Industry Trends

Security in a Virtual World

By Jonas Tichenor | February 10, 2015

Many organizations are moving to virtualized and cloud-based infrastructure. The potential benefits are well-proven, but security is just as important as in physical and on-premises environments.

In early 2014, Gartner reported that over 50% of all server workloads had been virtualized and predicted that the vast majority would be virtualized by next year. At the same time, Ovum expects that 80% of enterprises around the world will be using Infrastructure as a Service (IaaS) in a variety of capacities by 2016. I could cite statistics and anecdotes ad nauseum, but the bottom line is clear: businesses are virtualizing servers, desktops, network functions, and more, while the cloud (whether public, private, or hybrid) is quickly becoming the dominant platform for enterprises both big and small.

None of this should be surprising. Virtualization delivers efficiency and agility while the cloud, regardless of how it is deployed or consumed, provides a scalable, flexible platform for everything from software deployments to web-scale storage. It’s a win-win all around, right?

Almost...While organizations almost universally deploy firewalls and other network security measures in their own data centers, it’s easy to take a less rigorous approach to security in environments where self-service, rapid provisioning, and quick deployments are the norm. In fact, as more components of the data center become “software-defined” with orchestration platforms rapidly shifting resources and virtual network infrastructure to accommodate demand, maintaining robust security is increasingly challenging.

2014 has already gone down as the “Year of the Breach” - security is front and center in the minds of both consumers and businesses. But how do we reconcile our need for dramatically improved approaches to security with the breakneck speed of innovation around cloud services and virtualization? More concretely, how do you secure a hybrid cloud environment with software and services deployed across on-premises private clouds, hosted private clouds, and public IaaS?

The goal of most modern cloud architectures is to make these hybrid environments transparent to users and software. That’s the holy grail of virtualization - no matter where compute resources actually reside, abstract the software from the hardware and simply use what you need to get the job done. But from a network and application security perspective, do you really want to hand the proverbial keys to the castle to any hacker who manages to breach this flattened, seamlessly connected computing framework?

The short answer is “of course not”. The longer answer involves the same sort of layered, multifaceted approach to security that represents best practice in physical data centers (or any on-premises computing for smaller organizations that don’t have the need for a dedicated data center). Endpoints still need protection, preferably with hooks into centralized security measures with advanced threat intelligence. Cloud providers need to ensure that their data centers have appropriate perimeter protection in the form of either physical or virtual next-generation firewalls while private, on-premises installations also require advanced threat protection.

Connections between clouds require secure VPNs or other encrypted connections that still support the throughput necessary to maintain high-speed, transparent data flow. Applications, databases, mail servers, etc., require purpose-built protection, just as they would in physical environments. Network security appliances should be centrally manageable and connected with threat intelligence networks. However, the beauty of virtual environments is that many of these appliances can be, well, virtualized. In the example below, a distributed enterprise uses a variety of virtual appliances to replicate the sorts of protections that physical devices might provide on a traditional WAN/LAN and on-premises data center.

All of the devices in the schematic above with a “-VM” suffix are virtual appliances.

The other advantage of this approach, assuming that your virtual appliances support it, is integration with orchestration platforms in software-defined networks and data centers and with virtual networking functions in the hypervisors running your virtual environment. This integration means that rapid changes in routing tables or virtual infrastructure, for example, don’t leave security holes open in application or network firewall appliances.

The key takeaway here is that we’re all racing towards a virtualized, as-a-service world. We just need to make sure that race involves top-notch security protections, even if we aren’t plugging firewalls into racks like we did in the old days.

To hear about Fortinet’s powerful new VMWare virtual appliances and our deepening integration with the VMWare ecosystem, check out the video below and read last week’s announcement. For our complete line of virtual security appliances, click here.

Join the Discussion