Partner Perspectives //

bitdefender

2/23/2017
09:00 AM
Liviu Arsene
Liviu Arsene
Partner Perspectives
Connect Directly
Twitter
LinkedIn
Google+
RSS
50%
50%

How to Secure Hyperconverged Infrastructures & Why It Is Different

The next-generation datacenter requires new security practices, but that doesn't mean everything we learned about datacenter security becomes obsolete.

Securing traditional datacenters used to be all about installing perimeter defenses, such as firewalls, to keep threats away from internal networks. While that was enough a decade ago, today’s next-generation datacenters are prone to advanced attacks from malware and hackers aiming to infiltrate and remain undetected for as long as possible.

Network segmentation using firewalls to protect data and users from cross-contamination can be extremely complicated in large infrastructures and environments. Any form of micro-segmentation increases in complexity as more endpoints are added to a network. Plus, this would require hardware that is not application-aware, and eventually create bottlenecks and performance problems as the network becomes more complicated.

Hyperconverged infrastructures (HCI) that describe software defined datacenters (SDDC) cannot rely on legacy security methods. They need a security model that’s just as flexible as the infrastructure it’s built on. The difference in securing traditional multi-dimensional infrastructures versus converged architectures is that the latter needs a more policy-based approach, intertwining security with applications. Instead of applying a network-based security model, hyperconverged infrastructures require application-based security policies that allow computing instances to communicate with each other, across network segments.

Application-based policies in hyperconverged infrastructures can help reduce complexity and allow security to focus on workloads instead of managing ports, virtual networks and access control lists. Individual computing instances, such as servers, users and workloads, can have security policies that describe their behavior throughout their entire lifecycle. With homogenous software configured for networking, storage and computing running equally across an entire cluster, it’s vital to always know your system’s state and configure alerts for when it changes.

Using more than one hyperconverged vendor helps reduce zero-day exploitation risks that could leave the entire infrastructure vulnerable. Limiting access to control planes for the entire hyperconverged infrastructure is also mandatory, as it helps deny attackers full access to all HCI clusters.

The next-generation datacenter requires new security practices, but that doesn’t mean everything we learned about datacenter security becomes obsolete. Firewalls are still great for securing a datacenter’s network perimeter and network segregation is still recommended. However, these new hyperconverged infrastructures require much more than that, as reducing systems to a single dimension comes with security challenges that need to be addressed.

Liviu Arsene is a senior e-threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
To Click or Not to Click: The Answer Is Easy
Kowsik Guruswamy, Chief Technology Officer at Menlo Security,  11/14/2018
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19279
PUBLISHED: 2018-11-14
PRIMX ZoneCentral before 6.1.2236 on Windows sometimes leaks the plaintext of NTFS files. On non-SSD devices, this is limited to a 5-second window and file sizes less than 600 bytes. The effect on SSD devices may be greater.
CVE-2018-19280
PUBLISHED: 2018-11-14
Centreon 3.4.x has XSS via the resource name or macro expression of a poller macro.
CVE-2018-19281
PUBLISHED: 2018-11-14
Centreon 3.4.x allows SNMP trap SQL Injection.
CVE-2018-17960
PUBLISHED: 2018-11-14
CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste.
CVE-2018-19278
PUBLISHED: 2018-11-14
Buffer overflow in DNS SRV and NAPTR lookups in Digium Asterisk 15.x before 15.6.2 and 16.x before 16.0.1 allows remote attackers to crash Asterisk via a specially crafted DNS SRV or NAPTR response, because a buffer size is supposed to match an expanded length but actually matches a compressed lengt...