Listen to the Podcast

ShareThis

While borderless networks offer productivity improvements allowing work to follow individuals, IT leaders are concerned about its security implications, that being how do I secure corporate assets when applications are being accessed and used within and outside of corporate perimeters? Can IT leaders deliver the ease of use afforded by borderless networks securely? In this Lippis Report Research Note we offer an approach to securing networks without borders.

Traditionally security has taken the form of a perimeter environment where IT assets are housed in the data center under tight corporate control. This environment offers the ability to protect and control these assets. For example, remote access via VPN for employees, customers, suppliers and partners access can be managed as security is managed via firewall perimeter. This approach is the traditional security model and it will stay in place for a long time to come.

But IT is fundamentally changing. There is tremendous diversity in network access from a device, network type and geographic independence points of view. The explosion in device diversity accessing networks, be it smart mobile phones such as the iPhone, blackberry, Nexus One, Android or laptops, notebooks, desktop, readers and kiosk is challenging traditional IT security norms. Not too long ago IT leaders would distribute a corporate-approved computer with a locked corporate standard software image to employees as their IT tools. Not any longer; legitimate business applications have arrived for mobile devices and cloud computing scenarios offer new approaches to application development and delivery. In addition a richness and increased velocity of applications tunneling through Port 80 further challenges perimeter security and IT control. The new world of IT is device diversity, network access point diversity and application diversity, changing how IT leaders mitigate threats while enabling users freedom of access to applications without boundaries.

As device and application diversity flourish, data too is increasingly being distributed. This is very different from the early 2000s IT model and before that as data was centralized in data centers. What used to be stored in a data center and locked behind a firewall is shifting out into clouds. Salesforce.com offers a good example of how proprietary information such as sales leads and prospects are now outside a corporate perimeter and into a public cloud. Further, most corporations don’t know how much their employees are using clouds or SaaS offerings for mission critical business functions. One client conducted an internal survey asking business and IT leaders “how many kinds of SaaS cloud-based applications do you use?” The initial answer was “probably a dozen or so.” After an audit, the real answer was well over 300 SaaS applications were being used from ADP, engineering to Salesforce. The bottom line is that there are a tremendous number of applications already moving outside the data center and the question now being asked is how to protect corporate assets in this new IT environment.

The New World IT Order

With device, network access and application diversity booming along with distributed data, more and more of IT is happening outside the traditional corporate boundary or perimeter. The diversity trend while small in terms of overall corporate application use will only grow and may very well dominate typical corporate application portfolio mixes in the next five years. But in the mean time the traditional perimeter does not go away but needs to be a pillar in a more expansive overall approach to securing borderless networks.

Borders by nature define trust and create trust boundaries. The European Union has eliminated many borders such as walls, physical access, currency differences, etc., but what remains are rules, regulations, passports, etc. The EU reconfigured their boundaries to allow greater freedom of movement and trade. Networking is undergoing a similar transition as corporate defense shifts from a single perimeter to a set of pervasive fungible perimeters or trust boundaries where protection is pushed out to follow users around based on what application they are using, how network access is gained and on what device. Security services have to move in this direction as forcing the new world order of IT into an old world IT security model will not scale and defend corporate IT assets.

For example, IT leaders could choose to back haul all their internet connections to a central site but this will clog their enterprise network, drive up internet access bandwidth and routing requirements plus slow application performance. In addition with more and more devices such as mobile end-points, notebooks, etc., readers connect to the network differently than laptops, IP phones, desktops, etc., and thus don’t lend themselves to back hauling. Therefore, IT and business leaders are thinking about a need to provide IT delivery in the cloud, or maybe perhaps a virtual environment. A much more dynamic approach is needed for applying security in the new IT world order.

An Approach to Borderless Security

One approach is to utilize a family of existing security appliances including firewalls, IPS, web filtering, web security, email security, VPN, etc., as a security enforcement array. These appliances could be put to work to enforce existing and create new trust boundaries such as cloud security, the enterprise perimeter, mobile security, etc. The enforcement array can be segmented into four architecture components. Cisco is the only large IT company to embrace this approach thus far. Cisco breaks down a secure borderless network into 1) Borderless End Zone; 2) Borderless Internet; 3) Borderless Data Center; and 4) Borderless Policy.

