The Good and Bad of Unlimited Policies for a Micro-Segmented Data Center
“Think about an M&M. Once you’re in that M&M, you kind of get wherever you want. With the data center it’s similar. Virtual desktop is in, and now you have free run of the place,” said Aaron Dumbrow (@adumbrow), senior systems engineer at VMware, in his Austin Powers-infused presentation "Your Laptop Has Been Stolen with 80,000 Patient Records - You're Held to Ransom for… ONE MILLION DOLLARS!" during VMworld 2015 in San Francisco.
A single perimeter firewall is no longer sufficient as a security solution. One step toward a more secure solution that isn’t just hard on the outside and gooey in the center is creating a micro-segmented data center, where you can have unlimited firewalls at different points. The danger in creating policies for what you can and cannot do lies in what you may have missed, and in rules sprawl. Too many rules become unusable or make for a miserable experience for the end user.
To understand what rules you should create, Dumbrow advises that you first understand the problem you’re trying to solve; he then offers software-defined security as the solution. Given that he works in healthcare, he skews the discussion toward healthcare-related issues, but you can extrapolate to almost any other industry.
What is the problem we're trying to solve?
- Lost/stolen laptops: First step is to be able to secure it. Next step is to know what’s actually on that machine. Certain industry regulations levy heavy fines if you don’t know what’s on a computer that’s been lost/stolen.
- BYOD: Managing devices owned by a person and the company.
- Remote/temporary workers: Support this audience, and applications being built by contractors.
- Patients demand a consumer experience: If it doesn't just ‘work’ they're not going to use it. Why can't it work like this consumer product we love so much?
- Affordable Care Act requirements: There are so many in there that the healthcare industry is still struggling to understand what they all mean. They have to comply with the law and protect patients. How do you provide care while maintaining compliance?
Software-defined security solution
- Data center micro-segmentation: You have to have data center security before you can have end user computer security.
- Isolate: Don’t allow a communication path between unrelated networks.
- Segment: Control the communication path within a single network. This is where you can create fine-grained enforcement of security. Security policies can be based on logical groupings of VMs.
- Advanced services: Depending on policies, include third-party security programs.
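The isolate and segment steps above, together with the rules-sprawl concern raised earlier, can be modelled as a small default-deny policy evaluator. This is an added example, not code from the presentation or from any VMware product; the VM names, networks, groups and ports are constructed, and "unrelated networks" is assumed to mean VMs tagged with different network names.

```python
from dataclasses import dataclass

# Constructed inventory (hypothetical names): VM -> (network, logical group).
VMS = {
    "vdi-01":  ("clinical",  "virtual-desktops"),
    "ehr-web": ("clinical",  "ehr-web"),
    "ehr-db":  ("clinical",  "ehr-db"),
    "hr-app":  ("corporate", "hr-app"),
}

@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int

# Segment: explicit allows between logical groups of VMs. Anything else is denied.
RULES = [
    Rule("virtual-desktops", "ehr-web", 443),
    Rule("ehr-web", "ehr-db", 5432),
    Rule("virtual-desktops", "hr-app", 443),  # crosses networks, so it can never match
]

def decide(src, dst, port, rules=RULES):
    """Return (verdict, reason) for one flow between two VMs."""
    src_net, src_grp = VMS[src]
    dst_net, dst_grp = VMS[dst]
    if src_net != dst_net:                      # Isolate: no path between networks
        return ("deny", "isolate")
    for r in rules:                             # Segment: group-to-group allow list
        if (r.src_group, r.dst_group, r.port) == (src_grp, dst_grp, port):
            return ("allow", "segment")
    return ("deny", "default")                  # nothing matched

def dead_rules(rules=RULES):
    """Sprawl audit: duplicate rules, and rules that isolation always overrides."""
    group_nets = {}
    for net, grp in VMS.values():
        group_nets.setdefault(grp, set()).add(net)
    seen, dead = set(), []
    for r in rules:
        src_nets = group_nets.get(r.src_group, set())
        dst_nets = group_nets.get(r.dst_group, set())
        if r in seen or src_nets.isdisjoint(dst_nets):
            dead.append(r)
        seen.add(r)
    return dead

if __name__ == "__main__":
    print(decide("vdi-01", "ehr-db", 5432))  # a desktop cannot reach the database directly
    print(dead_rules())
```

Running the audit whenever a rule is added keeps the rule set from accumulating entries that no flow can ever match.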
Putting a firewall on the desktop can be as granular as you'd like it to be, said Dumbrow. This is all done by a policy. But as we discussed in our conversation, this is an ongoing battle to manage all the issues of security, usability, and industry compliance. While they’re not ready to let policies be automatically changed through credential authorization (“We don’t want doctors spinning up servers,” said Dumbrow), they can make the process as simple as possible. When a request comes in for access, policy changes can be managed by a low-level employee, thus minimizing the workflow disruption for the end user.