This blog post is an excerpt from GovLoop’s recent industry perspective, "Securing Converged Infrastructures to Achieve Mission Success."
For more than a decade, federal agencies have deployed virtualization technologies to deliver greater service levels to their programs and maximize utilization of IT resources in data centers. Now, many agencies are bringing converged infrastructures – which combine computing, storage and networking in a single package – into these virtualized environments to simplify IT management and reduce costs. At the same time, federal managers are wondering how they can mitigate risks in these increasingly multi-tenant environments and utilize FedRAMP-compliant technologies to successfully forge a path toward the cloud.
What is Driving the Need for Convergence?
By utilizing infrastructures combining storage, server and networking components along with management software into a single computing package, agencies can reduce the amount of physical hardware required to run their IT operations, as well as power and cooling costs.
What’s more, converged infrastructures can enable faster deployment of workloads, help increase system performance and availability and boost automated operations, resulting in IT that is easier to manage and less costly to own and operate.
As federal data center managers seek to reap the benefits of converged infrastructures, however, they must ensure the security of application and database workloads in the virtualized environments.
Converged infrastructures enable data center managers to consolidate multiple physically stovepiped or independent workloads and host them on the same physical infrastructure.
Although this capability reduces the overall cost of implementing a data center, it comes with the added challenge of securely managing data belonging to different workloads and tenants in a multi-tenant and cloud-based data center environment.
Data center managers must securely isolate tenants at the network, compute and storage layers of these emerging converged infrastructures, and deploy tenant-level encryption that protects against insider threats.
“Increasingly, converged infrastructures are used to host applications from distrustful or competitive program offices in the same virtual environment, and that is driving the need for more fine-grained cybersecurity at the hypervisor level,” said Mark Zalubas, Vice President of Engineering with Merlin International, a provider of system integration services and solutions that help federal agencies overcome challenges and achieve mission success.
Hypervisors, the Security Achilles’ Heel
Virtualization uses software to simulate the existence of hardware and create a virtual computer system. This capability allows organizations to run more than one virtual system – as well as multiple operating systems and applications – on a single server.
A thin layer of software called a hypervisor decouples the virtual machines from the host and dynamically allocates computing resources to each virtual machine as needed. And therein lies the problem.
Putting multiple virtual machines onto a single physical server can be risky. If attackers can penetrate the hypervisor or virtual machine monitor – which is the software that orchestrates the whole virtual environment – they can take control of every virtual machine under its control, and all the data stored on them. After all, a hypervisor is software, and software has vulnerabilities that can be exploited by those with malicious intent.
“With the hypervisor in the mix, you need to secure the overall converged system and place significant emphasis on the fact that these platforms are being shared,” Zalubas said.
“The major intrusion protection and data loss prevention security tools, however, do not reach down into the data center and data center management level to adequately secure converged virtual infrastructures,” said Bill Aubin, Vice President of Federal for HyTrust, a leading provider of workload security solutions for multi-cloud infrastructure.
“There are really a couple of pieces that have to be addressed when you talk about security in a converged or hyper-converged environment. And by pieces, we mean groups of people,” Aubin added.
“First, there is the virtual administrator. Few security technologies reach down to the virtual administrator level and put any controls there,” Aubin noted. “Another area of concern is data geofencing or data sovereignty, where stringent requirements dictate that U.S. government data cannot be stored on servers or systems out of the country. This concern is prevalent now that data is stored in virtual cloud infrastructures. So, agencies want to make sure applications are running in specific places on trusted platforms.”
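A worked illustration of the placement check Aubin describes, added here and not taken from the original post or from any HyTrust product: a fail-closed policy that only schedules a workload on hosts whose asserted country lies inside its data-sovereignty boundary and, where the workload demands a trusted platform, whose platform attestation is both passing and fresh. The host names, the 24-hour freshness window and the attestation fields are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample data: hosts in a converged pool, each tagged with the
# country where it physically sits and the result of its last platform
# attestation (e.g. a measured-boot check). All names are hypothetical.
@dataclass(frozen=True)
class Host:
    name: str
    country: Optional[str]           # None = location never asserted
    attested: bool                   # last measured-boot check passed
    attested_at: Optional[datetime]  # when that check was taken

@dataclass(frozen=True)
class Workload:
    name: str
    allowed_countries: frozenset     # data-sovereignty boundary
    require_trusted_platform: bool

ATTESTATION_MAX_AGE = timedelta(hours=24)  # assumed policy window

def placement_allowed(w: Workload, h: Host, now: datetime) -> Tuple[bool, str]:
    """Decide whether w may run on h; return (verdict, reason).
    Fails closed: anything the host cannot prove counts against it."""
    if h.country is None:
        return False, "host location unknown"
    if h.country not in w.allowed_countries:
        return False, "host in %s, outside allowed boundary" % h.country
    if w.require_trusted_platform:
        if not h.attested or h.attested_at is None:
            return False, "host not attested"
        if now - h.attested_at > ATTESTATION_MAX_AGE:
            return False, "attestation stale"
    return True, "ok"

def eligible_hosts(w: Workload, hosts: List[Host], now: datetime) -> List[str]:
    return [h.name for h in hosts if placement_allowed(w, h, now)[0]]

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
HOSTS = [
    Host("us-east-01", "US", True, NOW - timedelta(hours=1)),
    Host("us-west-02", "US", True, NOW - timedelta(days=3)),   # stale
    Host("eu-central-03", "DE", True, NOW - timedelta(hours=2)),
    Host("lab-04", None, True, NOW - timedelta(hours=1)),      # untagged
    Host("us-east-05", "US", False, None),                     # never attested
]
SOVEREIGN = Workload("case-mgmt-db", frozenset({"US"}), True)
ORDINARY = Workload("public-site", frozenset({"US", "DE"}), False)
```

Running `eligible_hosts(SOVEREIGN, HOSTS, NOW)` leaves only `us-east-01`; the untagged host is refused even for the ordinary workload, since an unknown location cannot satisfy any boundary.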
The move to virtualization as well as private, public and hybrid clouds has been ongoing in the public sector – federal, state and local governments – for nearly a decade. Converged IT infrastructures help agencies grapple with federal mandates to reduce and optimize data centers and migrate to more agile (and hopefully more efficient) cloud environments, as long as they are properly secured.
Agencies looking to migrate to a public, private or hybrid cloud environment while meeting federal security requirements will benefit from a solution and approach that provides enhanced security, reduced cost of ownership and improved scalability.
For more information about securing converged infrastructures, you can find the full industry perspective here.