A Neat Fix for "Clamp On" Security

The patchwork era of corporate security may be ending with the advent of new, cheaper virtualized offerings

By Bill Hancock

Most security in information technology today is what I call "clamped on." This is mostly due to the fact that software, server computers, and networks don't have security built into the products. As a result, security components have been developed over the years that are clamped on to provide some rudimentary levels of control. Just as in plumbing, where a clamped-on pipe patch is nowhere near as solid as an original pipe fitting, security controls provided by clamped-on solutions just aren't as sturdy as if the security were built into the products.

If you have ever had to install and operate an Internet firewall, you have a rough idea of how difficult clamp-on security can be. Getting a computer configured for the firewall software, installing it, getting all the cabling sorted out, and figuring out what the firewall security rules should be are daunting tasks. The same applies to other security products, whether they're intrusion-detection systems, virtual private networks, or anything else a company may deploy to protect its network.

Oh, by the way, did I mention the cost? Managed Internet firewalls can easily cost between $1,500 and $4,000 per month to set up and manage. That's for just the firewall, mind you.

Enter the concept of "virtualization." Virtualization has been around for decades, using software to enhance the performance of scarce physical computing resources, such as memory, storage, and networks. Virtual storage, for example, uses software that can make multiple hard drives act like one large virtual drive. The result is you can run more powerful software at a lower cost and with greater performance.

Virtualization is now coming to security. Virtualized security offerings provide a very large, very powerful server with multiple processors, called a multiblade server, in a specific location on a network. The traffic that is normally sent to something like an Internet connection point is then routed by the company providing network services to that virtual security server.

The benefit is that setting up a virtual security "box" can be done in minutes instead of the days required by a traditional setup. The other major benefit is higher performance. As more processing power or network bandwidth is required for the network connection, the upgrade can be made with simple software commands to the server, without physically upgrading any equipment. In larger networks, a single virtualized security server can replace many physical boxes, allowing for much more sophisticated network defense and reduced management costs.

And virtualized security saves you money. As an example, one supplier of managed security services provides a managed firewall for a T1 Internet connection -- which streams data at 1.54 megabytes per second -- for $1,500 per month. The exact same company will provide a virtualized managed firewall, which looks and acts exactly like the traditional firewall, for $250 per month. With a monthly savings of over $1,250, this is something to make a chief information officer sit up and take notice.

Is virtualized security for you? That answer depends on how much you're willing to trust the technology and the service provider that may be doing the work. Most of the virtualized security hardware on the market is from relative startups. If you plan on building your own security systems using this new virtualized hardware, you should invest in training for your security team and build a strong working relationship with your hardware supplier.

Another approach would be to sign up for security services from a managed security services provider (MSSP). In this case, the MSSP is responsible for evaluating, integrating, and managing the virtualized security hardware. You pay for the security service on a month-to-month basis and receive a service-level agreement (SLA) that guarantees performance and security controls that are up to your corporate standards.

The good news is that we're no longer stuck with clamp-on security. Virtualized security products and services offer a good way to reduce the complexity of deploying and managing security systems and can save businesses a significant amount of money.

Bill Hancock is chief security officer of SAVVIS Communications and is chairman of the FCC's Network Reliability and Interoperability Council of the Homeland Security focus group on cybersecurity.
