In the area of data center construction, there is still plenty of room left for innovation. In particular, the industry is trending towards constructing software-defined data centers (SDDC).
For those of you unfamiliar with the acronym SDDC, Webopedia states the following:
Software-defined data center (SDDC) is the phrase used to refer to a data center where all infrastructure is virtualized and delivered as a service. Control of the data center is automated by software – meaning hardware configuration is maintained through intelligent software systems. This is in contrast to traditional data centers where the infrastructure is typically defined by hardware and devices.
In addition, the University of Wisconsin’s WISDoM program (SDDC-specific research of which my company is a sponsor), calls out “deep programmability” as the defining characteristic of an SDDC. This term brings to mind a vision of 100% software control of servers, network, storage, and security. This control enables more fluid and immediate data center management.
The approach to constructing data centers tends to fall into three categories:
- The customer (e.g. a service provider) selects components (e.g. servers, network, storage, security, management) from a variety of vendors and proceeds to build it themselves. In this case the customer typically has a group of smart system-level architects that have the skills necessary to plug the components together.
- The customer limits their component selection to products that are proven to work together. In this case the customer might rely on a partner to help them construct the data center (based on the partner’s knowledge of product interoperability).
- The customer purchases pre-packaged converged data center infrastructure.
For a deeper dive into these three approaches on data center design, I recommend reading Chuck Hollis.
Given these three approaches, in which area(s) is innovation most needed by customers? What topics will be of the most concern?
I would argue that this topic is security, and the areas most in need are approaches #1 and #2. To make this point it helps to first explore the security benefits of approach #3.
A converged infrastructure, by nature, has less component choice and fewer moving parts. As such, its security feature set and resilience to attack are higher, due to the continued hardening of the components working together. The converged VCE data center collateral, for example, contains a document that describes security best practices across compute, network and storage (see the diagram on page 10 of the document). Another example of the benefits of a converged infrastructure is the use of security analytics as a new approach to protecting a data center. All components can contribute data (firewall events, network segment and network traffic information, operating system logs, storage system and asset data, etc.) into one analytic repository. The analytics that run over this repository can detect and shut down intrusions more rapidly than ever before.
For customers that are building data centers with a high security profile (e.g. a bank), the default answer is typically to use this third approach (converged infrastructure). They will run a bake-off among multiple vendors of converged infrastructure and choose the one with the highest degree of integrated security.
But where does that leave the customers using the other two approaches? How can they secure their data center to the highest degree possible when mixing and matching components? What are the options when one area (e.g. the server) has strong security features, while another (e.g. an off-the-shelf file system product) has weaker (or unknown) characteristics?
The good news here is that innovation is occurring in this area, and the industry is moving towards a technology known as virtualization security inlays.
Virtualization Security Inlays Defined
A picture is worth a thousand words, and virtualization inlays are best defined via a graphical depiction of our SDDC definition (all data center components have a virtualization layer).
An SDDC has the characteristic that all aspects have been virtualized and are addressable/controllable via software APIs. The example above shows how the selection of a highly-secure server environment is negated by the selection of a weakly-secured storage layer. The overall security strength of the SDDC is questionable and unknown.
Many have argued that the virtualization layer is a bane in the area of security. It can serve as a concentrated area of focus for attackers. It is often accompanied by a new piece of software known as a controller. As SDDC evolves, these controllers are new and therefore more vulnerable than other, more hardened pieces of the SDDC stack.
However, the foundational position of the virtualization layer in the SDDC stack can also bring great security benefits. RSA Labs Chief Scientist Ari Juels puts it this way:
Given its foundational position in the software stack, the virtualization substrate is an excellent deployment locus for both new and traditional security tools. It offers the benefits of elevated security privilege, comprehensive workload introspection, and transparent service injection. We use the term inlay to denote a security tool embedded within the virtualization substrate.
IRIS
This insight led to some deep research into the “strong versus weak” problem. The resulting innovation, known as Iris, represents a new direction for the industry. When the trustworthiness of one virtualization layer doesn’t match that of its companion (e.g. the example above), the stronger virtualization layer can be augmented with a security inlay that, according to Dr. Juels, essentially grants “freshness, integrity, and reliability assurances” to the weaker party (e.g. the outsourced file system).
The following diagram depicts Iris embedded as a security inlay in the virtualization layer:
It should be noted that the Iris approach can be deployed either within or with the support of a virtualization layer (e.g. a hypervisor).
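To make the "strong layer vouching for a weak layer" idea concrete, here is an added Python example. It is an illustration written for this post, not Iris code and not an EMC implementation: a trusted inlay that persistently holds only a MAC key and a monotonic version counter authenticates an untrusted block store using a Merkle tree and a MAC-bound version record, so that both silent modification of a block and a rollback of the whole store to an older (internally consistent) state are detected. The block count, key, class names and the "ledger" sample data are all constructed for the example.

```python
"""Toy security inlay over an untrusted block store (illustrative, not Iris)."""
import hashlib
import hmac

BLOCK_COUNT = 8  # constructed toy volume; power of two keeps the tree simple


def h(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 so (a, b) and (a+b, '') never collide."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big"))
        d.update(p)
    return d.digest()


def leaf(idx: int, data: bytes) -> bytes:
    return h(b"leaf", idx.to_bytes(4, "big"), data)


def root_from_path(idx: int, data: bytes, path) -> bytes:
    """Recompute the Merkle root from one leaf and its sibling hashes."""
    node, pos = leaf(idx, data), idx
    for sibling in path:
        node = h(sibling, node) if pos & 1 else h(node, sibling)
        pos //= 2
    return node


class UntrustedStore:
    """The weak layer (e.g. an outsourced file system). Nothing here is trusted:
    blocks may be altered, or the whole store replayed from an old snapshot."""

    def __init__(self):
        self.blocks = [b""] * BLOCK_COUNT
        self.meta = None  # (version, root, mac) record written by the inlay

    def read(self, idx: int):
        """Return a block plus its Merkle authentication path (computed by the server)."""
        level = [leaf(i, b) for i, b in enumerate(self.blocks)]
        path, pos = [], idx
        while len(level) > 1:
            path.append(level[pos ^ 1])
            level = [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            pos //= 2
        return self.blocks[idx], path

    def snapshot(self):
        return list(self.blocks), self.meta

    def restore(self, snap):  # attacker-controlled rollback of blocks and metadata
        self.blocks, self.meta = list(snap[0]), snap[1]


class IntegrityError(Exception):
    pass


class FreshnessError(Exception):
    pass


class Inlay:
    """Trusted side. Its only persistent trusted state is a MAC key and a version
    counter; the Merkle root lives in the untrusted store, bound to the version by a MAC."""

    def __init__(self, store: UntrustedStore, key: bytes):
        self.store, self.key, self.version = store, key, 0
        data, path = store.read(0)
        self._publish(root_from_path(0, data, path))

    def _mac(self, version: int, root: bytes) -> bytes:
        return hmac.new(self.key, version.to_bytes(8, "big") + root, hashlib.sha256).digest()

    def _publish(self, root: bytes):
        self.store.meta = (self.version, root, self._mac(self.version, root))

    def _trusted_root(self) -> bytes:
        version, root, mac = self.store.meta
        if not hmac.compare_digest(mac, self._mac(version, root)):
            raise IntegrityError("metadata record forged or corrupted")
        if version != self.version:  # genuine but stale record: a rollback
            raise FreshnessError(f"store presents version {version}, counter is {self.version}")
        return root

    def read(self, idx: int) -> bytes:
        root = self._trusted_root()
        data, path = self.store.read(idx)
        if root_from_path(idx, data, path) != root:
            raise IntegrityError(f"block {idx} does not match the authenticated root")
        return data

    def write(self, idx: int, data: bytes):
        root = self._trusted_root()
        old, path = self.store.read(idx)
        if root_from_path(idx, old, path) != root:
            raise IntegrityError(f"block {idx} was modified before the write")
        self.store.blocks[idx] = data
        self.version += 1  # old metadata can never verify again
        self._publish(root_from_path(idx, data, path))  # siblings unchanged, same path


def demo() -> dict:
    """Constructed scenario: honest round trip, then tampering, then rollback."""
    store = UntrustedStore()
    inlay = Inlay(store, key=b"constructed-demo-key")  # constructed key
    inlay.write(3, b"ledger v1")
    results = {"roundtrip": inlay.read(3)}
    snap = store.snapshot()
    store.blocks[3] = b"ledger v1 (altered)"  # weak layer silently changes data
    try:
        inlay.read(3)
        results["tamper"] = "missed"
    except IntegrityError:
        results["tamper"] = "detected"
    store.restore(snap)
    old = store.snapshot()
    inlay.write(3, b"ledger v2")
    store.restore(old)  # replay a self-consistent but stale state
    try:
        inlay.read(3)
        results["rollback"] = "missed"
    except FreshnessError:
        results["rollback"] = "detected"
    return results
```

The point of the split in state is the one Dr. Juels makes: the weak layer keeps all the bulk (blocks, authentication paths, even the root), while the strong layer needs only a secret and a counter to decide whether what it is handed is both intact and current. A forged block or metadata record fails the Merkle or MAC check (integrity); an old record that still verifies fails the counter comparison (freshness).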
For those innovation fans out there, you might be wondering: where did this idea come from? How did it move from idea to implementation? How can I get more details about the implementation? Fortunately, Dr. Juels has published a recent post with more detail about the Iris approach.
Throughout 2013 I plan to discuss emerging areas of innovative research that will have similar impact on the industry.
Steve
Twitter: @SteveTodd
EMC Fellow