Adaptive Segmentation, micro-segmentation

September 28, 2015

Data Center Security and Quantum Foam

PJ Kirner, CTO and Founder

It’s clear that data centers are becoming more dynamic and distributed. This trend is accelerating as businesses try to be more agile, and as DevOps teams shape a whole new way of developing and deploying applications. One of the trends I have been watching closely, which plays into this data center agility, is container technology. There is a lot of this technology out there and it comes in various forms (LXC, Docker, Rocket, Hyper-V containers, etc.), and there are lots of challenges in deploying containers, connecting them,[1][2] securing them, and segmenting them.

Tobi Knaup, the CTO of Mesosphere, is one of the thought leaders in this area. When he described Mesos and the DCOS product that Mesosphere is offering, what made so much sense to me was taking a broader and holistic data center view rather than just the bottom-up container view. Docker is another company that is defining the new era of dynamic computing, and leading the move from monolithic software architectures to distributed applications.

I realized it is not just containers, but an entire ecosystem enabling microservices architectures and other newer application architectures that the DevOps movement is championing. This perspective was one of the keys to increased agility, and it was these ecosystems that were going to usher in another large step in the trend toward the dynamic and distributed data center.

In talking to more than a hundred enterprises over the past few years, I've realized that data centers and the teams that operate them are at different stages on this “Curve of Data Center Agility.” Some are just beginning to wrestle with this change, while those on the other extreme are holding on to the wild ride, trying to keep up with the pace of change and hoping to not have a breach. Some are figuring out how these new application architectures fit into their organization’s development life cycle, some are changing how development is done and are now working to bring these changes into production securely.

But overall, what is that change going to look like? What are the key principles that are going to accelerate and challenge us? When thinking about it, I remembered back to my time at Cornell when I needed to choose where to focus my studies. The two disciplines that I enjoyed immensely were computer science and physics. Computer science obviously won out, but I still love reading and learning about theories in physics. Trying to deeply understand the changes that have been occurring in the data center over the past decade, from the physical, to the virtual, to the cloud, to the microservice and container, made me think of quantum foam.

Quantum foam (also referred to as space-time foam) is a concept in quantum mechanics devised by John Wheeler in 1955. The foam is conceived as the foundation of the fabric of the universe. What we see as a completely smooth, flat surface at the macro/human scale gives way to a very different picture at the subatomic level: a turbulent "foam" where things are constantly being created and destroyed. Sounds like the direction our data centers are moving in, huh?

This new, agile data center gives us unprecedented savings in cost and operational efficiency. However, it also comes with challenges and principles that need to be understood.

Embrace the increasingly ephemeral nature of workloads. Workloads pop into and out of existence just as particles do in the quantum foam. As application developers take advantage of the infrastructure that enables the agile data center, security needs to be dynamic enough to keep up with this constant change. Thinking about security no longer means thinking in packets or flows processed per second; it now means thinking in terms of the constant change of those workloads.

Workloads are shrinking and therefore becoming more numerous. With lightweight containers, we can now fit more logical workloads onto a physical server node. Developers are building applications with more moving parts, and this is changing the landscape of security. In some ways, containing small functions means less attack surface, less to patch, and less to get wrong for that specific function; but when there are more functions making up a working application, the system as a whole has much more complexity: more to understand and grok for the developers and the operations team, and more for the security team to secure.

Everywhere all the time. With technologies like Docker that enable distributed applications for developers and IT, and systems that treat a large set of server nodes in a data center as a uniform compute resource, like Mesosphere’s DCOS, workloads can show up on any server at any time. In addition, things can be mixed and matched in various combinations, combining applications, roles, and even environments in ways that were never done before, opening up the data center to new forms of attacks. Security systems for this new generation of data centers must be prepared in a proactive way, be able to deal with workloads appearing anywhere at a moment's notice, and be ready to attest and provide security services.

Illumio was purpose-built to secure the data center and cloud anywhere, on anything (container, bare metal, VM). Our software-based Adaptive Security Platform (ASP)™ fuses security into the continuous application development and delivery process anywhere applications reside. It is analogous to quantum foam, designed as the fabric, the foundational element, of security for applications. Illumio ASP enables one security architecture that works across data centers and the private and public cloud, free from any dependencies on the network or hypervisor. Security is finally free to move with and adapt to dynamic computing such as Mesosphere and Docker.

The new data center has been growing in terms of volume, with the sheer number of workloads steadily increasing, and this scale has been putting pressure on security systems for quite some time. But the most important challenge is the velocity of change in the data center. This is the key change for security experts to grapple with: what does security mean when things are in a constant state of flux? Start asking yourself what this means for your organization.
