With the rise of technologies such as software-defined networking, hyper-converged architecture and the Internet...
of Things, customers are facing new security vulnerabilities as the attack surface of their IT environment shifts in dramatic ways.
To help channel partners address these issues, we conducted interviews with several key industry executives who discussed how these technologies are changing the security landscape, identified important security weaknesses and shared tips on how to strengthen a customer's security posture.
In this IT security tutorial, we examine hyper-converged infrastructure (HCI), which consists of hardware appliances or a software-centric architecture that tightly integrates compute, storage, networking and virtualization resources, and other technologies.
Key vulnerabilities of hyper-converged architecture
In hyper-converged architecture, not only are compute and network converged, but so is storage. This means the attack surface of the HCI system dramatically increases, because a root compromise anywhere provides complete and unfettered access to everything in that system.
According to Randy Bias, vice president of technology at EMC Corp., migrating to hyper-converged architecture means moving away from a more traditional data center infrastructure where, for example, there would be a compute system like VMware, a storage system like EMC and a networking system with Cisco. There might also be a general "cloud API" on top like vCloud Director or OpenStack. Each system is separate from the others, but interconnected. Each has its own APIs, each stores configuration data separately, and each has its own security characteristics and profile.
Like SDN, hyper-converged architecture suffers from the issue of reducing the system to a single dimension. This flies in the face of traditional security methodologies that rely on defense in depth for separate systems, such as compute, networking, virtualization resources and so on.
Bias noted that in a hyper-converged system you are running a single set of homogeneous software which is configured for networking, storage or compute capabilities, with all functions running equally across the entire cluster. There is no separation of APIs and configurations, and all services share the same security characteristics and profile. This means if there is a single root compromise, an intruder can access the databases and storage for all systems, the networking functions for all systems and the APIs for all systems.
Tips for protecting HCI systems
Bias' recommendations include:
- Control planes for hyper-converged architecture should have extremely restricted access. Use many distributed smaller clusters for HCI, which minimizes risk.
- Consider using multiple hyper-converged vendors for different use cases to reduce the chance that a zero-day exploit will leave all of your HCI systems vulnerable to a single attacker.
- Intrusion detection, intrusion detection, intrusion detection: Know the state of your systems, and know when they change.
- Push your security vendors for updated offerings that take these issues into consideration.
This HCI tutorial is part of a three-part IT security tutorial on emerging technologies. The tutorial also examines SDN technology and Internet of Things.
Get tips on how to sell hyper-converged infrastructure.
Storage expert George Crump: Reasons to hyper-converge your architecture.
Read about how the hyper-convergence market expanded in 2015.