East-west traffic has always been a second-class citizen when it comes to security. It’s time to stop the discrimination!

We live in a world where cyber security threats are omni-present and omni-potent. A month does not go by without yet another malicious attack and breach of sensitive data. For the organizations affected, credibility is lost and brand is devalued. The above- and below-the-surface costs to recover from these attacks can range from millions to billions of dollars. Unless acted upon, this situation is expected to worsen; exposing millions more to increasingly sophisticated cyber attacks. As a result, for many organizations such as financial services and healthcare, the adoption of cloud is dampened due to paranoia around data losses and leaks.

Whether you’re maintaining an on-premise data center or using a public cloud facility, the need to protect your applications and data from a growing number of imminent threats is critical.

Perimeter defense offers a deeply flawed sense of security 

Data center operators and cloud service providers make huge investments protecting their infrastructure against external attacks on the north-south traffic entering and exiting their networks. But few pay attention to threats facing the east-west traffic that flows within their data centers.

According to Cisco’s Global Cloud Index, east-west traffic will represent 85 percent of total data center traffic by 2021, and north-south traffic will account for the remaining 15 percent of traffic associated with data centers. This is due to several factors, among them:

  1. The implementation of microservices-based architecture and container technology. Applications are decomposed into entities such as microservices or containers. These entities are instantiated across servers interconnected by fast and low latency links.
  2. The shift from hyper-converged to composable disaggregated infrastructure (CDI). With CDI, storage is effectively disaggregated from compute, enabled by modern storage protocols such as NVMe and NVMe over Fabrics.
  3. The proliferation of distributed AI/ML workloads. Large scale datasets and computation needs are driving the need to pool resources across racks.

In concert with the growth in network I/O, threats targeting east-west traffic are also mounting. Therefore, when it comes to securing data center infrastructure, it is no longer acceptable to favor north-south over east-west traffic.

A robust, security solution for modern data centers must involve protecting all traffic against various security vectors such as access control, authentication, data confidentiality, integrity, availability etc.

To secure the perimeter of the data center, organizations commonly use physical security appliances which implement functions such as L4-L7 firewalls, intrusion detection and prevention, DDoS mitigation, proxy engines etc. to prevent unauthorized content from infiltrating and exfiltrating the data centers. Beyond the perimeter of the data center, security solutions need to embrace and adapt to the dynamic nature of workloads and the evolving infrastructure inside the data center. Antiquated approaches such as the traditional appliance model or static policies will no longer work.

Clearly, there is no single silver bullet that can address these diverse requirements.

The Security Blueprint

Here is Fungible’s view of a holistic security blueprint that can meet the demands of next generation data centers:

  • Root of trust: Any firmware or software code running on compute, networking or storage systems needs to be authenticated and authorized before it is allowed to run. To achieve this, security mechanisms such as immutable keys must be implemented in hardware root of trust.
  • Secure services: Static access control policies that are tied to physical infrastructure are no longer sufficient in today’s microservices and container-based architecture. Policy management needs to be application-based. Fine-grained policies need to be dynamically applied to individual workloads, VMs, containers etc. leveraging micro-segmentation techniques. To support this effectively, the compute, storage, networking and security controllers in the infrastructure must be well integrated.
  • Secure communication and data-in-motion: Security protocols such as IPSec or SSL/TLS are used to secure data movement over an insecure underlay network by authenticating and encrypting the data. Improvements in the protocols e.g. larger key sizes have resulted in the exponential growth of computation requirements. To improve performance-cost efficiencies, hardware accelerated solutions are needed. Another approach would be to mitigate the need for these security protocols by ensuring that the data center fabric itself is secure.
  • Secure data-at-rest: Protecting data stored in persistent storage is viewed as table stakes today. A secure data center must ensure data isolation and preservation of privacy amongst various users. To achieve this, robust authentication and encryption services must be in place.
  • Visibility: Real-time and fine-grain visibility into data center operations enable threats to be prevented or neutralized quickly. To support a real-time view of usage and enforcement of policies, security solutions must provide programmable and configurable tap points to enable the gathering of statistics and telemetry.

Fungible’s Data Processing Unit (DPU) Offers Pervasive Security for Next Generation Data Centers

The Fungible architecture for data center security is centered around Fungible’s Data Processing Unit (DPU). The DPU is designed to offer uncompromising and comprehensive programmable hardware-based security processing, supporting complete offload and inline acceleration of security services at line rates.

Although security is never absolute, a thoughtful holistic approach to security reduces risks manyfold. The era of deploying just security appliances at network gateway points is over. Organizations looking for a Fort Knox-level security solution to shield their most sensitive data and assets can depend on Fungible’s Data Processing Unit to offer a holistic solution that may well come close to the elusive silver bullet.

Watch this space for an upcoming video and whitepaper on this topic!