Security measures at the workload level
If workloads in the cloud are decoupled from the underlying hardware, the security calculation changes fundamentally. In a multi-cloud world in which containers and virtual machines can be moved between on-premises and public cloud infrastructures, network-based segmentation is no longer possible. Richard Bennett, Head of Industry Solutions & Strategy, EMEA at VMware, says: “The castle walls no longer work. You can put crocodiles in the moat, but what happens if someone jumps over it with a pole?”
The majority of data traffic within a conventional data center flows in an east-west direction, that is between hosts inside the data center, and is therefore outside the reach of the usual security measures such as firewalls or intrusion prevention systems (IPS). Multi-cloud scenarios go a step further, because the workloads share their physical hosts and internal network resources with unknown third parties.
With such architectures, security measures cannot simply be implemented as perimeter fences. Since the hardware used is also subject to constant change, all hardware-oriented protective measures must be reconsidered. The new approach therefore depends on software-based security. Mike van Vliet, Consulting Pursuit Lead for EMEA at Dell Technologies, recommends that “all security rules … should be as close as possible to the data and applications, i.e. directly in the VM or in the container”.
In such a case, security measures such as firewalls and IPS are defined in software and are spun up and torn down together with the workloads. More importantly, these controls are created at the workload level, inside the container or the virtual machine, so they continue to protect the workload even when it is moved back and forth between internal and external systems.
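As an added example (not from the article or from the vendors quoted in it), the following Kubernetes NetworkPolicy shows what a firewall rule "directly in the container" looks like in practice: it is declared alongside the workload, selects pods by label rather than by host or network segment, and is enforced wherever the pod is scheduled, in an on-premises or a public cloud cluster. The namespace, labels and ports are assumed values.

```yaml
# Added example (assumed names): default-deny for the namespace, plus an
# allow rule bound to the workload's labels rather than to a host or subnet.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments            # assumed namespace
spec:
  podSelector: {}                # matches every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-api-allow
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: orders-api            # the workload the rule travels with
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: checkout-frontend   # the only workload allowed to call it
      ports:
        - protocol: TCP
          port: 8443
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: orders-db     # the only backend it may reach
      ports:
        - protocol: TCP
          port: 5432
    - to:                        # cluster DNS, otherwise name resolution breaks
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
```

Because the selectors reference labels, rescheduling the pod onto another node, or migrating it to another cluster, keeps the rules intact; enforcement does require a CNI plugin that implements NetworkPolicy, which is assumed here.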
This approach is essential because it is the only way to decouple security from the hardware, just as the workloads themselves are decoupled from it. Data protection must therefore be set up independently of the operating environment. Security functions must act at the level of the individual workloads, because this is the only way to protect against threats that infrastructure-based measures alone cannot address.