The Borderless End Zone provides security services to end-point devices such as securing the end-point and obtaining secure network access. End-point security is increasingly important as a plethora of new mobile and innovative end points have emerged and are consumed in mass. One significant trend is that end-points are thin with little footprint or storage/memory for large security agent software. In addition mobile end-points access networks and IT assets differently than traditional laptops and desktops, requiring a different approach to protecting today’s powerful mobile devices that preserve the ease of user experience. A transparent VPN connection that is able to select an appropriate persistent network connection and apply the right kind of security independent of end point device without user intervention will go a long way to securing new thin and mobile end-points.

The second component is the Borderless Internet which plays a large enforcement array role by delivering real time threat protection, signatures, etc., to existing gateways, appliances and network infrastructure to make enforcement decisions. For example, even though users may be accessing cloud-based applications as simple as email and not even traversing back to their corporate premise, a borderless internet applies some of the same security policies and protections afforded to them within their enterprise to enforce what users can do and then protect them from exploits and threats. Expect to see large security portfolio moves into this enforcement array as the borderless internet develops.

The third security component of a secure borderless network architecture is a Borderless Data Center. Data center network security has become more critical, particularly as servers and soon I/O becomes virtualized. Data center security services such as firewalls, et al., are becoming virtualized, affording a wide range of threat protection without additional hardware. There is a new dynamic security model needed in the data center that allows security services to move without operational intervention when VM workloads are moved. To address dynamic security more security services are required in the hypervisor such as moving firewall features closer to the virtualization layer.

The fourth and last security component of a secure borderless network architecture is Borderless Policy including access control, acceptable use, data security and exploit mitigation. Policy has traditionally been focused on permissions and access control of resources within the corporate perimeter, but policy now needs to be pushed out across enterprise, internet and mobile networks to follow users and afford them policy enforcement. In other words, as users traverse outside their corporation using different devices, network access and a mix of applications how do IT leaders provide the same policy enforcement across a global network and ensure that access and data usage is appropriate while protecting users and corporate assets from exploits, threats and malicious websites, avoiding back haul into the corporate perimeter?

The main point of borderless policy is to enable IT leaders to make greater policy decisions that are pushed out across a global network that factors who, what, when, where and how a user accesses networked resources. Borderless policy will strive to provide ubiquitous control over how users are using IT assets across different devices. To achieve this, policy needs to be translated into code that a machine understands, can enforce, and then monitor.

Securing networks without borders needs to provide protections and enforce policy in a new set of use scenarios that are growing rapidly in their adoption and use within corporations. This is not to say that existing IT security is not critically important. None of today’s security appliances will be displaced or removed any time soon. Private data centers will be with us for decades as will the need for effective corporate perimeters. IT leaders want to leverage existing security investments to protect corporate IT assets when users access applications on mobile end-points, across and behind the perimeter. The Secure Borderless Network offers an approach of providing security, protection by setting new boundaries for a different IT use and delivery model that will only accelerate as the global economy continues its recovery.

ShareThis

On-Premise
* On-box malware prevention
* Performance & scalability
* DLP
* Real-time categorization

Cloud
* Simple management interface
* Reporting
* Ease-of-deployment
* Real-time categorization

Visit the Link

ShareThis

* Cisco is the only vendor to move from a non-leader position into
the Leaders’ Quadrant

* Cisco is forging the path as 10 of the surveyed vendors consider
Cisco a major competitive threat

* Cisco exceeded all other vendors in the number of new concurrent
SSL VPN seats in the period

* Gartner clients report that feedback and satisfaction with the
Cisco SSL VPN product have improved significantly

Visit the Link

ShareThis

The Cisco Annual Security Report provides an overview of the combined security intelligence of the entire Cisco organization. The report encompasses threat information and trends collected between January and December 2009. It also provides a snapshot of the state of security for that period, with special attention paid to key security trends expected for 2010.

Get the White Paper

ShareThis

Listen to the Podcast

ShareThis

Hope to see you there and bring your questions about unified communication in the Small to Medium sized Enterprise!

