines are commonly deployed to protect against all manner of threats. With so much money and effort spent on perimeter protection, it is tempting to assume that data center security is well taken care of. But is it?

Data is in a constant state of motion. In particular, the volume of data moving within the data center, known as east-west traffic, has grown manyfold over the last decade. Studies have shown that east-west traffic now accounts for about 85% of data center traffic, with north-south traffic making up the remaining 15%. As traffic patterns inside the data center have shifted, the way data centers are secured needs to change as well. It is no longer enough to protect only the perimeter.

Consider the current state of data center security. Current solutions are focused on the perimeter: security appliances protect the north-south traffic. Modern workloads, however, are built from microservices, virtual machines, containers and so on, and every one of these endpoints needs to be secured. Current solutions are also mostly x86-based, yet security services are very compute intensive.
With the increase in the volume of data movement, current security solutions are struggling to cope. So what do we need to secure the data center? Is there a better way to ensure robust security across every platform, that is, across compute, storage and networking?

Start with the most fundamental layer: a root of trust for the infrastructure. Any firmware or software running on compute, networking or storage systems must be authenticated and authorized before it is allowed to run. This relies on mechanisms such as immutable keys held in a hardware root of trust, so that the key used to verify the code cannot itself be replaced by the code being verified.

Next, secure the services. Static access control policies tied to physical infrastructure are no longer sufficient in today's microservice- and container-based infrastructure. The industry is moving to application-based policy management, which uses micro-segmentation to dynamically apply finer-grained policies to individual workloads, VMs, containers and so on. Security policies need to be bound to the microservices themselves rather than to physical nodes or whole applications.

Third, secure the data. Data can be divided into data in motion and data at rest. For data in motion, protocols such as IPsec or SSL/TLS authenticate and encrypt traffic to provide secure communication over the network; larger key sizes sharply increase the computation required. Protecting data at rest in persistent storage is viewed as table stakes today. A robust, secure data center must also ensure data isolation and preservation of privacy among its various users.

Last but not least, real-time visibility: security solutions should provide programmable and configurable tap points for gathering statistics and telemetry, so that data center operators have a real-time view of usage and of policy enforcement.
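The root-of-trust requirement above, as an added example that is not Fungible's code or any part of the original page: a simulated verified boot in Go in which only an Ed25519 public key lives in the "ROM", every stage's signature is checked against that key before the stage would run, and a PCR-style measurement register records what executed. The seeds, image bytes and stage names are constructed for the example; a real device keeps the signing key off the device entirely and fuses only the public half.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed, fixed seeds so the example is deterministic (assumption for this
// page). In a real device the vendor's signing key lives in an HSM and the
// root-of-trust silicon holds only the public half, fused at manufacture.
var (
	vendorSeed   = []byte("example-root-of-trust-seed-32-by") // 32 bytes
	attackerSeed = []byte("example-attacker-seed-0000000-by") // 32 bytes
)

// ROMPublicKey is the immutable key: the boot ROM holds the public half only.
var ROMPublicKey = ed25519.NewKeyFromSeed(vendorSeed).Public().(ed25519.PublicKey)

// Stage is one firmware or software image plus the signature attached by the
// release process.
type Stage struct {
	Name  string
	Image []byte
	Sig   []byte
}

// SignStage runs in the (offline) release pipeline, never on the device.
func SignStage(priv ed25519.PrivateKey, name string, image []byte) Stage {
	return Stage{Name: name, Image: image, Sig: ed25519.Sign(priv, image)}
}

// Boot authenticates each stage against the ROM key before that stage is
// "allowed to run", and extends a measurement register the way a TPM PCR is
// extended (pcr = SHA256(pcr || SHA256(image))), so software higher up can
// later attest exactly which images executed. Any invalid stage halts boot.
func Boot(romPub ed25519.PublicKey, chain []Stage) (string, error) {
	var pcr [sha256.Size]byte // all zeros at power-on
	for _, st := range chain {
		if !ed25519.Verify(romPub, st.Image, st.Sig) {
			return "", fmt.Errorf("stage %q: signature invalid, halting boot", st.Name)
		}
		m := sha256.Sum256(st.Image)
		pcr = sha256.Sum256(append(pcr[:], m[:]...))
		// Hardware would now transfer control into st.Image.
	}
	return hex.EncodeToString(pcr[:]), nil
}

// Constructed stand-in images for the two-stage chain.
var (
	bootloaderImg  = []byte("BOOTLOADER v1.2 (constructed image)")
	dpuFirmwareImg = []byte("DPU FIRMWARE v4.0 (constructed image)")
)

func vendorChain() []Stage {
	priv := ed25519.NewKeyFromSeed(vendorSeed)
	return []Stage{
		SignStage(priv, "bootloader", bootloaderImg),
		SignStage(priv, "dpu-firmware", dpuFirmwareImg),
	}
}

// DemoGoodBoot: untouched vendor images boot and produce a measurement.
func DemoGoodBoot() (string, error) { return Boot(ROMPublicKey, vendorChain()) }

// DemoTamperedBoot: one bit of the firmware is flipped after signing.
func DemoTamperedBoot() error {
	chain := vendorChain()
	chain[1].Image = append([]byte(nil), chain[1].Image...) // copy, keep the original intact
	chain[1].Image[0] ^= 0x01
	_, err := Boot(ROMPublicKey, chain)
	return err
}

// DemoWrongSigner: a well-formed signature from a key that is not the one in
// ROM. Swapping the verification key is precisely what "immutable" rules out.
func DemoWrongSigner() error {
	chain := vendorChain()
	chain[1] = SignStage(ed25519.NewKeyFromSeed(attackerSeed), "dpu-firmware", dpuFirmwareImg)
	_, err := Boot(ROMPublicKey, chain)
	return err
}

func main() {
	m, err := DemoGoodBoot()
	fmt.Println("good boot measurement:", m, err)
	fmt.Println("tampered image:       ", DemoTamperedBoot())
	fmt.Println("wrong signing key:    ", DemoWrongSigner())
}
```

The measurement is deterministic for a given set of images, which is what makes it usable for remote attestation: a verifier that knows the approved images can recompute the expected value and compare. Note that signature checking and measurement serve different purposes; the first decides whether to run, the second records what ran.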
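For the data-at-rest and tenant-isolation points above, an added example in Go that is not from the page or from Fungible: per-tenant AES-256-GCM encryption in which the tenant and object identifiers are bound into the ciphertext as additional authenticated data, so that another tenant's key, a renamed object or a single flipped bit all fail to decrypt. The master key, tenant names and record contents are constructed, and the SHA-256-based key derivation stands in for HKDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed key-encryption key for the example (assumption). In production it
// lives in the hardware root of trust or a KMS, never in source.
var masterKey = sha256.Sum256([]byte("example master key, constructed for this page"))

// tenantKey derives a per-tenant data key, so a ciphertext written for one
// tenant can never be opened with another tenant's key. The hash-based
// derivation is a stand-in for HKDF, kept short for the example.
func tenantKey(tenant string) []byte {
	k := sha256.Sum256(append(masterKey[:], []byte("tenant:"+tenant)...))
	return k[:]
}

func aead(tenant string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(tenantKey(tenant))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // AES-256-GCM: confidentiality plus integrity
}

// Seal encrypts one object for a tenant. tenant and object go in as additional
// authenticated data, binding the ciphertext to that namespace: it cannot be
// copied into another tenant's store or renamed without Open failing. counter
// is a per-tenant-key nonce counter; reusing a (tenant, counter) pair is fatal
// for GCM, so callers must persist it.
func Seal(tenant, object string, counter uint64, plaintext []byte) ([]byte, error) {
	g, err := aead(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize()) // 12 bytes, counter in the low 8
	binary.BigEndian.PutUint64(nonce[4:], counter)
	aad := []byte(tenant + "/" + object)
	return g.Seal(nonce, nonce, plaintext, aad), nil // stored form: nonce || ciphertext || tag
}

// Open reverses Seal; any mismatch in key, AAD or ciphertext is an error.
func Open(tenant, object string, stored []byte) ([]byte, error) {
	g, err := aead(tenant)
	if err != nil {
		return nil, err
	}
	if len(stored) < g.NonceSize() {
		return nil, errors.New("stored object too short")
	}
	nonce, ct := stored[:g.NonceSize()], stored[g.NonceSize():]
	return g.Open(nil, nonce, ct, []byte(tenant+"/"+object))
}

// Results reports which attempts succeeded; only RoundTrip should.
type Results struct {
	RoundTrip     bool // owner reads its own object
	CrossTenant   bool // another tenant's key
	RenamedObject bool // same tenant, ciphertext moved to a different object name
	BitFlipped    bool // one byte of the stored blob changed
}

func Demo() (Results, error) {
	record := []byte("tenant-a customer record (constructed)")
	blob, err := Seal("tenant-a", "customers/42", 1, record)
	if err != nil {
		return Results{}, err
	}
	var r Results
	pt, err := Open("tenant-a", "customers/42", blob)
	r.RoundTrip = err == nil && string(pt) == string(record)
	_, err = Open("tenant-b", "customers/42", blob)
	r.CrossTenant = err == nil
	_, err = Open("tenant-a", "customers/43", blob)
	r.RenamedObject = err == nil
	bad := append([]byte(nil), blob...)
	bad[len(bad)-1] ^= 0x80 // last byte is inside the GCM tag
	_, err = Open("tenant-a", "customers/42", bad)
	r.BitFlipped = err == nil
	return r, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("%+v %v\n", r, err)
}
```

The same authenticate-and-encrypt property is what IPsec and TLS provide for data in motion; the point of showing it at rest is the AAD binding, which turns "encrypted" into "encrypted for exactly this tenant and this object". Per-tenant keys also give the isolation the passage asks for without a separate access-control path on the ciphertext store.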
The Fungible architecture for data center security is centered on Fungible's Data Processing Unit (DPU). The DPU provides comprehensive, programmable, hardware-based security processing, supporting complete offload and inline acceleration of security services at line rate and at no added cost. Here is Fungible's view of a security blueprint that can meet the demands of next-generation data centers:
Provide a secure design with a hardware root of trust.
Provide fine-grained access control policies.
Provide a secure communication channel.
Provide protection for data in motion and data at rest.
Provide real-time, fine-grained visibility into the data center for threat prevention.
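The access-control and visibility items of this blueprint, as an added example in Go that is not Fungible's code or any part of the original page: an enforcer that binds rules to workload labels rather than to addresses, counts enforcement decisions per rule as a telemetry tap point, and is compared with a legacy IP-based ACL when a workload is rescheduled to a new address and when its old address is reused by another tenant's workload. All workloads, labels, addresses and rules are constructed.

```go
package main

import "fmt"

// Workload is a VM, container or microservice instance. Its identity is its
// label set; its address is incidental and changes whenever it is rescheduled.
type Workload struct {
	Name   string
	IP     string
	Labels map[string]string
}

// Rule binds a policy to workload identity (labels), not to addresses.
// Every selector key must match for the rule to apply.
type Rule struct {
	Name     string
	Src, Dst map[string]string
	Port     int
}

// Enforcer evaluates flows default-deny and keeps per-rule counters: the
// "tap point" an operator reads to see usage and enforcement in real time.
type Enforcer struct {
	Rules      []Rule
	AllowCount map[string]int
	DenyCount  int
}

func NewEnforcer(rules []Rule) *Enforcer {
	return &Enforcer{Rules: rules, AllowCount: map[string]int{}}
}

func selects(sel, labels map[string]string) bool {
	for k, v := range sel {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// Permit decides src -> dst:port; first matching rule wins, otherwise deny.
func (e *Enforcer) Permit(src, dst Workload, port int) (bool, string) {
	for _, r := range e.Rules {
		if r.Port == port && selects(r.Src, src.Labels) && selects(r.Dst, dst.Labels) {
			e.AllowCount[r.Name]++
			return true, r.Name
		}
	}
	e.DenyCount++
	return false, "default-deny"
}

// ipACL is the legacy, infrastructure-bound model: entries keyed on
// "srcIP->dstIP:port", written down when a workload first came up.
type ipACL map[string]bool

func (a ipACL) Permit(src, dst Workload, port int) bool {
	return a[fmt.Sprintf("%s->%s:%d", src.IP, dst.IP, port)]
}

// Outcome records what each model decided for one flow.
type Outcome struct{ IPACL, LabelPolicy bool }

func shopRules() []Rule {
	return []Rule{{
		Name: "web-to-db",
		Src:  map[string]string{"app": "shop", "tier": "web"},
		Dst:  map[string]string{"app": "shop", "tier": "db"},
		Port: 5432,
	}}
}

// Scenario runs three flows through both models. Workloads, labels and
// addresses are constructed for the example.
func Scenario() (map[string]Outcome, *Enforcer) {
	db := Workload{"shop-db", "10.0.2.9", map[string]string{"app": "shop", "tier": "db"}}
	web := Workload{"shop-web", "10.0.1.5", map[string]string{"app": "shop", "tier": "web"}}
	acl := ipACL{"10.0.1.5->10.0.2.9:5432": true} // captured when shop-web first started
	enf := NewEnforcer(shopRules())
	out := map[string]Outcome{}
	record := func(flow string, src Workload) {
		ok, _ := enf.Permit(src, db, 5432)
		out[flow] = Outcome{IPACL: acl.Permit(src, db, 5432), LabelPolicy: ok}
	}
	record("initial", web)

	web.IP = "10.0.1.77" // rescheduled: new address, same identity
	record("rescheduled", web)

	// A different tenant's workload lands on the address shop-web vacated.
	stranger := Workload{"billing-web", "10.0.1.5", map[string]string{"app": "billing", "tier": "web"}}
	record("address-reused", stranger)
	return out, enf
}

func main() {
	out, enf := Scenario()
	for _, flow := range []string{"initial", "rescheduled", "address-reused"} {
		fmt.Printf("%-15s ip-acl=%-5v label-policy=%v\n", flow, out[flow].IPACL, out[flow].LabelPolicy)
	}
	fmt.Printf("telemetry: allow=%v deny=%d\n", enf.AllowCount, enf.DenyCount)
}
```

The two failure modes of the address-bound ACL are the ones that matter operationally: after a reschedule it blocks legitimate traffic, and after address reuse it admits a workload that was never authorized. The label-bound rule gets both cases right, and the per-rule counters expose every decision so an operator can see both the rule being exercised and the default-deny firing.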
