Guest Column | November 1, 2016

Will Your Virtual Data Traffic Take The Detour Around Your Firewalls?


By Yoav Shay Daniely, Principal Product Manager, Cloud Security, Check Point Software

We’re soon going to need a new descriptor when we refer to the data center. This rings true because network virtualization across private and public environments means the compute and storage resources that facilitate on-demand networking no longer sit statically in what could be considered a typical data center. Virtual workloads now dart around like bees in a field of clover. It’s no longer a question of if but when all of this will affect your network.

Cisco estimates cloud platforms will process 86 percent of workloads by 2019. RightScale reports 95 percent of businesses use on average three public clouds and three private clouds. These dynamic pools of computing and storage resources are making traditional data centers like fax machines; you still likely have one, but hardly anyone uses it and what they are using it for is highly specialized.

Since the introduction of the first virtual machines, server admins have benefited from a more dynamic compute model that also helped lower costs associated with equipment, power, cooling, and maintenance. Data center administrators are now able to apply the concept of virtualization to the network, which had become the bottleneck to dynamic, application-centric infrastructure. As a result, network admins and application developers are able to utilize the pools of compute, storage and now networking to rapidly provision new applications or expand existing ones on demand.

This changeover to virtual infrastructure has a profound effect on cybersecurity. In old-school data centers, the majority of data traveled north from servers to the firewall and south from the firewall to servers. However, in virtual and software-defined networks, up to 80 percent of traffic travels east and west among virtualized applications and various network sectors. This traffic now goes virtually (pun intended) uninspected by the very security foundation that was deployed to protect it.

This trend could prove disastrous for businesses that utilize virtualized networks. If a threat were to get introduced into this new environment — and there is no shortage of techniques the bad guys are employing to infiltrate today’s data center networks — the threat could then run unimpeded, spreading to and infecting much of the infrastructure without anything to stop it. What’s more, mobile apps, cloud apps and partner apps all connect services to users outside data centers through pathways not scanned by traditional security controls. All it takes is a single malware compromise on a minor web service and the entire network is at risk.

To keep virtual public and private clouds secure, a good rule of thumb is to segment your network and applications like we’ve done in our physical networks. This is called micro-segmentation in the software-defined world, which allows virtualized elements to be logically grouped together and establishes rules for how these groups can communicate with one another. This level of segmentation is also critical for getting control of cloud-based workflows traveling in new directions due to cloud platforms and domains.

However, micro-segmentation by itself is only part of the solution. To combat threats that get introduced into the virtual network, businesses also need advanced threat prevention security that works alongside micro-segmentation to actually inspect all traffic, keeping the bad stuff out and ensuring only what is desired gets through.

Advanced threat prevention security in virtualized environments, like any pooled networking resource, needs to be centrally orchestrated and provisioned so it can follow apps and workflows as they are created, grow and move. Also, the security should be intelligent enough to understand how all assets and elements are classified to ensure the proper security actions can be applied, regardless of where an asset is at any given time.
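The two ideas above, grouping workloads by classification with rules for how groups may talk (micro-segmentation) and security that follows an asset wherever it moves, can be made concrete with a small policy evaluator. The following is an added example written for this column, not code from the author or from Check Point: the workload names, addresses, tags, ports and rules are constructed sample data, and the allow-list is keyed on tags rather than IP addresses so that a workload migrating to a new address keeps the same protections. It also computes the "blast radius" of a compromised workload under the segmented policy versus a flat east-west network with no inspection, which is the risk the column describes.

```python
"""Tag-based micro-segmentation policy evaluator with blast-radius analysis.

Added illustration; not code from the column or from Check Point. Workload
names, addresses, tags, ports and rules below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Workload:
    name: str
    ip: str                      # where the workload happens to be right now
    tags: set = field(default_factory=set)   # classification, e.g. tier / app


@dataclass(frozen=True)
class Rule:
    src_tags: frozenset          # every tag must be present on the source
    dst_tags: frozenset          # every tag must be present on the destination
    port: int                    # destination port the rule permits


# Constructed inventory: a three-tier "shop" app plus an unrelated "blog" web node.
INVENTORY = [
    Workload("web-1", "10.0.1.10", {"tier:web", "app:shop"}),
    Workload("app-1", "10.0.2.20", {"tier:app", "app:shop"}),
    Workload("db-1", "10.0.3.30", {"tier:db", "app:shop"}),
    Workload("blog-1", "10.0.1.11", {"tier:web", "app:blog"}),
]

# Allow-list expressed in terms of classification, not addresses.
# Any flow not matched by a rule is denied (default deny).
POLICY = [
    Rule(frozenset({"tier:web", "app:shop"}), frozenset({"tier:app", "app:shop"}), 8080),
    Rule(frozenset({"tier:app", "app:shop"}), frozenset({"tier:db", "app:shop"}), 5432),
]


def lookup(inventory, ip):
    """Resolve an address to the workload currently holding it, or None."""
    for w in inventory:
        if w.ip == ip:
            return w
    return None


def is_allowed(inventory, policy, src_ip, dst_ip, dst_port):
    """Default-deny decision for one east-west flow, based on workload tags."""
    src, dst = lookup(inventory, src_ip), lookup(inventory, dst_ip)
    if src is None or dst is None:
        return False             # unknown endpoint: deny, so it shows up in logs
    return any(
        r.src_tags <= src.tags and r.dst_tags <= dst.tags and r.port == dst_port
        for r in policy
    )


def flat_policy(policy):
    """Model an unsegmented network: the same ports, but open between all workloads."""
    return [Rule(frozenset(), frozenset(), r.port) for r in policy]


def reachable(inventory, policy, start_name):
    """Workloads a compromised workload could reach, transitively, under a policy.

    Each hop is assumed to be able to use anything the policy lets it reach,
    which is the worst case for lateral movement.
    """
    by_name = {w.name: w for w in inventory}
    ports = {r.port for r in policy}
    seen, queue = {start_name}, deque([start_name])
    while queue:
        cur = by_name[queue.popleft()]
        for other in inventory:
            if other.name in seen:
                continue
            if any(is_allowed(inventory, policy, cur.ip, other.ip, p) for p in ports):
                seen.add(other.name)
                queue.append(other.name)
    seen.discard(start_name)
    return seen


def migrate(inventory, name, new_ip):
    """Return a new inventory in which one workload has moved to another address."""
    return [Workload(w.name, new_ip if w.name == name else w.ip, set(w.tags))
            for w in inventory]


if __name__ == "__main__":
    print("web-1 -> app-1:8080 allowed:", is_allowed(INVENTORY, POLICY, "10.0.1.10", "10.0.2.20", 8080))
    print("web-1 -> db-1:5432 allowed: ", is_allowed(INVENTORY, POLICY, "10.0.1.10", "10.0.3.30", 5432))
    print("blast radius of web-1, segmented:", sorted(reachable(INVENTORY, POLICY, "web-1")))
    print("blast radius of web-1, flat:     ", sorted(reachable(INVENTORY, flat_policy(POLICY), "web-1")))
    moved = migrate(INVENTORY, "app-1", "10.0.9.20")   # app-1 relocated to another network
    print("web-1 -> moved app-1 still allowed:", is_allowed(moved, POLICY, "10.0.1.10", "10.0.9.20", 8080))
```

The `reachable` function is the check a defender wants before and after introducing segmentation: under the flat policy a compromised blog node can reach every other workload, while under the tag-based rules it can reach none of the shop tiers. The `migrate` call shows why the column stresses classification over location: an address-based ACL would have to be rewritten when app-1 moves, whereas the tag-based rule keeps applying unchanged.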

This requires a new security model that consolidates threat information across traditional gateways as well as within the virtualized space, and provides consistent policy management, protections, logging and reporting wherever your data goes. By adopting these principles, organizations can start extending the same level of protection that safeguards their physical networks to their virtual networks.

When you figure out what to call the new networking, don’t forget to consider which directions your data travels and how to re-think your security strategy to keep data and resources protected.

Yoav Shay Daniely leads Check Point’s Product Management team for Data Center and Cloud Security. With over 19 years of experience in networking, security and telecom, Yoav has led teams emphasizing customer centricity and technical innovation. Prior to Check Point, Yoav worked for 9 years at Flash Networks, leading the product management team on their main product line of mobile internet services gateway.