Visit the Link

ShareThis

IT business leaders have long been seeking more dynamic data center infrastructure that allows applications and services to scale with demand, both up and down. This flexibility of service delivery has become acute during the recent economic downturn as business leaders cut under performing business models, streamlined business processes and sought to quickly enter markets as they developed. This business agility requirement to usher in new business priorities and processes need prompt data center provisioning and service delivery automation. The time to provision a server, storage, network and application is too long, often measured in months. Provisioning automation is paramount in the data center as it quickens the pace of business while also contributing to business continuity initiatives.

In addition to scale, many IT business leaders are confronted with the challenge of greening or reducing their data center power consumption and cooling requirements as they represent approximately 25% and 15%, respectively, of total amortized data center cost. For each watt delivered to a data center approximately 59% is consumed in IT equipment, 8% to power distribution loss and 33% to cooling. Over a 3-year period energy cost can be twice server acquisition cost! In addition, data centers or more accurately server utilization can be very low, as low as 10%. Making matters even worse is that servers draw as much as 65% of peak power while idle. Two key design goals are to increase server utilization to near 35% and reduce energy consumption so that the Power Usage Efficient or PUE (Total Facility Power/IT Equipment Power) is 1.7. Note inefficient data centers run at 2.0 to 3.0 PUE while extreme Green data center projects are striving for an ultra low PUE in the 1.05 range.

The above business pressures placed upon data center resources are in addition to operational pressures that most are confronted with. Increasing productivity is a top priority. Well-run data centers typically have a staff to server ratio of 1:1000. As productivity pressures increase so too do service levels. Service Level Agreements (SLAs) between IT and business units are changing data center business models, as IT becomes more of an internal service provider with formal chargeback mechanisms for use of infrastructure services. Therefore, IT business leaders are challenged with increased efficiency, productivity and service delivery.

Virtualization Trends

Data center virtualization has emerged as a main solution to address many of the challenges identified above and has become a means to enable large-scale data center consolidation. As CPU suppliers move to multi-core processors and server virtualization offers multiple isolated application and OS pairs per server, IT leaders are able to build larger scale data centers measured in the 10s to 100s of thousands of servers. As more applications are loaded upon servers their utilization increases too, reducing power consumption, cooling and server acquisition requirements. Because of virtualization’s value it has become a “top down” executive management decree as companies that embraced it early realized business value in controlling and reducing operating costs, easing sub-function spent and extending the life cycle of acquired capital assets.

Why Massive Virtualization is Inevitable.

IT service delivery demands are growing faster than Moore’s Law which predicts a doubling of transistor density every two years and in today’s engineering that’s a doubling of CPU core width. This leaves IT leaders to either re-write applications for multi-core processors or settle for halved deficiency every two years. The path of least resistance has become to virtualize servers, but this too offers challenges around span of control. Virtualization has fundamentally changed the role of IT executives in charge of networking, storage, servers and applications. IT organized around competency centers, or centers of excellence are finding that responsibilities around IT silos are changing permanently.

In short, server configuration changes now impact networking and storage. Virtualization breaks the premise that IT can be organized around isolated technology groups. Server virtualization is powerful enough to IT business leaders that they are willing to sacrifice the 15-year proven network design approach to achieve business benefits. Therefore, networks are changing, servers are changing and storage is changing to embrace and accelerate virtualization.

Hybrid Virtualized And Non-Virtualized Data Centers

But for all the value associated with virtualization there are impediments to deployment. For example, not all applications are capable of running on a VM. Many IT leaders and application teams struggle with Microsoft Exchange, SAP and Oracle database implementations, for example in virtualized environments. In the mean time, some IT groups are deploying Oracle, for example, on non-production virtualized machines to gain experience and confidence. But many older or legacy applications cannot run on a virtualized machine or they have not been tested in a virtualized environment on various blade offerings. IT leaders are concerned with professional service cost to port legacy applications onto a VM while application teams are slow to fully embrace virtualization due to performance and reliability fears. The end result is that most servers are not virtualized and the industry is slightly beyond the early adaptor cycle.

