Partner Perspectives //

bitdefender

2/23/2017
09:00 AM
Liviu Arsene
Liviu Arsene
Partner Perspectives
Connect Directly
Twitter
LinkedIn
Google+
RSS
50%
50%

How to Secure Hyperconverged Infrastructures & Why It Is Different

The next-generation datacenter requires new security practices, but that doesn't mean everything we learned about datacenter security becomes obsolete.

Securing traditional datacenters used to be all about installing perimeter defenses, such as firewalls, to keep threats away from internal networks. While that was enough a decade ago, today’s next-generation datacenters are prone to advanced attacks from malware and hackers aiming to infiltrate and remain undetected for as long as possible.

Network segmentation using firewalls to protect data and users from cross-contamination can be extremely complicated in large infrastructures and environments. Any form of micro-segmentation increases in complexity as more endpoints are added to a network. Plus, this would require hardware that is not application-aware, and eventually create bottlenecks and performance problems as the network becomes more complicated.

Hyperconverged infrastructures (HCI) that describe software defined datacenters (SDDC) cannot rely on legacy security methods. They need a security model that’s just as flexible as the infrastructure it’s built on. The difference in securing traditional multi-dimensional infrastructures versus converged architectures is that the latter needs a more policy-based approach, intertwining security with applications. Instead of applying a network-based security model, hyperconverged infrastructures require application-based security policies that allow computing instances to communicate with each other, across network segments.

Application-based policies in hyperconverged infrastructures can help reduce complexity and allow security to focus on workloads instead of managing ports, virtual networks and access control lists. Individual computing instances, such as servers, users and workloads, can have security policies that describe their behavior throughout their entire lifecycle. With homogenous software configured for networking, storage and computing running equally across an entire cluster, it’s vital to always know your system’s state and configure alerts for when it changes.

Using more than one hyperconverged vendor helps reduce zero-day exploitation risks that could leave the entire infrastructure vulnerable. Limiting access to control planes for the entire hyperconverged infrastructure is also mandatory, as it helps deny attackers full access to all HCI clusters.

The next-generation datacenter requires new security practices, but that doesn’t mean everything we learned about datacenter security becomes obsolete. Firewalls are still great for securing a datacenter’s network perimeter and network segregation is still recommended. However, these new hyperconverged infrastructures require much more than that, as reducing systems to a single dimension comes with security challenges that need to be addressed.

Liviu Arsene is a senior e-threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.