The news of high-profile targeted data center attacks has dominated security news recently. But data center attacks are even more prevalent than those headlines suggest. In fact, a survey conducted last summer by Network World suggests that 67 percent of data center administrators experienced downtime due to malware and related attacks in the previous 12 months.
A key challenge is that many of today's security solutions are simply not designed for the data center, with limitations in both provisioning and performance. The situation will likely get worse before it gets better as data center traffic grows exponentially and data centers migrate from physical, to virtual, to next-generation environments like Software-Defined Networks (SDN) and Application Centric Infrastructures (ACI).
To deliver the protection data center administrators need – without compromising the performance and functionality that these new data center environments enable – intelligent cybersecurity solutions must address five critical issues:
- Security must be designed for the data center. In the data center, security provisioning must occur in hours or minutes, not days or weeks, and performance must dynamically scale to handle high-volume bursts of traffic. Moreover, administrators need visibility and control over custom data center applications, and not just the web-based applications inspected by traditional Internet edge security devices.
- Security must be part of the data center architecture. Security must be integrated into the data center fabric, not simply sit at the edge, in order to handle not only "North-South" (or inbound and outbound) traffic, but also "East-West" traffic flows and application transactions between devices or data centers.
- Security must adapt as data centers evolve. As data center environments evolve from physical, to virtual, to next-generation SDN and ACI environments, security solutions must provide consistent protection across evolving and hybrid data center models. Deploying an integrated security solution across hybrid data centers – many with multiple hypervisors – allows administrators to focus on data center functionality without being bogged down in complex administrative security tasks.
- Security must address the entire attack continuum. Traditional security approaches offer limited threat awareness and visibility in a data center environment, and instead focus primarily on blocking at the perimeter. As a result, they fail to proactively defend against emerging, unknown threats targeting vulnerable servers, custom applications, and critical data. And because they are almost exclusively defensive tools, they offer virtually no solution for identifying and mitigating attacks that manage to slip past defenses. What's needed is a holistic, threat-centric approach to securing the data center that provides protection before, during, and after an attack, especially for specialized data center traffic and environments.
- Remember that data centers do not exist in a vacuum. Data centers are part of a complex network that extends from remote users and branch offices, across the core, into the data center, and out into the cloud. Any security strategy must understand that the goal of a remote user is not to simply connect to the edge of the network, but to access critical resources – often inside the data center. The best security solutions see and protect the entire network, and are not broken up into discrete solutions that hand off security between isolated solutions along the data path.
Introducing Cisco's latest data center security solutions:
To address the data center security challenge, Cisco has just released two powerful new enhancements to our flagship ASA solutions: the new Cisco Adaptive Virtual Security Appliance (ASAv), and the enhanced performance and provisioning capabilities added to the Cisco ASA 5585-X appliance. These releases make them ideal solutions for today's data center environments.
The all-new Cisco ASAv performs the same functions as any ASA appliance, combined with dynamic scalability and simplified provisioning for virtual environments. It maintains its own data path, which allows it to work with any virtual switch, and it will be available on multiple hypervisors. Its flexible architecture means it can be deployed both as a traditional security gateway and as a security resource for intelligent SDN and ACI environments that can be dynamically stitched directly into the intelligent fabric and application service chains.
The Cisco ASA 5585-X Series Next-Generation Security Appliance has been updated and certified to interoperate with the new Nexus 9000 switches, whether they are deployed in traditional, SDN, or ACI data center environments. It provides advanced clustering capabilities for up to 16 nodes, with 640 Gbps of data center-class performance and best-in-class connections per second, that can be deployed across multiple data centers and managed as a single device.
These solutions, along with our all-new Secure DC Cisco Validated Design (CVD) architecture, are part of the release we announced this week. If you were unable to attend the live event, you can catch the highlights, including SVP Chris Young's keynote, via our Virtual Experience.