How to secure software-defined data centers?

Everything from patching to account privileges and encryption must be part of your security architecture if you want your software-defined data center (SDDC) to be a foundation for secure and efficient operations.

While migrating to a software-defined data center provides flexible resource management and application provisioning, it can complicate your organization’s information security if not handled properly. We recommend considering software layer vulnerabilities, role access features, and storage encryption when developing your security strategy.

The abstraction layer allows organizations to build software-defined architectures. This approach adds another layer of complexity to infrastructures compared to the traditional data center approaches. Since the basic equation of cybersecurity is that the probability of vulnerabilities increases as complexity increases, security should be one of the top priorities when considering software-defined data centers.

The best way to mitigate the threats posed by increased security risks is to include all layers of your software-defined data center (SDDC) (operating systems, hypervisor memory, and virtual servers) in a patch management strategy. Organizations should apply available patches as soon as possible within the update framework to sustain SDDC security. It’s also vital that the IT department has apps that will regularly check for patch and version updates.

Hackers know when new patches are available, and they can easily recognize unpatched systems with known vulnerabilities and exploits.

Storm is brewing

Another common risk threatening SDDC security is privileged Unix root or Windows administrator accounts. These accounts can be hacked and allow cybercriminals to roam freely on your systems. One way to avoid this is to enforce the use of secure passwords and multi-factor authentication wherever possible.

We can mention two direct actions for protecting user accounts against security breaches. The first is to create a custom Active Directory that only provides authentication services for the SDDC infrastructure. You can add hypervisors, management servers, and other low-level infrastructure components to a domain at this level to obtain certain permissions. Active Directory-based authentication can make it easier to audit privileged account use in the software-defined database.

The second measure is to use single-purpose service accounts instead of having a single service account for the entire SSDC infrastructure. This approach makes people’s job harder than it is, but it prevents user accounts from being easy targets for hackers. Because when a service account is used for more than one purpose, that account starts gaining more privileges than required for any task. This is a tremendous danger because hacking the account will give hackers a picklock that opens every door in your SSDC environment.

It is possible to extend this anti-privilege approach to administrator accounts. Instead of giving the IT team unlimited administrative access, role-based access controls can be used to limit the scope of each privileged account. For situations where IT staff need top-level administrative permissions, we recommend creating a set of low-privileged accounts rather than assigning all necessary privileges to a single account.

Storage as an SSDC security component

SSDC manages storage resources with software, and accessing storage poses potential risks. An attacker could gain unrestricted access to your storage despite all other precautions you may have taken. However, it is possible to eliminate this risk to a large extent with authentication and encryption mechanisms.

It is necessary to ensure that iSCSI storage requires bidirectional authentication. The system must require host authentication before connecting the iSCSI target. At the same time, hosts should use a Challenge-Handshake Authentication Protocol to prevent fraudulent connection attempts.

Encryption layers should also be applied for data at rest and in motion. Protecting data at rest means encrypting the storage. If the volume contains virtual hard disks, the contents of the virtual disks must be encrypted. A private network segment, virtual local area network, or IPsec encryption can be used to protect the data in motion.

Accelerate your digital transformation with Cisco SDDC

Cisco software-defined data center (SDDC) solutions offered by Netas provide purpose-based infrastructures that facilitate the management of formerly siloed resources such as networking, storage, and computing in new, diverse, and yet more unified than ever IT environments.

Cisco’s software-defined data center (SDDC) solutions provide the automation and efficiency needed to achieve more in less time, at low cost, and with fewer resources. It also frees the application layer from the physical infrastructure, allowing applications to be hosted anywhere with maximum use and efficiency of the infrastructure.

Cisco SDDC solutions enable centralized management of the software-defined data center from a single platform and provide seamless workload mobility across the data center, cloud and multi-environments. The solutions ensure that security policies are consistent across all environments by automating security profiles across all devices and applications with artificial intelligence. All this, combined with a low total cost of ownership and advanced cost controls, make Cisco SDDC solutions the ideal choice for organizations looking to accelerate their digital transformation.

Cisco SDDC solutions, which bring cloud-level speed and agility to all environments, whether private, hybrid, or multi-cloud, consist of three main products:

• Cisco ACI: Cisco ACI lays the foundation for zero-disruption networking by utilizing consistent policy-based automation to improve cloud-based and software-defined network segmentation, security, and control. Facilitating data center automation and increasing application agility, Cisco ACI enables organizations to have highly available and self-optimizing networks, accelerate network operations and deliver superior application experiences.
• Cisco Intersight: Cisco Intersight is a software-as-a-service (SaaS) that manages, automates, and optimizes computing infrastructures and applications across the data center, endpoints, and clouds. Cisco Intersight is a single platform that gives you complete control over everything from servers to containers, applications to infrastructures.
• Cisco Secure Workload: Cisco Secure Workload protects the entire infrastructure using workload-level firewalls deployed regardless of where applications are hosted. Secure Workload brings security closer to applications, protecting both applications and data with a zero-trust framework; proactively mitigates risks by identifying workload behavior anomalies, vulnerabilities, and risks.