The de-facto standard is that the majority of data centers live in a hybrid state of virtualized and non-virtualized servers. While this hybrid state will last for many years to come the trend line is clear that the portion of virtualized servers will increase, and increase significantly, especially for x86 servers, over time. In fact x86 servers are typically on a two to three year refresh cycle, which IT business leaders are using to synchronize their vitalization plans. In short, new x86 services will be increasingly virtualized.
The virtualized side of the hybrid data center will grow, as application teams feel comfortable about virtualization. While there are many server virtualization providers such as VMware’s vSphere, Microsoft’s Hyper-V, Citrix’s Xen virtual servers etc., VMware dominates the market segment. Its vSphere 4.0 goes a long away to increase performance, management, security and visibility capabilities of virtualized environments, a major concern of application teams.

vSphere adds significantly more power and flexibility as current ESX hypervisors only support up to 64 GB of main memory allocated to a single VM on a server and can only span up to four x86-64 cores. vSphere will span up to eight cores and address up to 256 GB of memory. In addition, vSphere allows application teams to change the amount of RAM allocated to VMs without rebooting. These capabilities are going a long way toward making application teams conformable, as it should help avoid disruption or downtime when making a memory change. The new vSphere’s maximum RAM limit is now set at 1 TB. Furthermore, an integrated Microsoft PowerShell command-line interface can be used to adjust the configuration of a VM running Microsoft Exchange on the fly. Many of these features are solutions to key technical hurdles, such that application teams will now be able to virtualize larger, more-mission-critical applications, such as Oracle, SAP and large Exchange implementations.

With server virtualization an efficiency technology compacting operating systems and applications into every increasingly more powerful server hardware, IT leaders are afforded lower cost, greener data centers and most importantly scale. Cloud spec data centers are able to scale to 100s of thousands of servers thanks to virtualization. With all this scale and increased network speed in the 10 Gb to 40 Gb and soon 100Gb a new approach to storage and networking is afforded that combines their access over a single fabric. This converged I/O via a single NIC card that splits storage and network traffic further reduces data center energy consumption, cabling and equipment cost while contributing to workload mobility requirements by automating network and security changes required during such moves. But these advances are not just afforded to public cloud providers; they are available to IT leaders building private cloud too. In fact, IT leaders are moving just as fast as cloud providers to take advantage of these new data center design approaches especially as large IT suppliers such as HP, IBM, Cisco, Dell and others offer new blade system designs that package computing, virtualization and converged networking into units.

In upcoming Lippis Reports we’ll focus on these new blade systems and converged network designs that offer new economics and performance advances.

ShareThis

The standard for 10 Gigabit Ethernet (IEEE802.3ae) was ratified in 2002. While 10GbE deployments have grown every year since then, the technology has primarily been used to interconnect switches and routers. Almost all of the server connections in data centers have remained at 1 Gbps, limiting the amount of network throughput available to each server. With recent enhancements in CPU performance, system I/O, and storage I/O the gigabit network has increasingly become the application and workload performance bottleneck.
The primary reason for staying with Gigabit Ethernet has been cost-performance. Until recently it has been more cost-effective to have multiple GbE connections rather than a single 10 GbE port. In addition, most installed servers typically cannot utilize the full bandwidth of a 10 GbE connection. However both of these factors are changing, which are leading to widespread adoption of 10 GbE for server connectivity over the next few years.

Download this white paper for an overview of the factors that are driving the growth for 10 GbE in the data center.

Get the White Paper

ShareThis

Cisco IT is transforming its data centers with solutions that help to realize the company’s Data Center 3.0 vision, which employs a unified network fabric to connect servers and storage devices in a way that is resilient, scalable, and easy to manage. The transformation occurs in three stages: 1) Consolidating I/O and increasing throughput by implementing unified I/O running on 10 Gigabit Ethernet (current stage); 2) Increasing the power available to compute resources by reducing the power consumed by the network infrastructure and; 3) Making applications location-independent, which will simplify changes and possibly eliminate the need for change requests

Learn how Cisco is deploying consolidated I/O in their data center by downloading this paper.

Get the White Paper

ShareThis