Hyper-converged infrastructure has made significant inroads into organizations of all sizes, yet with all the hype that surrounds HCI, relatively little is said about one of the most important aspects of any data center system: data security. HCI is all about unifying resources into a comprehensive platform. Hyper-converged infrastructure security must be just as unifying and comprehensive as the platform it protects.
Traditional approaches to security tend to focus on perimeters and firewalls, but today's data centers require greater protections as cybercriminals infiltrate networks and take up residence without being detected. Network segmentation and microsegmentation can help mitigate some of these threats, but segmentation can be complex, inflexible and resource-intensive. Data center systems such as HCI require new security models that offer the flexibility necessary to accommodate fluctuating and evolving workloads in the face of heightening security threats.
The HCI challenge
An HCI system, with its virtual machines (VMs) and software-defined resources, comes with a unique set of security challenges that can't be met with legacy security methods alone. Hyper-converged infrastructure security requires a comprehensive, unified approach that can protect resources at the control plane, data plane and management plane.
As is often the case with young technologies, early HCI vendors were more concerned with such issues as automation, deployment and performance than with developing new security models. They relied instead on existing tools to safeguard data. But many security vendors didn't design their tools for HCI, and they lack the flexibility and extensibility necessary to prevent malicious activity across all planes and resource types.
Also, IT teams unfamiliar with HCI technologies can introduce their own security risks by misconfiguring policies or causing other problems that can lead to security holes.
One of the biggest challenges with hyper-converged infrastructure security is that it abstracts the underlying compute, storage and network hardware, resulting in a shared set of services with a common security profile. All it takes is a single root attack to compromise all systems and sensitive data, an event that can go undetected for months.
Securing the HCI environment
To implement a secure HCI system, IT administrators need to understand how the HCI environment works and its impact on their current security tools. If the organization has an established security team, it should bring in members early to help identify possible issues and assess potential solutions.
IT admins must prioritize security from the start, taking into account the need to protect the control, data and management planes. The overarching security strategy must be as agile as the underlying infrastructure and able to accommodate fluctuating resource allocation, on-demand scaling, changing workloads and much more. The goal is to put in place security mechanisms flexible enough to evolve as the platform itself evolves.
With a strategy in place, IT should look for tools designed with hyper-converged infrastructure security in mind. For example, VMware vSAN now provides software-defined encryption that can help make an HCI environment more secure, and Microsoft Hyper-V now supports guarded fabrics and shielded VMs to better protect virtualized environments. In addition, vendors are increasingly offering security products that cover both physical and virtual environments, including HCI platforms. For example, WinMagic's SecureDoc products are now fully validated to support Nutanix HCI systems.
Administrators should also consider a policy-based approach to security that focuses on the applications, rather than on components such as ports, virtual networks or access control lists. This can help simplify the security model and provide the flexibility necessary to accommodate evolving workloads, while enabling security to follow workloads throughout their lifecycles. For example, administrators can create policies that permit specific computing instances to communicate with each other across network segments throughout a development project's lifecycle.
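The following is an added illustration of the application-centric policy idea described above; it is not code from the original article or from any HCI vendor's product. It assumes a hypothetical inventory in which each workload carries labels (app, tier, project) and a current network segment, and it contrasts a label-based policy, which keeps applying after a VM moves between segments, with a segment-based ACL rule, which silently stops matching after the same move.

```python
"""Label-based (application-centric) segmentation versus segment-based ACLs.

Added example; the workloads, labels and policy shapes are hypothetical and
constructed inline so the script runs offline.
"""
from dataclasses import dataclass, field


@dataclass
class Workload:
    name: str
    segment: str                 # current network segment; changes when the VM moves
    labels: dict = field(default_factory=dict)


@dataclass
class Policy:
    """Allow rule expressed in terms of workload labels, not addresses or segments."""
    name: str
    source: dict                 # label selector the initiating workload must match
    destination: dict            # label selector the receiving workload must match
    ports: set                   # destination ports permitted by this rule


def matches(selector: dict, labels: dict) -> bool:
    """True when every key/value in the selector is present in the workload's labels."""
    return all(labels.get(k) == v for k, v in selector.items())


def policy_allows(src: Workload, dst: Workload, port: int, policies: list) -> bool:
    """Default deny: traffic is permitted only if some policy selects both ends and the port."""
    return any(
        matches(p.source, src.labels)
        and matches(p.destination, dst.labels)
        and port in p.ports
        for p in policies
    )


def acl_allows(src: Workload, dst: Workload, port: int, acl: list) -> bool:
    """Traditional rule keyed on (source segment, destination segment, port)."""
    return (src.segment, dst.segment, port) in acl


def scenario() -> dict:
    """Walk a web tier VM through a segment move and record both decisions each time."""
    web = Workload("web-01", "segment-a", {"app": "shop", "tier": "web", "project": "p1"})
    db = Workload("db-01", "segment-b", {"app": "shop", "tier": "db", "project": "p1"})
    crm_db = Workload("db-99", "segment-b", {"app": "crm", "tier": "db", "project": "p2"})

    policies = [
        Policy("shop-web-to-db",
               source={"app": "shop", "tier": "web"},
               destination={"app": "shop", "tier": "db"},
               ports={5432}),
    ]
    # Equivalent intent written as a segment-to-segment ACL entry.
    acl = [("segment-a", "segment-b", 5432)]

    result = {
        "policy_before_move": policy_allows(web, db, 5432, policies),
        "acl_before_move": acl_allows(web, db, 5432, acl),
        # Cross-application and off-port traffic must be denied by default.
        "policy_cross_app": policy_allows(web, crm_db, 5432, policies),
        "policy_wrong_port": policy_allows(web, db, 22, policies),
    }

    # The web VM is rebalanced onto a host in another segment; its labels are unchanged.
    web.segment = "segment-c"
    result["policy_after_move"] = policy_allows(web, db, 5432, policies)
    result["acl_after_move"] = acl_allows(web, db, 5432, acl)
    return result


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:20s} {'ALLOW' if value else 'DENY'}")
```

The decision function never reads the segment field, which is what lets the policy "follow" the workload: after the move the label-based rule still permits the database connection while the ACL entry no longer matches and would need to be rewritten by hand. Both paths deny anything not explicitly selected, so a misplaced label produces a visible denial rather than unintended access.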
Encrypting the entire HCI platform, rather than specific components or workloads, is another option to consider. That protects all data at rest and in motion, while simplifying administrative overhead. Administrators should also ensure that VM files are fully safeguarded, including any backups, in case someone steals a file and tries to execute it on a remote system.
Moving to a hyper-converged infrastructure security model does not mean completely abandoning more traditional approaches to security. Administrators should still ensure that their backup strategies take security into account and continue to use such technologies as firewalls and intrusion detection to protect the network. Organizations might also consider using multiple HCI vendors for different use cases to reduce the risks from zero-day exploits.
Security is still playing catch-up in the HCI industry, but progress continues. Even so, IT teams need to be especially vigilant with HCI because it is such a young technology, with new innovations every day. Administrators must carefully plan how they'll implement security, while taking into account HCI's unique characteristics.