Mar 03, 2011

Securing the High Performance Cloud

by Pam O'Neal

UPDATE: BreakingPoint's Application Load Evaluation Service is now available to help you properly test cloud and virtualized infrastructures.

Striking a balance between performance and security has always presented a tightrope walk for IT professionals charged with securing enterprise networks and data centers. Veer too far toward performance, and you open yourself up to a DDoS attack that will bring performance to a standstill. Lock security down too tight, and you risk blocking functionality or frustrating users who have come to demand low latency.

Navigating this tightrope has been difficult enough; add virtualization to the mix, and you’re now walking a tightrope in the dark. Security threats, heavy user load, infrastructure changes, and compliance requirements still come at you from all angles — only now they do it within a dynamically changing infrastructure. We’ve addressed these cloud testing challenges — and how virtualized infrastructures and dynamic provisioning complicate matters — before here on the BreakingPoint blog.

Johnnie Konstantas, a Vice President in Juniper’s Cloud Security Solutions group, elaborated on the multi-layered issues brought about by virtualization in a presentation on cloud security in the BreakingPoint theater at the RSA Conference 2011. Her tutorial illustrated how virtualization presents roadblocks to visibility and compliance in the data center, and provided examples of how security controls can be tested and deployed effectively to allow companies to harden infrastructure and demonstrate compliance — while maintaining high performance and stability.

Virtualization and Visibility: Mutually Exclusive?

Konstantas explained that the challenges of cloud security start at the structural level. In a virtualized environment, many of the old rules for connecting equipment no longer apply. While virtualization delivers significant cost savings to the enterprise, it also comes with its own price tag. In particular, virtualization substantially inhibits the ability to secure traffic between servers, because the infrastructure has been fragmented into virtual machines (VMs). As Konstantas illustrated with the following graphic, traditional security devices have no visibility into the traffic between VMs:

Secure Cloud Infrastructure

But that’s just the beginning. In a virtualized setting, you also have servers with different “trust levels” combined on the same platform. For example, some end-user devices that access your virtualized environment — think of a field rep’s smartphone or laptop — behave in high-risk ways, connecting to other networks and computers of widely varying trust levels. These high-risk end-user devices are brought right into the heart of the data center as they access cloud services.

The goal for IT staff in keeping these infrastructures running is to enable the cloud and its benefits, while retaining adequate controls and ensuring compliance — which is difficult to do without visibility in an ever-changing environment. Data center operators must apply the right security provisions in a dynamic environment, because changes to VMs happen several times a day as the virtualized system automatically re-provisions resources.

Ensuring a Secure Cloud Infrastructure, In Advance and In Production

Konstantas advised presentation attendees to address these challenges with a hypervisor-based security approach, which uses virtual firewalls embedded within the virtualization platform. This gives data center operators “X-ray” level knowledge about each VM through a process called VM Introspection. The point is to enable effective security for virtual environments while maintaining enough flexibility that end users can get their jobs done. This approach emphasizes:

  • Visibility — with a full view of all the applications flowing between VMs and how they are used
  • Compliance — to ensure enforcement of corporate and regulatory policies, especially regarding trust zones inside the virtual environment
  • Control — via policies that define which ports, protocols, destination VMs, and so on should be allowed
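The control point above, policies that say which ports, protocols and destination VMs a source VM may reach, is easiest to see as a small zone-based allow-list. The following script is an added illustration and is not Juniper's or BreakingPoint's code: the VM names, trust zones, rules and sample flows are all constructed. Each VM is mapped to a trust zone, rules are keyed on (source zone, destination zone, protocol, destination port), and any flow that matches no rule, including one from a VM the inventory has never seen, is denied and reported with the reason, so a gap in the policy surfaces as a denied flow rather than silently passing between VMs.

```python
"""Zone-based inter-VM traffic policy check.

Added illustration, not Juniper's or BreakingPoint's code: it models the kind
of rule a hypervisor-embedded virtual firewall enforces between VMs. Every VM
belongs to a trust zone, rules are allow-list entries keyed on source zone,
destination zone, protocol and destination port, and any flow that matches
no rule is denied and reported, so a policy gap shows up as a denied flow
rather than silently passing.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventory (hypothetical VM names): VM -> trust zone.
VM_ZONES: Dict[str, str] = {
    "web-01": "dmz",
    "web-02": "dmz",
    "app-01": "app",
    "mail-01": "app",
    "db-01": "data",
    "fieldrep-laptop": "untrusted",  # end-user device reaching into the data center
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dst_port: int


# Constructed allow-list. Anything not matched here is dropped (default deny).
RULES: List[Rule] = [
    Rule("untrusted", "dmz", "tcp", 443),   # users reach the web tier over HTTPS only
    Rule("untrusted", "app", "tcp", 993),   # users reach the mail server over IMAPS
    Rule("dmz", "app", "tcp", 8080),        # web tier calls the application tier
    Rule("app", "data", "tcp", 5432),       # application tier talks to the database
]

Flow = Tuple[str, str, str, int]  # (src_vm, dst_vm, proto, dst_port)


def evaluate(src_vm: str, dst_vm: str, proto: str, dst_port: int,
             rules: List[Rule] = RULES, zones: Dict[str, str] = VM_ZONES) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow between two VMs."""
    src_zone, dst_zone = zones.get(src_vm), zones.get(dst_vm)
    if src_zone is None or dst_zone is None:
        # A VM the policy has never seen (e.g. freshly re-provisioned) gets no access.
        return "deny", "VM not in inventory"
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto, r.dst_port) == (src_zone, dst_zone, proto.lower(), dst_port):
            return "allow", f"{r.src_zone}->{r.dst_zone} {r.proto}/{r.dst_port}"
    return "deny", f"no rule for {src_zone}->{dst_zone} {proto.lower()}/{dst_port}"


def audit_flows(flows: List[Flow], rules=RULES, zones=VM_ZONES) -> List[Tuple[Flow, str, str]]:
    """Evaluate a batch of observed flows; returns (flow, verdict, reason) per flow."""
    return [(f, *evaluate(*f, rules=rules, zones=zones)) for f in flows]


def denied_flows(flows: List[Flow], rules=RULES, zones=VM_ZONES) -> List[Tuple[Flow, str]]:
    """The flows an operator wants to review: everything the policy blocked, and why."""
    return [(f, reason) for f, verdict, reason in audit_flows(flows, rules, zones) if verdict == "deny"]


# Constructed sample of inter-VM flows as a virtual firewall might observe them.
SAMPLE_FLOWS: List[Flow] = [
    ("fieldrep-laptop", "web-01", "tcp", 443),   # normal user access
    ("web-01", "app-01", "tcp", 8080),           # web -> app
    ("app-01", "db-01", "tcp", 5432),            # app -> database
    ("fieldrep-laptop", "db-01", "tcp", 5432),   # user device straight to the database
    ("web-02", "db-01", "tcp", 5432),            # web tier bypassing the app tier
    ("web-01", "web-02", "tcp", 22),             # intra-zone SSH with no rule for it
    ("new-vm-7", "db-01", "tcp", 5432),          # VM missing from the inventory
]

if __name__ == "__main__":
    for flow, verdict, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}  ({reason})")
```

The three "deny" results at the end of the sample are the ones worth a second look in a real environment: an untrusted end-user device reaching straight for the database, a web VM skipping the application tier, and a VM that was re-provisioned without being added to the policy's inventory. Treating the inventory miss as a denial rather than an allow is what keeps the dynamic re-provisioning the post describes from quietly opening new paths.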

This advice on virtualization security and performance goes hand in hand with BreakingPoint’s message about data center resiliency. Juniper’s technology gives data center operators granular control over users, applications, access privileges, and so on in the production environment. BreakingPoint’s recently debuted Data Center Resiliency Score, which runs on our Cyber Tomography Machines, allows those same enterprise IT professionals to gain X-ray-like visibility into the resiliency of data center environments in the pre-production stage. That way, you can see for yourself precisely how virtualized environments will support users once deployed. With it, you can understand, among other things:

  • The impact of turning on security
  • The ramifications of different security policies
  • How to optimize VM configurations
  • How well different configurations support different application types
  • The latency and performance of application delivery infrastructure (ADI) components such as load balancers

Here is an image showing the score itself, which presents performance and configuration information:

Data Center Resiliency Score

In this example, the virtualized data center being validated can support 4,030 users accessing Web, database, and mail servers. The diagram below shows the impact of a certain mix of conditions on data center resiliency at a more granular level:

Data Center Resiliency Score graph

Notice how the transaction success percentage (the bright green line) drops off sharply about 17 seconds into the scoring process — when the load of simulated users became too much to handle for the data center being validated. That kind of advance insight into how a cloud implementation will handle particular applications, configurations, and levels of traffic allows data center operators to tune their environments for an optimal balance of performance, security, and stability — or resiliency — before cloud services are rolled out to staff or customers.
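To make the graph's reading concrete, here is an added example, not BreakingPoint's scoring code, of how a ramp-up load test's per-second samples turn into the transaction success curve and how the "breaking point" is located from it. The ramp generator is constructed: it adds a fixed number of simulated users each second and models a data center that can complete transactions for at most a set number of users per second, with the rest timing out. Its capacity parameter of 4,030 users and the resulting drop-off at second 17 are chosen to mirror the post's example, not measured anywhere. The analysis function is the general one: it reports the first second the success rate falls below a threshold and the largest user count sustained before that.

```python
"""Locate the load level at which transaction success collapses.

Added illustration, not BreakingPoint's scoring code: it takes per-second
samples from a ramp-up load test (simulated users, transactions attempted,
transactions succeeded), turns them into the success percentage curve the
post's graph shows, and reports the first second the curve falls below a
threshold together with the largest user count sustained before that.
The ramp generator is constructed; its capacity of 4,030 users mirrors the
post's example and is not a measurement.
"""
from typing import List, NamedTuple, Optional, Tuple


class Sample(NamedTuple):
    second: int
    users: int
    attempted: int
    succeeded: int


def success_pct(s: Sample) -> float:
    """Transaction success as a percentage; an idle second counts as fully healthy."""
    return 100.0 if s.attempted == 0 else 100.0 * s.succeeded / s.attempted


def ramp_test(seconds: int = 30, users_per_second: int = 250,
              capacity: int = 4030, tx_per_user: int = 2) -> List[Sample]:
    """Constructed ramp: the user count grows linearly each second; the modelled
    data center completes transactions for at most `capacity` users per second
    and the remainder time out, so success drops once the ramp passes capacity."""
    samples = []
    for t in range(1, seconds + 1):
        users = users_per_second * t
        attempted = users * tx_per_user
        succeeded = min(users, capacity) * tx_per_user
        samples.append(Sample(t, users, attempted, succeeded))
    return samples


def find_breaking_point(samples: List[Sample],
                        threshold_pct: float = 99.0) -> Optional[Tuple[int, int]]:
    """Return (second, users_sustained): the first second whose success rate is
    below `threshold_pct`, and the highest user count handled before that second
    without breaching it. None means the run never degraded, i.e. the ramp did
    not go far enough to find the limit."""
    sustained = 0
    for s in samples:
        if success_pct(s) < threshold_pct:
            return s.second, sustained
        sustained = max(sustained, s.users)
    return None


def curve(samples: List[Sample]) -> List[Tuple[int, float]]:
    """(second, success %) pairs: the data behind the green line in the post's graph."""
    return [(s.second, round(success_pct(s), 1)) for s in samples]


if __name__ == "__main__":
    run = ramp_test()
    for sec, pct in curve(run):
        print(f"t={sec:2d}s users={run[sec - 1].users:5d} success={pct:5.1f}%")
    print("breaking point:", find_breaking_point(run))
```

With the constructed defaults the curve stays at 100% through second 16 (4,000 users) and falls to about 94.8% at second 17, so `find_breaking_point` returns `(17, 4000)`. The same function applied to samples exported from a real test gives the number the post is after: the user load a given configuration sustains before transactions start failing, measured before anyone depends on it.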

Only by gaining greater insight into the actual workings of virtualized environments — before deployment and in production — can data center operators maintain their footing as they walk the virtualization tightrope.
