Why 'Goldilocks Zone' Of Data Center Security Makes Sense - InformationWeek


Martin Casado & Tom Corn


VMware's networking CTO Martin Casado and security strategist Tom Corn make their case for using virtualization to embed security controls into the very fabric of the data center.

Security has become a top issue for executives, board members, and leaders in both the public and private sector. Growth in security spending has outpaced overall IT spending. It would seem the only things outpacing security spending are security losses. We must rethink our approach.

The needed breakthrough might not be a new box or control, but rather an architectural shift that can vastly improve the efficacy of our controls. At the recent Interop show in Las Vegas, we offered up our vision for what we believe represents the future of data center security. We call the concept the Goldilocks Zone -- using virtualization to embed security controls into the very fabric of the data center.

What is the Goldilocks Zone?
The term Goldilocks Zone was originally coined in astronomy for the band of orbits around a star that is neither too hot nor too cold for liquid water, the place where the conditions a planet needs to support life are simultaneously present. We borrowed it to describe the location for security controls that simultaneously provides context and isolation, the two characteristics required to create a secure information infrastructure.

[Want more from Casado on hypervisor-based security? See VMware Touts Virtualization For Datacenter Security.]

When it comes to instrumenting IT infrastructure with security controls, IT historically had two choices: the network or the host. With those two choices, IT was forced to make a tradeoff between context (visibility into the application layer) and isolation (protection of the control itself).

If IT places controls in the network, there is isolation, but we lack context. Visibility is limited to network telemetry such as IP addresses, ports, and protocols. These were never good proxies for applications, and in modern IT architectures such as the cloud, where workloads are mobile and addresses are reassigned, these network identifiers become even worse. Next-generation firewalls emerged precisely because of this issue.

If IT places controls on the host, we get context about the application, processes, files, and users, but we lack meaningful isolation: if the endpoint is compromised, so is the control, because an attacker who owns the endpoint can tamper with or disable the agent that enforces it. In both cases we also lack ubiquity, a horizontal enforcement layer that places control everywhere.

Virtualization and the broader infrastructure of the software-defined data center provide a unique opportunity to get it all -- isolation, context, and a horizontal layer that provides near-ubiquitous coverage. Through virtualization, organizations can insert security in a location that provides end-to-end coverage, isolation, and the full context of application, user, and data. Moreover, the team can use the infrastructure to respond better to threats in the event of an attack. 
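The context-versus-isolation tradeoff above can be made concrete with a small model. The following Python is an added example written for this page, not VMware's code or anything from the authors; the workloads, addresses, tags and rules are constructed for the illustration. It compares a network-centric rule, which can only identify a workload by address and port, with a rule evaluated at the hypervisor's virtual NIC, where the virtualization layer knows which workload sits behind each address (the context) and keeps that inventory outside the guest (the isolation). When the application workload is redeployed with a new address and its old address is reused by an unrelated VM, the address-based rule both blocks the legitimate traffic and admits the stranger, while the identity-based rule follows the workload.

```python
# Added illustration (not VMware's code): a control that sees only the packet
# header versus one keyed on workload identity held by the hypervisor.
# Every name, address and tag below is constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    host: str
    tags: frozenset  # of (key, value) pairs


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NetworkRule:  # identity inferred from addresses: CIDR src/dst + port
    src: str
    dst: str
    dst_port: int
    action: str


@dataclass(frozen=True)
class ContextRule:  # identity taken from workload tags, not addresses
    src_tags: frozenset
    dst_tags: frozenset
    dst_port: int
    action: str


class Inventory:
    """Hypervisor/management-plane map of vNIC address -> workload. Guests
    cannot edit it, which gives the control the isolation a host agent lacks."""

    def __init__(self, workloads):
        self._by_ip = {w.ip: w for w in workloads}

    def place(self, w):
        self._by_ip[w.ip] = w

    def redeploy(self, w, new_ip, new_host):
        """Mobility: same identity and tags, new address and host."""
        del self._by_ip[w.ip]
        moved = Workload(w.name, new_ip, new_host, w.tags)
        self.place(moved)
        return moved

    def lookup(self, ip):
        return self._by_ip.get(ip)


def network_decision(rules, pkt):
    """Network-centric control: first match on the header wins, default deny."""
    for r in rules:
        if (ip_address(pkt.src_ip) in ip_network(r.src)
                and ip_address(pkt.dst_ip) in ip_network(r.dst)
                and pkt.dst_port == r.dst_port):
            return r.action
    return "deny"


def context_decision(rules, inv, pkt):
    """vNIC-level control: resolve both ends to workloads, then match on tags.
    An address the inventory does not know is denied."""
    src, dst = inv.lookup(pkt.src_ip), inv.lookup(pkt.dst_ip)
    if src is None or dst is None:
        return "deny"
    for r in rules:
        if (r.src_tags <= src.tags and r.dst_tags <= dst.tags
                and pkt.dst_port == r.dst_port):
            return r.action
    return "deny"


def tags(**kv):
    return frozenset(kv.items())


def scenario():
    """Constructed scenario: a billing app reaches its database on 5432; the app
    is then redeployed with a new IP and its old IP is reused by a scratch VM."""
    app = Workload("billing-app-1", "10.0.2.5", "esx-a", tags(tier="app", app="billing"))
    db = Workload("billing-db-1", "10.0.3.7", "esx-b", tags(tier="db", app="billing"))
    inv = Inventory([app, db])
    net_rules = [NetworkRule("10.0.2.5/32", "10.0.3.7/32", 5432, "allow")]
    ctx_rules = [ContextRule(tags(tier="app", app="billing"),
                             tags(tier="db", app="billing"), 5432, "allow")]
    out = {}
    first = Packet(app.ip, db.ip, 5432)
    out["net_before"] = network_decision(net_rules, first)
    out["ctx_before"] = context_decision(ctx_rules, inv, first)

    moved = inv.redeploy(app, "10.0.2.50", "esx-c")
    scratch = Workload("scratch-1", "10.0.2.5", "esx-a", tags(tier="dev", app="sandbox"))
    inv.place(scratch)
    legit = Packet(moved.ip, db.ip, 5432)
    reused = Packet(scratch.ip, db.ip, 5432)
    out["net_moved_app"] = network_decision(net_rules, legit)       # legitimate traffic now denied
    out["net_ip_reuse"] = network_decision(net_rules, reused)       # stranger inherits the allow
    out["ctx_moved_app"] = context_decision(ctx_rules, inv, legit)  # policy follows the workload
    out["ctx_ip_reuse"] = context_decision(ctx_rules, inv, reused)  # wrong tags, denied
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:14} {v}")
```

Running it prints six decisions; the two `net_*` results after the move are the failure mode the article attributes to address-and-port telemetry. A real distributed firewall would evaluate `context_decision` at every vNIC rather than at a choke point, which is the ubiquity the following section discusses.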

The importance of ubiquity
The traditional data center security architecture remains perimeter-centric, with the majority of data center security investment spent on the north-south boundary, the traffic entering and leaving the data center. Why? Because putting security inside the data center turns out to be extremely difficult. On the perimeter you have a few egress points. Inside the data center, you have a complex web of east-west data paths between workloads. The more controls you use, the more complex a distributed policy problem you have. The fewer controls you use, the more choke points you create through which that east-west traffic must be hairpinned.

Inside the Goldilocks Zone, however, we get unparalleled ubiquity. In a software-defined data center, virtualization is at the nexus of computing,

Tom Corn is vice president of security strategy at VMware. Martin Casado, VMware CTO of networking, has worked as a specialist in network security for US intelligence agencies.

Martin Casado is Chief Technology Officer for Networking at VMware. He is the former co-founder and CTO of Nicira, which VMware acquired in 2012. He received his PhD from Stanford University in 2007, where his dissertation work led to the creation of the ...
Charlie Babcock
6/16/2014 | 3:24:53 PM
Let's pursue the 'not too hot, not too cold' security zone
The notion of a "Goldilocks zone" that's not too hot, not too cold and isn't stuck on the perimeter of the enterprise is worthy of more discussion. I think it's too easy to dismiss the idea of hypervisor-based security as simply another by VMware in its own interest. If it's a strong vantage point -- which it is -- then it's in everyone's interest to see how security could function there.