2017 Prediction: The Move Towards Distributed Security Architectures Accelerates

By Nick Tausanovitch | Jan 17, 2017

The rapid evolution of cloud-based data centers to support virtualized services and containerized applications will accelerate in 2017 and beyond. This will necessitate a move away from traditional data center security architectures, which rely mostly on perimeter-based firewalls, to a more distributed security architecture. This is required because in today’s multi-tenant and multi-group environments, individual applications cannot be trusted, the potential for threat injection inside the data center is real, and the resulting damage can be disastrous. To properly protect tenants and application workloads in this “zero-trust” environment, security functions will be distributed and associated with the application workloads directly with fine-grained control. In a virtualized environment, this translates into placing security rules and policies as close to the Virtual Machines as possible, typically in the server itself.

Distributing Security Without Adversely Impacting Performance Is Key to Adoption

While it is currently possible to distribute security rules to the server networking datapath, applying many rules to each packet in real time creates a drag on server performance, and this has limited the adoption of this approach to date. In 2017, new technologies that accelerate the computation of security rules in the server will be available and ready for prime time. One example would be a look-aside accelerator, such as an FPGA in the server, which could partially offload some portions of the security rules processing. Another example would be SmartNIC technology, where the computation of the security rules is done in-line on the network interface card as the packets enter and exit the server. This approach has the added advantage of relieving the server of all security processing, as well as the ability to offload other functions, such as virtual switching, at the same time. As these offload technologies proliferate in 2017, data center architects will be able to move to distributed security enforcement right next to virtual machines and containers without sacrificing server efficiency and performance, which will in turn lead to accelerated adoption.
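To make concrete why the per-packet rule walk is the costly part, and what an offload keeps on the fast path, here is a small constructed model of a stateful policy attached to a single workload's vNIC. It is an illustrative example added to this post, not code from the author or any vendor; the addresses, rules and packets are made up, and the flow table stands in for the state a SmartNIC or accelerator would hold in hardware.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dport: int      # 0 means any destination port
    action: str     # "allow" or "deny"

@dataclass
class WorkloadFirewall:
    """Stateful policy enforced next to one VM/container (constructed model)."""
    rules: list
    flows: dict = field(default_factory=dict)   # 5-tuple -> cached action
    rule_walks: int = 0   # slow path: full rule evaluation per new flow
    fast_hits: int = 0    # fast path: flow-table lookup, what offload keeps cheap

    def _walk_rules(self, src, dport):
        self.rule_walks += 1
        for r in self.rules:  # first match wins, evaluated in order
            if ipaddress.IPv4Address(src) in r.src and r.dport in (0, dport):
                return r.action
        return "deny"         # zero-trust default: nothing implicitly allowed

    def process(self, src, sport, dst, dport, proto="tcp"):
        key = (src, sport, dst, dport, proto)
        if key in self.flows:             # established flow: no rule walk
            self.fast_hits += 1
            return self.flows[key]
        reverse = (dst, dport, src, sport, proto)
        if self.flows.get(reverse) == "allow":
            action = "allow"              # return traffic of an allowed flow
        else:
            action = self._walk_rules(src, dport)
        self.flows[key] = action          # install into the flow table
        return action

def demo():
    # Constructed policy for an app-tier VM at 10.0.2.9: web tier may reach 443, rest of 10/8 denied.
    fw = WorkloadFirewall(rules=[
        Rule(ipaddress.IPv4Network("10.0.1.0/24"), 443, "allow"),
        Rule(ipaddress.IPv4Network("10.0.0.0/8"), 0, "deny"),
    ])
    results = [fw.process("10.0.1.5", 51000, "10.0.2.9", 443) for _ in range(4)]
    results.append(fw.process("10.0.2.9", 443, "10.0.1.5", 51000))  # reply packet
    results.append(fw.process("10.0.3.7", 40000, "10.0.2.9", 22))   # another segment, SSH
    return results, fw.rule_walks, fw.fast_hits

if __name__ == "__main__":
    print(demo())  # six verdicts, then rule walks and fast-path hits
```

Only two of the six packets trigger a rule walk; the rest are served from the flow table, which is the split offload hardware exploits.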

Workload Agility Must Be Maintained

While we have noted that acceleration and offload of security processing will be a key enabler for the adoption of distributed security architectures in 2017, this cannot come at the expense of workload agility. Being able to quickly and easily create, destroy, and migrate workloads is critical to realizing the efficiencies of cloud-based networking. Modern cloud data center architectures typically rely on SDN mechanisms for the management and orchestration of workloads, often leveraging open source environments such as OpenStack for this purpose. As a rule, any acceleration and offload technology for security processing must work seamlessly with, and support the full range of functionality of, common management and orchestration mechanisms. Ideally, the network operator would not even know that an offload mechanism has been employed, just that the network runs faster and application workloads are not being starved for data. The offload and acceleration technologies that will be most successful in 2017 will be the ones that best satisfy these requirements.

Ease of Use and Operational Efficiency Are Critical

Successful solutions in 2017 that enable distributed stateful security architectures to be practically deployed must be easy to install and use. Customers will tend to reject solutions that are not aligned with the open source ecosystem, require custom drivers and software, or are cumbersome to deploy. Solutions that require a great deal of workload-specific hardware and software configuration will be at a disadvantage to solutions that can handle a wide range of workloads with a common hardware and software configuration. The latter types of solutions will enable data center architects to build upon homogeneous server hardware and software infrastructure with little or no restrictions on workload mobility and placement, thus leading to significant simplification of overall operational complexity.

Conclusion

2017 will be an exciting year as data center operators start to practically realize the benefits of distributed stateful security, along with the benefits and cost savings of implementing firewall functions that are tightly coupled to the target workloads. This particular use case will be an area where server-based security acceleration and offload approaches will begin to proliferate as a necessary enabling technology. While multiple vendors will likely be bringing solutions to market, the solutions that maintain maximum flexibility and ease of use will be the ones that gain the most traction.