Mellanox Turns Zero-Trust to HERO-Trust

Mellanox BlueField empowers zero-trust security solutions  
BlueField

How Mellanox BlueField SmartNIC empowers zero-trust security solutions

From the early days of humanity, trust has been the foundation of social systems and thriving economies. With the development of information science and technology in the 20th century, trust has also played a key role in data security architectures, including cryptography and encryption, certificate creation and management, authentication, and public key infrastructures, among others. However, in the 21st century era of hybrid and multi-cloud computing, trust-based security models alone are incapable of protecting business and personal data.

Zero-Trust in the Datacenter

When it comes to protecting their data, enterprises embracing the cloud face a myriad of challenges. Often scattered across the enterprise data-center and multiple service providers, the perimeters around data are often broken. The added complexities of infrastructure virtualization and levels of attacks make enterprises extremely vulnerable to multiple attack vectors and potential breaches. Finally, the lack of visibility and control is error prone, posing limitations on service providers and enterprises to implement effective security strategies.

The emergent zero-trust architecture model aims to address cloud security challenges. The zero-trust concept guides enterprises not to trust anyone (humans nor machines) around their applications and data and calls for authentication and authorization of every connection attempt, even those originating from allegedly “trusted sources.” Zero-trust is picking up rapidly as many cybersecurity solutions and cloud service providers leverage this new concept to deliver cloud workload protection.

Is Zero-Trust Enough?

In the age of software-defined everything (SDx), networking and security controls have undergone a transformation, and are often delivered at the host-level, including virtual switches, virtual routers, security software agents and more. This transformation creates a twofold challenge—the first being the need to provision network solutions on every host to deliver maximum speed and agility; the second being the need to provision security controls to gain visibility into and enforce a strict security policy on every host. Yet by focusing on the security side of things, how can one protect the host from compromise if the potential attacker, protected data, and security controls all share the same trust domain (the host)?!

There is a saying in cybersecurity, “There are two types of organizations: Those that know they’ve been hacked, and those that don’t know it yet…” As zero-trust takes ground as a prominent cloud security model, enterprises and cloud service providers need to adapt their infrastructures to separate the security controls from the host to realize the full potential of zero-trust in the data-center.

Zero-Trust Approach with Mellanox BlueField Control Plane Isolation

A SmartNIC is a combination of a NIC and a CPU, integrated on the same device. In fact, a SmartNIC is a computer that runs a fully-functioning operating-system and applications, like any other computer in the data-center. Mellanox BlueField is an advanced programmable SmartNIC, delivering industry-leading performance, flexibility and efficiency that enable a wide range of cyber security applications, including resilient micro-segmentation, stateful next-generation firewall, cloud-scale anti-DDoS, and more.

 

The zero-trust approach using Mellanox BlueField SmartNIC

Figure 1: Mellanox BlueField SmartNIC for Cybersecurity Applications

 

Mellanox BlueField SmartNIC integrates the world-leading Mellanox ConnectX® network adapter with a set of Arm processors, addressing performance and security concerns of modern data-centers. Due to its unique form factor and features, BlueField installed in a host acts as a “computer-in-front-of-a-computer,” enabling applications to run on its CPU, fully isolated from the host’s CPU and operating-system. This isolation is key in making BlueField work best for zero-trust security solutions, as it delivers the needed separation of the security controls from the host, while delivering unmatched performance.  In the event a host has been compromised, the separation between the security controls and the compromised host helps stop the attack from spreading further throughout the data-center.

Mellanox BlueField protects the CPU and OS through isolation

Figure 2: BlueField Acts as “Computer in front of a Computer”

 

Mellanox BlueField also addresses those scenarios in which enterprises are reluctant to deploy security control agents directly on their computing infrastructures. Enterprises are looking to gain visibility into workloads and enforce their security policies in the data-center. However, the presence of legacy applications, compliance regulations and DevOps processes, often do not allow for the deployment of agents. The resultant lack of visibility leaves enterprises with infrastructure silos where security policy enforcement cannot be applied. In these scenarios, the deployment of security control agents onto BlueField, fully isolated from the host system, enables enterprises to gain visibility as well as enforce a consistent security policy across their infrastructures. In addition, deploying agents on BlueField also unlocks server performance and is ideal in bare-metal and Kubernetes environments.

Finally, BlueField’s unique design empowers zero-trust security solutions, including “Host-Unaware” solutions that transmit and receive data, while BlueField acts as a bump-in-the-wire for encryption/decryption, or any other type of manipulation. Additionally, a fundamental role of the zero-trust concept is to establish a highly secure access management framework. BlueField can act as a secure platform for key management to deliver secure access management to the host and/or business applications.

Where Performance Matters

For scalable and high-performant workloads, the intelligent ConnectX Ethernet adapters and BlueField SmartNIC both offer accelerated connection tracking performance, powered by Mellanox’s ASAP2 switching and packet processing technology. ASAP2 leverages the adapter ASIC embedded switch capabilities to deliver best of both worlds – the performance and efficiency of bare-metal server networking hardware, with the flexibility of virtual switching software.

ConnectX Ethernet adapters and BlueField SmartNIC offer accelerated connection tracking performance through ASAP2

 

The fully programmable switch (eSwitch) built into the intelligent ConnectX and BlueField SmartNIC, enables both adapters to handle a large portion of the packet processing operations in hardware. Mellanox ASAP2 frees up the CPU from the heavy compute to handle connection tracking, offering superior performance to non-offloaded connection tracking solutions, while delivering the highest total infrastructure efficiency, deployment flexibility and operational simplicity.

Summary

As 2019 continues to roll out, the zero-trust security model will become a priority to enterprise security teams. Why? Zero-trust is the most effective way to reduce risk and has been proven to be highly effective in heterogeneous cloud environments. In today’s software-defined data-centers, hyperconvergence doesn’t stop at the compute and storage functions; it also includes networking and security in the host software stack. Still, zero-trust by itself is not enough to protect business data and applications when the security controls share the same trusted domain as the attacker.

Mellanox BlueField SmartNIC is perfectly positioned to provide functional isolation that eliminates the risk of east-west attacks, enabling a range of cybersecurity applications with best-in-class network performance, and turning zero-trust to HERO-trust!

To learn more about Mellanox intelligent ConnectX and BlueField SmartNIC adapters for cybersecurity applications, visit Mellanox.com

Visit Mellanox at the RSA Conference, March 4-8 where we will be showcasing our award-winning end-to-end Ethernet portfolio including intelligent and smart adapters, switches and cables.

 

About Itay Ozery

Itay Ozery is Senior Product Manager at Mellanox Technologies, driving strategic product management and product marketing initiatives for Mellanox’s cloud networking solutions. Before joining Mellanox, Itay was Sr. Sales Engineer at NICE Systems Ltd., a Nasdaq listed corporation, where he led large-scale business and project in the fields of cyber security and intelligence. Prior to that, Itay held various positions for more than a decade in IT systems and networking with data centers and telecom service providers, where he acquired extensive experience in IT system and network engineering. Itay holds B.A. in Marketing and Information Systems from the College of Management Academic Studies, Israel.

Comments are closed.