Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives //

bitdefender

2/23/2017
09:00 AM
Liviu Arsene
Liviu Arsene
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

How to Secure Hyperconverged Infrastructures & Why It Is Different

The next-generation datacenter requires new security practices, but that doesn't mean everything we learned about datacenter security becomes obsolete.

Securing traditional datacenters used to be all about installing perimeter defenses, such as firewalls, to keep threats away from internal networks. While that was enough a decade ago, today’s next-generation datacenters are prone to advanced attacks from malware and hackers aiming to infiltrate and remain undetected for as long as possible.

Network segmentation using firewalls to protect data and users from cross-contamination can be extremely complicated in large infrastructures and environments. Any form of micro-segmentation increases in complexity as more endpoints are added to a network. Plus, this would require hardware that is not application-aware, and eventually create bottlenecks and performance problems as the network becomes more complicated.

Hyperconverged infrastructures (HCI) that describe software defined datacenters (SDDC) cannot rely on legacy security methods. They need a security model that’s just as flexible as the infrastructure it’s built on. The difference in securing traditional multi-dimensional infrastructures versus converged architectures is that the latter needs a more policy-based approach, intertwining security with applications. Instead of applying a network-based security model, hyperconverged infrastructures require application-based security policies that allow computing instances to communicate with each other, across network segments.

Application-based policies in hyperconverged infrastructures can help reduce complexity and allow security to focus on workloads instead of managing ports, virtual networks and access control lists. Individual computing instances, such as servers, users and workloads, can have security policies that describe their behavior throughout their entire lifecycle. With homogenous software configured for networking, storage and computing running equally across an entire cluster, it’s vital to always know your system’s state and configure alerts for when it changes.

Using more than one hyperconverged vendor helps reduce zero-day exploitation risks that could leave the entire infrastructure vulnerable. Limiting access to control planes for the entire hyperconverged infrastructure is also mandatory, as it helps deny attackers full access to all HCI clusters.

The next-generation datacenter requires new security practices, but that doesn’t mean everything we learned about datacenter security becomes obsolete. Firewalls are still great for securing a datacenter’s network perimeter and network segregation is still recommended. However, these new hyperconverged infrastructures require much more than that, as reducing systems to a single dimension comes with security challenges that need to be addressed.

Liviu Arsene is a Global Cybersecurity Researcher for Bitdefender, with a strong background in security and technology. Researching global trends and developments in cybersecurity, he focuses on advanced persistent threats and security incidents while assessing their impact ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We need more votes, check the obituaries.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3317
PUBLISHED: 2021-01-26
KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.
CVE-2013-2512
PUBLISHED: 2021-01-26
The ftpd gem 0.2.1 for Ruby allows remote attackers to execute arbitrary OS commands via shell metacharacters in a LIST or NLST command argument within FTP protocol traffic.
CVE-2021-3165
PUBLISHED: 2021-01-26
SmartAgent 3.1.0 allows a ViewOnly attacker to create a SuperUser account via the /#/CampaignManager/users URI.
CVE-2021-1070
PUBLISHED: 2021-01-26
NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, L4T versions prior to 32.5, contains a vulnerability in the apply_binaries.sh script used to install NVIDIA components into the root file system image, in which improper access control is applied, which may lead to an un...
CVE-2021-1071
PUBLISHED: 2021-01-26
NVIDIA Tegra kernel in Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, all L4T versions prior to r32.5, contains a vulnerability in the INA3221 driver in which improper access control may lead to unauthorized users gaining access to system power usage data, which may lead to...