Cisco Blogs

Cisco Blog > Security

Best of Times, Worst of Times: Is Virtualization in the Data Center a Problem or an Opportunity?

As I travel the world, I ask my customers two simple questions:

First, are you virtualizing your data center? (Universally the answer is yes.)

Second, have you deployed any virtual security solution? (Universally the answer is no.)

Wow. How can this be? Does a virtual data center not need security? Not a chance. It needs security more than ever. Most customers are confining their virtualized infrastructure into secure zones, or virtual local area networks (VLANs). That’s useful for a first phase, but excessive VLAN segmentation holds us back from achieving the efficiencies of the utility computing model—and it also gets really complicated really quickly.

Read More »

Tags: , ,

Can Workspace-Aware Infrastructure Deliver Better End-User Outcomes?

Yesterday I had the opportunity to sit down with a panel comprised of the following folks here at Cisco Live!  First off, my thanks to Friea Berg (@friea) for creating this opportunity.  Events like Cisco Live are a great venue, but pulling together a group of industry peers to have a meaningful dialog around the challenges our mutual customers face, and how we can better serve them is something that magnifies the impact of these events.  So, yesterday I was lucky to join the following folks: Read More »

Tags: , , , , , , ,

Cisco Live, VXI, and the Challenge of Monday 8:55am

So here we are, Monday at Cisco Live…  Most likely you cut your weekend short to get here on time, or… you fought some insane TSA line-ups and a full-body x-ray scan this morning to squeeze onto an oversold flight.  Regardless, you’re hopefully reading this from the comfort of a quiet, convenient spot you’ve staked out in the Mandalay Bay with a vodka-tonic within arms-reach (well maybe not). Read More »

Tags: , , , , , , , , , ,

Repackage or Reimagine? Virtualization and the Potential for a New Security Regime

I started my professional life using a mainframe. Back then the people running the mainframe world were known as the “data center guys.” These guys had a certain DNA combination that created an expanding waistline, a retreating hairline, a belt buckle the size (and shape) of Texas, and a penchant for big iron. This crowd ruled the data center for a long time, but virtualization in the data center is now driving a radical shift that seems to be changing everything.

Instead of having an application running on a dedicated tower of hardware power, apps are now free from the limitations of the infrastructure underneath. Hardware is evolving rapidly into dynamic blocks of utility computing (and storage and networking) that can be standardized, widely deployed, and efficiently utilized. This change is good news, as it can cut data center costs by 50 percent or more. If the big iron crowd from the mainframe days doesn’t adopt this fundamental shift, they’ll be hanging up their Texas belt buckles in the computer museum next to the punch card, the VAX, and a replica of the ILLIAC.

The same shift is also happening with security. Since most security products are primarily software based, it is not much of an effort to repackage these products as “virtual security.” But merely repackaging security products misses the point. Today’s security architecture was built at a time when the workplace was very different than it is today. End users would come into the office and work on a PC, which sat on a desk and was connected by a wire to a port on the wall. At this time, the IP address was a pretty good proxy for the user’s identity. And applications would each run on their own tower of power—hardware that was often running in a unique data center rack or racks. Therefore segmenting the data center in this era was relatively easy; it was based on IP address ranges and, later, on virtual LANs (or VLANs).

But the workplace of today (and tomorrow) looks very different. We’re no longer tied to a specific lump of hardware. We expect to access our apps in the cloud from any device, at any time, from anywhere. Therefore the IP address is a less useful means of defining data center boundaries.

We need a new capability that allows the security team to maintain its meaningful policy enforcement capability, while enabling that policy to be relevant across all infrastructure—physical and virtual. An important nuance here is that the policy should be consistently enforced across physical infrastructure as well as across virtual infrastructure from any virtualization vendor. This level of enforcement requires special access to the hypervisor. Without this access, a virtual security solution can’t see traffic between two virtual machines (VMs).

How the various security vendors plan to address hypervisor access is still an open question. And how that question gets answered is significant—and is likely to reshape the security vendor landscape.

So as we consider various virtual security solutions, simply repackaging today’s security software as a VM running in a cluster of other VMs is extremely uninteresting. Instead we must reimagine the way that we build and deploy security solutions. How do we bridge the policy model from today’s hardware-based firewalls to the virtual firewalls of tomorrow? How can we maintain a separation of duties, so that security policy definition is separate from traditional network operations? And how will we orchestrate all of these components in the dynamic, nimble data center of tomorrow? These are not small issues. But of course, that’s what makes my job fun.

Tags: , ,

Cisco Live and All-Things-VXI, happening next week!

This is shaping up to be another great outing – as a number of my peers have already highlighted, there is an endless buffet-line of learning opportunities while you’re spending the week with us in Vegas.  This year marks the entrance of the Virtualization Experience Infrastructure (VXI) into the Cisco Live realm, and with it comes my favorite part – the opportunity to meet with customers from across the globe who are coming to this event, armed with the objective of getting the info they need to help get their desktop virtualization initiatives off the ground. Read More »

Tags: , , , , , , , , , , ,