Rethinking Data Center Security – From an M&M to a Jawbreaker Model


Data Center Security: M&M’s or Jawbreakers?

With the explosion of mobile devices and applications, more and more of our personal data and online interactions are captured, stored, and analyzed. As a result, security and privacy are becoming major issues at the government, corporate, and personal levels. At the same time, a rapid and fundamental transformation is under way as applications and data shift from traditional enterprises to the cloud, and this in turn forces a major change in network security architectures. In a traditional enterprise architecture a perimeter-based security model was sufficient: the ingress and egress points of the internal network were protected, while all internal access and applications within the enterprise were assumed to be trusted. This is the so-called “M&M” security model: hard on the outside but soft on the inside!


The Problem

With the cloud, however, this model breaks down. Cloud providers actually invite their customers, and their customers’ customers, right inside the data center. In a multi-tenant cloud this means customers can spin up their own applications, potentially running on the exact same physical infrastructure as their bitterest competitors or other “hostiles.” Clearly the M&M model is insufficient in this environment; what is required instead is the “Jawbreaker” security model: hard on the outside *and* hard on the inside. The recent Spectre and Meltdown vulnerabilities are a case in point: they are speculative-execution side channels that let code running on shared cloud hardware read memory that the isolation boundary should have kept private, including data belonging to other tenants, so the physical boundary of the data center protects no one inside it. This Great Security Blog explains how to avoid these types of threats using BlueField SmartNICs.

So security is a key part of what is driving virtualization, at both the server and network levels. Server virtualization provides good isolation between applications running on virtual machines (VMs). But this protection of application data comes at a real cost: the security functions that keep VMs apart (virtual switching, per-VM firewalling, encryption of traffic between hosts) are implemented in software in the hypervisor, and that software consumes a large share of the CPU. In other words, the most expensive part of the server, the CPU and memory subsystem, is being consumed by tasks unrelated to the customer application that actually needs to run. The amount of CPU consumed grows dramatically as both data volume and east-west traffic increase, and the problem is exacerbated as VMs give way to containers, which bring an explosion of microservices, more network traffic, and weaker isolation between containers than VMs provide. The result is that many more CPU cycles are consumed delivering distributed security.

Similarly, network isolation is provided by overlay networks, which create virtual layer 2 networks on top of a layer 3 physical underlay (VXLAN is the common example). While this gives good isolation of tenant traffic in a multi-tenant cloud, encapsulating and decapsulating every packet and mapping between logical overlay and physical underlay addresses is again heavy work when it is done in software on the host CPU.

The Solution – Smart Network Accelerators Enable Distributed Security Everywhere

Fortunately both server and network security can be addressed by smart network accelerators within SmartNICs and next-generation Ethernet switches. Networking vendors such as Mellanox are at the forefront of this acceleration technology, delivering scalable, secure solutions that protect an individual’s activities, data, and privacy no matter where a consumer’s digital wanderings may take them. The new BlueField SmartNIC is a great way to achieve comprehensive distributed security without sacrificing application performance.

The functions these accelerators offload come from technologies such as NFV, OVS, VXLAN, and DPDK, with ASAP2 (Accelerated Switching and Packet Processing) moving the OVS data path from host software into the NIC hardware. In many cases these technologies extend core security functions, which used to live only at the hard edge of the M&M model, into the hard interior of the new Jawbreaker security architecture.

This means functions like load balancing, firewalls, address translation, and application delivery control move from edge appliances to distributed software services running on servers throughout the network. Software-only implementations extend and improve the security of data and resources, but at the huge cost of reduced efficiency in the server and storage infrastructure that implements them. Fortunately a new generation of smart network adapters can deliver the needed security in hardware, leaving expensive server CPU resources available to run applications.
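To make the two mechanisms concrete, here is an added worked example in Python (it is not code from this post or from Mellanox): a host-side VXLAN termination point that decapsulates the overlay described earlier and then applies the per-tenant east-west firewall that the Jawbreaker model pushes onto every server. The packet layout follows RFC 7348 (outer IPv4, UDP port 4789, 8-byte VXLAN header, inner Ethernet frame). The tenant table, VM table, allow-lists, MAC addresses and sample packets are constructed for illustration and are not from any real deployment; no checksums are computed.

```python
import struct
import ipaddress

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_VNI = 0x08            # RFC 7348 "I" flag: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP, IPPROTO_TCP = 17, 6


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header: no options, checksum left at zero (constructed sample data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_vxlan_packet(vni, outer_src, outer_dst, src_mac, dst_mac,
                       inner_src, inner_dst, sport, dport):
    """Encapsulate an inner Ethernet/IPv4/TCP SYN: outer IPv4 | UDP 4789 | VXLAN | inner frame."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = (dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
             + ipv4_header(inner_src, inner_dst, IPPROTO_TCP, len(tcp)) + tcp)
    vxlan = struct.pack("!II", VXLAN_FLAG_VNI << 24, vni << 8)   # flags+reserved, VNI+reserved
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner), 0)
    return ipv4_header(outer_src, outer_dst, IPPROTO_UDP,
                       len(udp) + len(vxlan) + len(inner)) + udp + vxlan + inner


def decapsulate(pkt):
    """Parse outer IPv4/UDP/VXLAN and the inner Ethernet/IPv4(/TCP); ValueError if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    if pkt[9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    off = (pkt[0] & 0x0F) * 4
    _, dport, _, _ = struct.unpack_from("!HHHH", pkt, off)
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    off += 8
    flags_word, vni_word = struct.unpack_from("!II", pkt, off)
    if not (flags_word >> 24) & VXLAN_FLAG_VNI:
        raise ValueError("VXLAN I flag not set")
    vni = vni_word >> 8                                   # top 24 bits of the second word
    off += 8
    dst_mac, src_mac = pkt[off:off + 6], pkt[off + 6:off + 12]
    if struct.unpack_from("!H", pkt, off + 12)[0] != ETHERTYPE_IPV4:
        raise ValueError("inner frame is not IPv4")
    off += 14
    proto = pkt[off + 9]
    src_ip = str(ipaddress.IPv4Address(pkt[off + 12:off + 16]))
    dst_ip = str(ipaddress.IPv4Address(pkt[off + 16:off + 20]))
    off += (pkt[off] & 0x0F) * 4
    sport = dport = None
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack_from("!HH", pkt, off)
    return {"vni": vni, "src_mac": src_mac, "dst_mac": dst_mac, "src_ip": src_ip,
            "dst_ip": dst_ip, "proto": proto, "sport": sport, "dport": dport}


# Constructed host state (hypothetical tenants): the VMs this server hosts, keyed by
# (VNI, MAC) because a MAC only has meaning inside its own overlay, plus each tenant's
# east-west allow-list of TCP destination ports. Anything not listed is dropped.
TENANTS = {100: "acme", 200: "globex"}
ACME_WEB_MAC = bytes.fromhex("020000000a01")
GLOBEX_DB_MAC = bytes.fromhex("020000000b01")
CLIENT_MAC = bytes.fromhex("020000000a02")
LOCAL_VMS = {(100, ACME_WEB_MAC): "acme-web", (200, GLOBEX_DB_MAC): "globex-db"}
ALLOW_TCP = {"acme": {80, 443}, "globex": {5432}}


def enforce(pkt):
    """Host-side VTEP plus distributed firewall: return (verdict, reason) for one packet."""
    try:
        p = decapsulate(pkt)
    except (ValueError, struct.error) as exc:
        return ("drop", f"malformed: {exc}")
    tenant = TENANTS.get(p["vni"])
    if tenant is None:
        return ("drop", f"unknown VNI {p['vni']}")
    vm = LOCAL_VMS.get((p["vni"], p["dst_mac"]))
    if vm is None:                         # same MAC in another VNI is a different network
        return ("drop", f"no VM with that MAC in VNI {p['vni']}")
    if p["proto"] == IPPROTO_TCP and p["dport"] in ALLOW_TCP[tenant]:
        return ("allow", f"{tenant}: tcp/{p['dport']} to {vm}")
    return ("drop", f"{tenant}: default deny to {vm}")


def sample_packets():
    """Constructed traffic: a legitimate acme flow, a globex VM aiming at acme's MAC,
    an SSH attempt inside acme's overlay, and a frame that is not VXLAN at all."""
    return {
        "acme_https": build_vxlan_packet(100, "10.0.0.1", "10.0.0.2", CLIENT_MAC, ACME_WEB_MAC,
                                         "192.168.1.10", "192.168.1.20", 40000, 443),
        "globex_to_acme_mac": build_vxlan_packet(200, "10.0.0.3", "10.0.0.2", CLIENT_MAC,
                                                 ACME_WEB_MAC, "192.168.1.99", "192.168.1.20",
                                                 40001, 443),
        "acme_ssh": build_vxlan_packet(100, "10.0.0.1", "10.0.0.2", CLIENT_MAC, ACME_WEB_MAC,
                                       "192.168.1.10", "192.168.1.20", 40002, 22),
        "not_vxlan": bytes([0x45]) + bytes(27),
    }
```

Running `for name, pkt in sample_packets().items(): print(name, enforce(pkt))` shows the three decisions that matter here: the acme HTTPS flow is allowed; the globex packet carrying acme’s web MAC is dropped because the MAC lookup is scoped by VNI, so a tenant cannot reach another tenant’s overlay by guessing addresses; and the SSH attempt inside acme’s own overlay is still dropped by the per-tenant default-deny rule, which is the “hard on the inside” half of the Jawbreaker model. In a software data path every one of these steps (header parsing, VNI lookup, policy match) runs on the host CPU for every packet, which is exactly the work a SmartNIC offload takes over.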

So the network is becoming more important than ever: it enables a distributed Jawbreaker security model while simultaneously allowing cloud and service providers to get full infrastructure efficiency from their server and storage investments.

About Kevin Deierling

Kevin Deierling has served as Mellanox's VP of marketing since March 2013. Previously he served as VP of technology at Genia Technologies, chief architect at Silver Spring Networks, and ran marketing and business development at Spans Logic. Kevin has contributed to multiple technology standards and has over 25 patents in areas including wireless communications, error correction, security, video compression, and DNA sequencing. He is a contributing author of a text on BiCMOS design. Kevin holds a BA in Solid State Physics from UC Berkeley. Follow Kevin on Twitter: @TechseerKD
