ACG Research

We focus on the Why before the What

Friday, April 22, 2011

Why Virtualized Data Center Security? The $36 Million Dollar Answer

In my previous column, "Data Center Security: Only as Strong or Safe as the Weakest Link," I discussed the seriousness of security in relation to data centers. Yesterday’s news emphasizes that security is serious business: A 26-year-old computer hacker pleaded guilty on Thursday to stealing hundreds of thousands of credit card numbers, causing losses of more than $36 million. Rogelio Hackett, of Lithonia, Georgia, stole 675,000 credit card numbers by hacking into business computer networks, downloading credit card databases or purchasing them on the Internet. He also admitted that he sold credit card information and counterfeit cards to acquire gift cards and merchandise.

This breach is not unusual: although the amount of data lost to cyber attacks dropped significantly in 2010, the number of breaches jumped, with confirmed cases of compromised data rising to 761 in 2010 from 141 in 2009.[1] And with the proliferation of new data and end-user packaged services such as managed security, compliance and cloud, SPs are under increased pressure to ensure that their data centers have network architecture, systems and robust policies in place to guard against hacking and malware. With network services delivered by multiple data centers and application servers (or more frequently by third parties with applications hosted in remote data centers across the Internet), each layer within the data center must have security protocols that guard against potential breaches.

One safeguard that SPs can employ is system virtualization, which can effectively address and improve data center security. In a virtualized data center, LANs, storage area networks, and servers are virtualized so that a single physical network or system element can run multiple logical elements. In a layered security model, security boundaries are controlled so that trusted network components are separated from unreliable components. IT personnel may designate multiple boundaries and assign multiple layers of protection to systems. By managing network elements and systems inside the boundaries differently from those outside them, managers provide an added level of security. The importance of a system or component, and how vulnerable it is, determines whether it falls within or outside of a boundary and how deeply it is embedded. Additionally, the layered security architecture is correlated to the virtualization architecture that is implemented in the data center. This is done by mapping virtual networks at layer 2 and layer 3 to virtual storage networks and virtual servers. This model not only improves scalability and reduces OpEx related to energy, but it also improves data center security by isolating components of the network and system infrastructure and mapping the virtualization and security defenses in the network to the virtualization models deployed across the entire data center.
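To make that mapping concrete, here is an added example (not part of the original column) that audits whether each virtual server's layer 2 network, layer 3 network and virtual storage network all sit in the same security zone as the server itself. The zone names, element names and inventory are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory: the security zone each virtual element is assigned to.
ZONE_OF = {
    "vlan": {"vlan110": "dmz", "vlan210": "app", "vlan310": "cardholder"},
    "vrf":  {"vrf-dmz": "dmz", "vrf-app": "app", "vrf-chd": "cardholder"},
    "vsan": {"vsan10": "dmz", "vsan20": "app", "vsan30": "cardholder"},
}

# Constructed virtual servers: their zone and the virtual elements they attach to.
VMS = [
    {"name": "web01", "zone": "dmz", "vlan": "vlan110", "vrf": "vrf-dmz", "vsan": "vsan10"},
    {"name": "app01", "zone": "app", "vlan": "vlan210", "vrf": "vrf-app", "vsan": "vsan20"},
    # db01 stores cardholder data on a storage network that belongs to the app zone.
    {"name": "db01", "zone": "cardholder", "vlan": "vlan310", "vrf": "vrf-chd", "vsan": "vsan20"},
    # rpt01 is attached to a VLAN nobody has placed inside any boundary.
    {"name": "rpt01", "zone": "app", "vlan": "vlan999", "vrf": "vrf-app", "vsan": "vsan20"},
]

def audit(vms, zone_of):
    """Return (vm, kind, element, problem) tuples where the virtualization
    mapping does not line up with the security boundaries."""
    findings = []
    users = defaultdict(set)  # (kind, element) -> zones of the VMs attached to it
    for vm in vms:
        for kind in ("vlan", "vrf", "vsan"):
            elem = vm[kind]
            users[(kind, elem)].add(vm["zone"])
            elem_zone = zone_of[kind].get(elem)
            if elem_zone is None:
                findings.append((vm["name"], kind, elem, "element has no zone"))
            elif elem_zone != vm["zone"]:
                findings.append((vm["name"], kind, elem,
                                 f"VM zone {vm['zone']} != element zone {elem_zone}"))
    # One logical element serving VMs from several zones defeats the isolation.
    for (kind, elem), zones in sorted(users.items()):
        if len(zones) > 1:
            findings.append(("*", kind, elem, "shared by " + ",".join(sorted(zones))))
    return findings

if __name__ == "__main__":
    for finding in audit(VMS, ZONE_OF):
        print(*finding, sep=" | ")
```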

Securing data centers is not simple and requires stringent security design at every layer, which must complement the logical design and systems requirements in the data center. SPs must be able to quickly identify and respond to evolving threats, protect their critical assets, and enforce their business policies. Not having these requirements in place could end up costing a service provider millions, $36 million to be exact.

[1] Data Breach Investigations Report

Ray Mota

Wednesday, April 20, 2011

Ethernet QoS: Trust, But Always Verify

Unlike legacy Frame Relay and later ATM, Ethernet initially lacked the quality of service (QoS) guarantees that business customers had grown accustomed to. Not surprisingly, enterprises and even wholesale carrier customers were reluctant to adopt Ethernet services. By creating mechanisms that separate different QoS service levels via virtual LANs (“best-effort”, priority data, and a stringent QoS class), service providers can offer various service level agreements (SLAs) to meet enterprise or wholesale carrier customer requirements. Of course, service providers have to provide consistent Ethernet QoS whether the service is running over their own network or over that of a third-party provider partner. While service providers have more direct control of Ethernet QoS when it runs on their own network, it becomes even more challenging when they have to leverage a third party’s facilities to meet a customer’s needs that reside outside their network footprint.

Download this eBook to learn about approaches, challenges and opportunities in achieving consistent Ethernet service QoS. Ethernet QoS: Trust, But Always Verify - FierceTelecom

Ray Mota

Saturday, April 9, 2011

Data Center Security: Only as Strong or Safe as the Weakest Link

Although a government shutdown was averted, had it happened, cyber security and the provision of impregnable networks for the CIA, FBI and other U.S. government agencies, with limited staffing and resources, could have been severely compromised, with huge consequences and repercussions for these and other departments, not unlike the security issues faced by enterprises. Data centers, whether government or enterprise owned, are key targets for criminals trying to hijack, steal or destroy critical and confidential information.

Enterprises and service providers must be able to quickly identify and respond to evolving threats, protect critical assets, and enforce their business policies. They need to understand that when they consider security they cannot look at it only as a point solution but must treat it as an end-to-end solution. Why? Because your security system is only as strong or safe as the weakest link in a network or infrastructure, and having the appropriate security tools and controls ensures that firewalls and servers are not breached and systems are not at risk.

The security requirements vary somewhat when you consider the differences between enterprises and service providers. Enterprises are very critical about their networks and the importance of their infrastructure in relation to their business initiative. Essentially, they either manage their own network or have a partnership and coordinate their infrastructure/network security with a group of trusted managed service providers.

Service providers, on the other hand, must understand that just as with enterprises, applications are driving their networks. However, the key difference is that service providers are dealing with either hundreds or thousands of unrelated networks, each of which requires traffic flow isolation and impenetrable security, both potentially costly requirements.

What must enterprises and service providers do to address the goals of (1) maintaining and upgrading the integrity of their network security while simultaneously (2) offering more services and expanding their market and (3) reining in their OpEx?

To address their market share and retain their competitiveness, service providers must increase their content and applications, which demand more complex infrastructure. Since all service providers are moving to IP because of the flexibility and potential cost savings (driven by convergence), security must be impregnable because IP increases security risk. Additionally, service providers need to maximize the value of each service they deliver, either through multiplay or some managed service offering, both of which also have security requirements.

When it comes to service and security, the bottom line is that SPs need to, at a minimum, implement scalable, high-performance, reliable, and inviolable networks; manage multiple remote connections; and monitor and address potential security issues from many sources without degrading the customers’ experience. The challenge becomes one of juggling and balancing security and performance without compromising either.