Reclaiming The Network Perimeter

The traditional network perimeter has vanished, but new architectures allow you to control security at the virtual machine or via cloud infrastructures.


Cloud computing and virtualization have drastically changed enterprise IT over the past several years, yet security components and architectures have largely remained the same. The concept of traditional perimeter security -- a valid architecture in the past -- is now ineffective in many areas.

Today's network infrastructures and sensitive corporate data have multiple points of entry. Some of these are owned and controlled by the enterprise; service providers manage others. Controlling security end to end across all of them is next to impossible with today's security tools.

Two schools of thought are emerging to address this issue. One recommends moving perimeter security all the way back to the virtual machine level, where policies and data flows are monitored and enforced, all under the control of a centralized management system. Alternatively, some vendors are developing ways to provide complete transparency and pass control of network security back to cloud customers. So which solution is right for you?

Before virtualization and cloud computing became mainstream, IT security was a much easier task. The firewall acted as the sole traffic cop by allowing Internet users access only to a defined set of services that lived on a segmented demilitarized zone, or the externally facing network. This protected internal resources by blocking virtually anything from an untrusted Internet from getting into the corporate network. The company privately leased or owned its WAN links and managed all remote data and servers in house. And, most importantly, it stored its data either locally on servers or on dedicated backend storage networks.

But once virtualization and cloud computing took off, suddenly you had network components that were managed by a third party. Additionally, data could be stored in-house, in the cloud, or virtually anywhere else you wanted it. These advancements were great for utility and redundancy, but they caused all kinds of data security problems.

One solution to the IT security perimeter problem is simply to move the perimeter back to the virtual machine level. A company called vArmour -- a startup that recently came out of stealth mode -- is looking to do just that by hardening what is visible in the cloud. For IaaS offerings, the virtual machine becomes the new perimeter; it's the first visible line of defense that the customer can manage. Placing probes on each VM allows data flows to be monitored and flagged or denied if suspicious behavior is detected. This methodology lets your service provider continue to manage and secure the infrastructure as it sees fit, while ensuring your data and applications are protected.
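To make the contrast between the two models concrete, here is an added illustration (not code from vArmour or from the article) that models the edge firewall described above and a per-VM probe enforcing a centrally managed, default-deny policy. The addresses, VM roles, allowed flows and sample traffic are all constructed for the example; the point it shows is which flows each model can even see, and which it denies or flags.

```python
"""Edge firewall versus per-VM perimeter, modelled as two policy evaluators.

Added illustration; the addresses, roles and rules are constructed, not taken
from any vendor product.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    dport: int  # destination TCP port


# --- Traditional model: one firewall at the Internet edge --------------------
CORP = ip_network("10.0.0.0/8")          # everything the company owns (constructed)
DMZ = ip_network("10.1.0.0/16")          # segmented, externally facing network
DMZ_SERVICES = {("10.1.0.10", 443), ("10.1.0.20", 25)}  # the published services


def edge_firewall(flow: Flow) -> str:
    """Verdict of an edge firewall that only sees traffic crossing the perimeter."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in CORP and dst in CORP:
        return "UNSEEN"   # east-west traffic never passes through the edge
    if src not in CORP:
        # Inbound from the untrusted Internet: only defined DMZ services are reachable
        if dst in DMZ and (flow.dst, flow.dport) in DMZ_SERVICES:
            return "ALLOW"
        return "DENY"
    return "ALLOW"        # outbound from the corporate network is permitted


# --- VM-as-perimeter model: centrally managed policy, enforced per VM --------
VM_ROLES = {                 # assigned by the central management system (constructed)
    "10.1.0.10": "web",
    "10.1.0.20": "mail",
    "10.2.0.5": "app",
    "10.3.0.7": "db",
    "10.4.0.9": "workstation",
}
# Allowed flows as (source role, destination role, destination port); "any"
# matches every source, including the Internet. Everything else is denied.
ALLOWED_FLOWS = {
    ("any", "web", 443),
    ("any", "mail", 25),
    ("web", "app", 8080),
    ("app", "db", 5432),
}
SENSITIVE_ROLES = {"db"}     # unexpected traffic to these roles also raises an alert


def vm_probe(flow: Flow) -> str:
    """Verdict of the probe on the destination VM, applying the central policy."""
    src_role = VM_ROLES.get(flow.src, "external")
    dst_role = VM_ROLES.get(flow.dst)
    if dst_role is None:
        return "DENY"     # destination is not a managed VM: no rule can allow it
    for src_rule, dst_rule, port in ALLOWED_FLOWS:
        if src_rule in ("any", src_role) and dst_rule == dst_role and port == flow.dport:
            return "ALLOW"
    # Suspicious: an unexpected source reaching a sensitive VM is flagged as well as denied
    return "DENY+ALERT" if dst_role in SENSITIVE_ROLES else "DENY"


def compare(flows):
    """Return (flow, edge verdict, per-VM verdict) for each flow."""
    return [(f, edge_firewall(f), vm_probe(f)) for f in flows]


# Constructed sample flows
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "10.1.0.10", 443),   # Internet -> published web service
    Flow("198.51.100.7", "10.3.0.7", 5432),   # Internet -> database directly
    Flow("10.1.0.10", "10.2.0.5", 8080),      # web tier -> app tier
    Flow("10.2.0.5", "10.3.0.7", 5432),       # app tier -> database
    Flow("10.4.0.9", "10.3.0.7", 5432),       # workstation -> database (lateral)
]

if __name__ == "__main__":
    for flow, edge, vm in compare(SAMPLE_FLOWS):
        print(f"{flow.src:>14} -> {flow.dst}:{flow.dport:<5} edge={edge:<7} vm={vm}")
```

Running it shows the difference the article is pointing at: the edge firewall handles the north-south cases correctly but returns `UNSEEN` for every flow between two internal hosts, so a workstation talking directly to the database is never evaluated. The per-VM probe applies the same central policy to every flow that reaches a managed VM, allows only the declared tiers, and flags the lateral connection to the sensitive database role for the operations team.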

A different approach is to hand control of infrastructure security back to the customer. This is essentially what Cisco's InterCloud and VMware's NSX architectures are seeking to accomplish. Imagine a day when security postures from your private data center can be copied and pushed out to any number of hybrid cloud providers. There will be no more duplicating rules and reinventing the wheel from a security perspective. Best of all, you'll actually get to see and control your cloud infrastructure just as if it were your privately owned equipment.

The bottom line is that both solutions attack the same problem: a security perimeter that virtualization and cloud computing have eroded over the past decade. IT security can't be decoupled from the underlying network infrastructure, but the perimeter can be pushed back or reclaimed using one of these competing architectures.

About the Author(s)

Andrew Froehlich, President, West Gate Networks


As a highly experienced network architect and trusted IT consultant with worldwide contacts, particularly in the United States and Southeast Asia, Andrew Froehlich has nearly two decades of experience and possesses multiple industry certifications in the field of enterprise networking. Froehlich has participated in the design and maintenance of networks for State Farm Insurance, United Airlines, Chicago-area schools and the University of Chicago Medical Center. He is the founder and president of Loveland, Colo.-based West Gate Networks, which specializes in enterprise network architectures and data center build outs. The author of two Cisco certification study guides published by Sybex, he is a regular contributor to multiple enterprise IT related websites and trade journals with insights into rapidly changing developments in the IT industry.
