The Early Adopter’s Guide to Securing the Software-Defined Data Center

With Gartner estimating that more than 85% of data center workloads are now virtualized, it’s clear that the age of the software defined data center (SDDC) is upon us. The next steps in the evolution toward SDDC will be moving other traditionally hardware-bound functions like networking and storage into a full “as-a-service” model, so that applications and workloads can be flexibly provisioned and resourced in both private and public cloud environments.

There are many IT and business advantages to infrastructure virtualization, including:

• More flexible and fluid allocation of existing resources
• Faster deployment of new resources
• Lower failure rates
• Higher availability
• Hardware and processing workloads can be managed independently

Given these benefits, it’s not surprising that one study predicts the SDDC market will grow at a compound annual rate of 28.8% over the next four years to surpass $77 billion in 2020.

However, SDDC also introduces some new complexities, particularly in the area of security. One of the few advantages of the old hardware-constrained model was that breaches could be more easily confined to physical servers. That isn’t the case with virtual infrastructure. Intruders may be more difficult to detect and may also be able to do more damage by traversing virtual machines (VMs) once inside the firewall.

That isn’t a reason to ignore the many benefits of a fully virtualized architecture, however. By designing security into the migration process, IT organizations can actually improve their defenses.

One of the reasons companies struggle with security today is that they’ve applied tools and technologies in a patchwork fashion over time as computers have become more connected and new threats have emerged. SDDC is an opportunity to rethink your approach to the data center. By baking security into the process, you can make your entire infrastructure more resilient.

Take Advantage of Automation

The SDDC is characterized by a high degree of automation because many tasks that were once performed manually in hardware have moved to software. Automation is useful for security as well. New security technologies are designed specifically for the unique characteristics of highly virtualized environments, such as large amounts of cross-VM traffic. Security pros can use automation to provision these tools according to the unique characteristics of each situation, rather than throwing them like a blanket over every asset in the data center.

For example, policy-driven automation can be used to provision specific security profiles for each application or virtual machine, with those protections traveling with the VM as it moves between on-premise and public cloud infrastructure.

The SDDC also permits more fine-grained tracking of activity across the network. A new breed of security analytics technology can gather system and network activity logs and analyze them to spot anomalies and suspicious patterns. Advanced threat intelligence shared between connected systems can provide all parties with better information about emerging threats. These capabilities not only give IT better visibility into the environment but also the capacity to more easily spot vulnerabilities that originate inside the organization, such as zombie servers and unauthorized use of cloud services.

As you proceed down the path toward SDDC, keep these best practices in mind:

• Adopt new security technologies designed specifically for virtualized environments, such as policy-based orchestration and intrusion detection systems designed to monitor “east-west” traffic between VMs.
• Choose low-risk pilots and sandboxed applications at first to become familiar with the tools and environment.
• Apply micro-segmentation, which subdivides the data center into logical elements that can each be managed with their own security policies. This helps to limit intruders from moving laterally within the infrastructure.
• Double down on existing practices such as policy implementation and control, monitoring, and patch management. Virtualized infrastructure makes patching easier because machines can be taken off-line temporarily without disrupting operations.
• Adopt tools that provide visibility into all tiers of the local network as well as any cloud infrastructure you may use.
• Most experts agree that breaches are inevitable, so have a strategy for quickly detecting, isolating and containing intruders.
• Use two-stage authentication and encryption with highly sensitive data.
• Subscribe to sources like the Open Networking Foundation to stay abreast of new developments in security for software-defined networks.

The software-defined data center opens new horizons in flexibility and scalability. Think security from the outset and your entire operation will be better off for it.

For more on this topic, download our new white paper, Three Key Considerations in Securing the Software-Defined Data Center.