
SDN Brings Micro-segmentation and Granular Policy to Secure the Data Center

Posted On: February 18, 2016

Topic: IT Hardware

With a software-defined data center (SDDC), service delivery is decoupled from the physical infrastructure: compute, storage and network capacity can be composed and reconfigured programmatically, without modifying or even physically touching the hardware.

An SDDC provides substantial benefits to an organization. The increased agility allows rapid infrastructure deployment and repurposing, so the organization can balance and prioritize workloads for performance and efficiency. A software-defined network (SDN) likewise shortens time to market for new applications, raises utilization and improves the return on infrastructure spending.

In addition, SDN enables more advanced security and threat protection than is possible with hardware alone. Traditional network architectures rely on perimeter protection, such as firewalls and intrusion detection and prevention platforms, because they assume that threats always come from outside the network, from unrecognized devices or addresses.

Why Micro-segmentation is Necessary

Today’s network environment has moved well beyond the basic assumption that threats arise only from traffic originating outside the organization, known as North-South traffic. Modern networks must be capable of managing traffic from inside and outside the organization, from both known and unknown devices and IP addresses.

East-West traffic, that is, traffic that moves from device to device inside the data center, has historically been considered safe. Once traffic has been admitted to the network, it is no longer subject to rigorous scrutiny by the existing perimeter controls.

Today, people access the network from personal devices and remote locations. With cloud services and BYOD policies, trusted and untrusted traffic can no longer be easily segregated, and a lost or compromised device still carries its owner's access. By the time the network administrator learns of the lost device, the damage may already have been done. The traditional network security maxim, "trust, but verify", no longer provides adequate protection.

A Zero Trust Solution

The new network reality requires a "zero-trust" architecture, which can be summed up as "never trust; always verify". Traditional network security rests on the idea of a trusted inner network and an untrusted outer network; under the new model, all traffic is untrusted. Even sources that are, or once were, trusted are treated as potential threats and must be verified, regardless of whether they originate inside or outside the network. At the same time, IT departments are under pressure to keep delivering the ease of access and performance expected for critical applications.

This balancing act requires a least-privilege strategy coupled with strict access control: each workload is permitted to talk only to the peers, protocols and ports it actually needs, and everything else is denied. Traditional hardware-based controls are quickly overwhelmed by the throughput needed to inspect East-West traffic and by the difficulty of reconfiguring them. SDN-enabled data center micro-segmentation is quickly becoming one of the key solutions for providing the enhanced security that today's data center requires.

Benefits of Micro-Segmentation and SDN

Automated provisioning and simple move, add or change operations let SDN overcome the traditional drawbacks of hardware segmentation. Because policy is configured in software, segmentation can be made increasingly fine-grained, down to the individual workload, and security policy can be enforced at every entry point. When a workload is removed, the underlying equipment is reassigned programmatically and the segmentation that protected the workload is removed along with it.

The result is that traffic must prove it is trustworthy at every entry point and cannot move freely across workloads, as it could under the older model that assumed continued trust once inside the firewall. With SDN, micro-segmentation is easily managed for both security and policy compliance, and performance is maintained by spreading the switching work across multiple parallelized switching cores.
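The following Python model is an added example, not code from the original post or from any particular SDN product, illustrating the three points of this section together: a default-deny, least-privilege policy expressed between workload tags; evaluation of every flow, North-South or East-West, against that policy rather than trusting anything "inside"; and programmatic removal of a workload that also removes the segmentation rules that referenced it. The workload names, tags, IP addresses and flow records are constructed for illustration, and the choice to garbage-collect rules whose tags no longer have any member is an assumption of this model, not a statement about how a real controller behaves.

```python
"""Added example (not from the original post): a minimal default-deny
micro-segmentation policy engine. Workloads carry tags; the only thing that
permits a flow is an explicit tag-to-tag rule. Everything else, including
East-West traffic between known workloads, is denied."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

ANY = "any"  # pseudo-tag: matches any source, including endpoints the controller does not know


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    proto: str
    port: int


class Segmenter:
    """Default-deny policy store: no rule, no flow; 'inside the firewall' buys nothing."""

    def __init__(self) -> None:
        self.workloads: Dict[str, Workload] = {}  # keyed by IP (constructed model)
        self.rules: Set[Rule] = set()

    def add_workload(self, wl: Workload) -> None:
        self.workloads[wl.ip] = wl

    def add_rule(self, src_tag: str, dst_tag: str, proto: str, port: int) -> None:
        self.rules.add(Rule(src_tag, dst_tag, proto, port))

    def remove_workload(self, ip: str) -> Set[Rule]:
        """Decommission a workload. Assumption of this model: rules that reference a
        tag with no remaining member are dropped too, so no stale opening outlives
        the workload. Returns the rules that were removed."""
        self.workloads.pop(ip)
        live = {t for w in self.workloads.values() for t in w.tags} | {ANY}
        stale = {r for r in self.rules if r.src_tag not in live or r.dst_tag not in live}
        self.rules -= stale
        return stale

    def tags_of(self, ip: str) -> FrozenSet[str]:
        wl = self.workloads.get(ip)
        return wl.tags if wl else frozenset()  # unknown endpoint carries no trust at all

    def decide(self, src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, Optional[Rule]]:
        """Evaluate one flow. Origin (inside/outside) plays no role; only tags and rules do."""
        src_tags = self.tags_of(src_ip) | {ANY}
        dst_tags = self.tags_of(dst_ip)
        for r in self.rules:
            if r.src_tag in src_tags and r.dst_tag in dst_tags and r.proto == proto and r.port == port:
                return "ALLOW", r
        return "DENY", None


# Constructed flow records: (src_ip, dst_ip, proto, dst_port)
FLOWS: List[Tuple[str, str, str, int]] = [
    ("203.0.113.5", "10.0.1.10", "tcp", 443),   # North-South: internet -> web tier
    ("10.0.1.10", "10.0.2.10", "tcp", 8080),    # East-West: web -> app, the intended path
    ("10.0.1.10", "10.0.3.10", "tcp", 5432),    # East-West: web straight to db (lateral movement)
    ("10.0.2.10", "10.0.3.10", "tcp", 5432),    # East-West: app -> db, the intended path
    ("10.0.3.10", "10.0.1.10", "tcp", 22),      # East-West: db reaching back to web over ssh
    ("203.0.113.5", "10.0.3.10", "tcp", 5432),  # North-South: internet -> db directly
]


def build_demo() -> Segmenter:
    """Three-tier application with least-privilege rules between tiers (constructed)."""
    seg = Segmenter()
    seg.add_workload(Workload("web-01", "10.0.1.10", frozenset({"web"})))
    seg.add_workload(Workload("app-01", "10.0.2.10", frozenset({"app"})))
    seg.add_workload(Workload("db-01", "10.0.3.10", frozenset({"db"})))
    seg.add_rule(ANY, "web", "tcp", 443)     # only the web tier is reachable from anywhere
    seg.add_rule("web", "app", "tcp", 8080)  # web may call app, nothing else
    seg.add_rule("app", "db", "tcp", 5432)   # app may call db, nothing else
    return seg


def verdicts(seg: Segmenter, flows: List[Tuple[str, str, str, int]]) -> List[str]:
    return [seg.decide(*f)[0] for f in flows]


if __name__ == "__main__":
    seg = build_demo()
    for f, v in zip(FLOWS, verdicts(seg, FLOWS)):
        print(f"{v:5} {f[0]:>13} -> {f[1]}:{f[3]}/{f[2]}")
    removed = seg.remove_workload("10.0.2.10")  # app tier decommissioned programmatically
    print("rules removed with app-01:", sorted(f"{r.src_tag}->{r.dst_tag}" for r in removed))
    print("verdicts after removal:", verdicts(seg, FLOWS))
```

Running the script shows the two intended East-West paths allowed and the three lateral or reverse paths denied even though they are between "inside" hosts; after the app tier is removed, the web-to-app and app-to-db rules go with it, so the only flow still permitted is the North-South path to the web tier.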