Micro-Segmentation Builds Security Into Your K-12 Data Center’s DNA

Executive Summary

Most education IT professionals agree that securing the network only at the perimeter is inadequate for the demands put on today’s district and school data centers. Once malware has managed to make its way behind the perimeter firewall by latching onto an authorized user (or other means), it can move easily from workload to workload. This lateral movement is possible due to a lack of sufficient internal network controls regulating server-to-server or east-west network traffic.

Micro-segmentation, enabled by VMware NSX™, is a breakthrough model for data center security. Network security policies are enforced by firewall controls integrated into hypervisors that are already distributed throughout the data center. This enables security that is both ubiquitous and granular: the enforcement point sits close enough to each workload and application to have rich context about it (which virtual machine it is, which application tier it belongs to), while remaining in the hypervisor, outside the guest operating system, so that a compromised workload cannot tamper with its own policy enforcement. Security policies also become more dynamic by being coupled directly to the workload, moving, changing, and being deleted along with it.

This approach to security, which is far better suited to the dynamic nature of data center operations, was not practical before network virtualization. It is more effective for creating, maintaining, and improving security measures than attempting to simply plug gaps in perimeter defenses or manipulate the underlying physical network infrastructure. Ultimately it means that IT and instructional decision-makers can innovate with confidence, extending the reach of digital learning while safeguarding student information and privacy.

The Tortoise and the Hare: Security Isn’t Keeping Up With Fast-Moving Workloads and Faster-Moving Threats

As virtualization and cloud technologies come to dominate K-12 district and school data centers, accelerating the speed at which servers, storage, and network resources are provisioned, administrators are under pressure to offer security that keeps pace with today’s application and environment demands. This is especially critical as scrutiny around student privacy and safety grows: one breach can be devastating to both mission and reputation, and the cost of recovery can be immense. Even with those risks, most decision-makers remain unsure how to respond.

Following are just some of the data points that tell us the current model for K-12 data center security is not keeping up with threats:

  • 47 states now have data-breach laws that apply to public entities, including school districts.
  • Nearly 800 educational institutions have experienced a data breach event since 2005 (about one educational institution per week). Nearly 1 in 3 were K-12 primary and secondary schools.
  • 7 in 10 parents are comfortable with data-driven instructional tools, if the school can protect their data.

Fortunately, there is a smarter way to address these risks. By isolating workloads and regulating lateral movement, malware that gains a foothold in one place can be prevented from moving from workload to workload until it achieves maximum damage or exfiltrates sensitive information. It’s called micro-segmentation, and it helps set a whole new standard of information security.

Today’s Security Normal: Good but Not Good Enough

The issue isn’t that the physical security appliances education IT organizations use today aren’t sophisticated. Given the purpose for which they were designed, today’s adaptive firewalls and intrusion prevention systems are intelligent and formidable. But statistics show that they aren’t sufficient to protect the data center. Some challenges include:

  • Complex security mechanisms like physical firewalls are administratively intensive to maintain and update. District CIOs are having a tough time justifying this rising overhead when they’re under constant pressure to expand access to teaching and learning resources without increasing costs.
  • Physical devices cannot be everywhere at once, or even in very many places at once. It’s simply too complicated and expensive to locate firewalls pervasively throughout the data center. Even if the devices could be adequately deployed, it would be impossible to keep them constantly updated and protected against evolving threats.
  • The perimeter-centric security model is designed to work north to south, that is, between clients outside the data center and servers inside it. It’s not designed to handle east-west traffic, the server-to-server communication inside the data center, which is how many threats propagate once they are behind the perimeter.

Most IT professionals agree that securing the network only at the perimeter with physical firewalls is inadequate for today’s data centers. While perimeter defense is strong, it isn’t impregnable.

Among the many ways that intruders can make their way into the data center is by creating malware that latches onto an authorized user to get behind the physical firewalls. This is especially risky for education IT, where users aren’t always educated on security best practices and nearly all data is potentially sensitive.

The World is More than “Trusted” and “Untrusted”

Historically, using traditional network firewalls, similar compute systems are grouped into security or trust zones. Firewall policies can then be used to create a comfortable envelope around these siloed zones. Because every zone boundary adds firewall rules that someone must write and maintain, larger zones are cheaper and simpler to set up than smaller ones; the most common example is a single “trusted” zone separated from an “untrusted” zone.

Large envelopes with more compute systems inside them are better for economics and ease of administration—but not, as it turns out, better for security. Once inside a security or trust zone, access is completely unrestricted between systems—because anything in the zone is assumed to be trustworthy by everything else in that zone. The bigger the zone, the more havoc a single piece of malware can wreak. The malware can travel around unchallenged, disrupting operations or stealing sensitive data for days, weeks, or even months.

The Traditional Choice: Performance or Security?

The typical data center might have a pair of firewalls at the perimeter and maybe a handful inside the data center, compared with several hundred workloads. Inspecting all of the east-west traffic between those workloads with physical appliances would not be feasible even for the most skilled and well-funded IT team.

Even if it were, you would still have to hairpin all VM-to-VM traffic, including traffic between two VMs on the same host, out to a large chokepoint firewall and back again, and the performance and latency penalty would be severe.

Since physical security is optimized in one direction, a better model requires an entirely different approach: micro-segmentation enabled by network virtualization. Micro-segmentation can help your organization address all of these issues:

1. Stopping the spread of malware within the data center
2. Enabling faster delivery of networking and security services
3. Creating more flexible and even automated adaptation to changing demands and security conditions

Until network virtualization with VMware NSX, a micro-segmentation model for data center security was not possible. Now it is not only feasible, but also streamlined and cost-effective to deploy and administer.

If Threats Can Start Anywhere, You Have to be Everywhere

In a sense, physical security is like using gloves to guard against germs. It is external, limited protection. If someone sneezes in your face, you’re probably going to end up with a cold or flu. Micro-segmentation is like strengthening the immune system of the data center: it does not stop every germ (or piece of malware) at the door, but when something does get in, the system can shut it down, or limit its spread, so it can’t do any more damage.

Micro-segmentation is based on the assumption that threats can come from anywhere within the data center, so the micro-segmentation model makes security ubiquitous throughout the data center. This model not only provides pervasive coverage, but also the ability to create and change security policies with agility and speed that matches the dynamic workloads they must protect.
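To make the contrast between the large trust zones described under “The World is More than ‘Trusted’ and ‘Untrusted’” and the per-workload policies described here concrete, the following is an added worked example written for this page. It is not VMware or NSX code, and its policy functions are a simplified stand-in for a distributed firewall. It models the same inventory under two policies, a coarse zone policy (anything inside a zone may reach anything else in that zone) and a default-deny micro-segmentation policy keyed on a workload’s role tag, and computes the lateral-movement blast radius of one compromised workload under each. The workload names, tags and ports are constructed sample data.

```python
"""Blast-radius model: zone-based vs. micro-segmented east-west policy.

Added illustration for this page; not VMware/NSX code. All workloads,
tags, ports and rules below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    zone: str   # coarse trust zone the perimeter model relies on
    tag: str    # role the micro-segmentation policy is keyed on


@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    port: int


# Constructed inventory: one flat "trusted" zone holding several tiers,
# plus a student lab machine in the "untrusted" zone.
WORKLOADS = [
    Workload("web-1", "trusted", "web"),
    Workload("web-2", "trusted", "web"),
    Workload("app-1", "trusted", "app"),
    Workload("db-1", "trusted", "db"),
    Workload("sis-1", "trusted", "sis"),    # student information system
    Workload("lab-1", "untrusted", "lab"),  # student lab machine
]

# The only tier-to-tier flows the application actually needs (sample ports).
ALLOWED_TAG_FLOWS = {
    ("web", "app"): {8080},
    ("app", "db"): {5432},
}

# Ports an attacker would try when pivoting (sample set).
PROBE_PORTS = (22, 445, 443, 8080, 5432)


def zone_policy(flow: Flow) -> bool:
    """Perimeter/zone model: anything inside a zone may reach anything else
    in the same zone on any port; cross-zone traffic is denied."""
    return flow.src.zone == flow.dst.zone


def microseg_policy(flow: Flow) -> bool:
    """Micro-segmentation: default deny. Allow only the listed tag-to-tag
    flows on the listed ports, regardless of zone or placement."""
    allowed = ALLOWED_TAG_FLOWS.get((flow.src.tag, flow.dst.tag), set())
    return flow.port in allowed


def blast_radius(start, workloads, policy, max_hops=None):
    """Names of workloads an attacker on `start` could reach by lateral
    movement. Worst-case model: every permitted flow is treated as an
    exploitable hop. `max_hops=None` follows the chain to exhaustion."""
    reached = {start}
    frontier = [start]
    hops = 0
    while frontier and (max_hops is None or hops < max_hops):
        next_frontier = []
        for cur in frontier:
            for w in workloads:
                if w in reached:
                    continue
                if any(policy(Flow(cur, w, p)) for p in PROBE_PORTS):
                    reached.add(w)
                    next_frontier.append(w)
        frontier = next_frontier
        hops += 1
    reached.discard(start)
    return {w.name for w in reached}


def policy_follows_new_workload():
    """Policies keyed on the workload's tag cover a newly provisioned
    database replica with no rule edits: app may reach it on 5432, web
    may not, and even app may not reach it on 22."""
    app = next(w for w in WORKLOADS if w.name == "app-1")
    web = next(w for w in WORKLOADS if w.name == "web-1")
    new_db = Workload("db-2", "trusted", "db")   # freshly provisioned
    return (microseg_policy(Flow(app, new_db, 5432))
            and not microseg_policy(Flow(web, new_db, 5432))
            and not microseg_policy(Flow(app, new_db, 22)))


if __name__ == "__main__":
    compromised = WORKLOADS[0]   # assume web-1 was compromised
    for label, policy in (("zone", zone_policy), ("microseg", microseg_policy)):
        print(f"{label:9s} blast radius from {compromised.name}: "
              f"{sorted(blast_radius(compromised, WORKLOADS, policy))}")
    print("new db replica covered without rule edits:", policy_follows_new_workload())
```

Under the zone policy a compromised web-1 can reach every other workload in the “trusted” zone, including the student information system; under the tag-keyed policy it can reach only the app tier directly, and the database only by a second hop through app, which is the sort of path a practitioner then tightens further or monitors. The last function shows the point made above about policies being coupled to the workload: a new database replica inherits the db rules the moment it is tagged.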

The DNA of Better Security

It is not unlike how biotechnology is used to change plants at the molecular or cellular level to be pest and disease resistant. That’s what micro-segmentation can do to secure all of your data center resources. It allows security to become both pervasive and extremely granular, closing gaps throughout the data center; this is how NSX builds security right into your K-12 network’s DNA.

Thanks to the innovation and efficiency made possible by network virtualization, micro-segmentation has become a practical and powerful reality for K-12 decision-makers worried about securing their district’s information and infrastructure. Data center administrators no longer have to predetermine where security needs to be located, because it’s available anywhere.

This means policies can be created to match workloads and change as readily as workloads change. Security is pervasive, but not rigid. It’s revolutionary, but not disruptive to your existing infrastructure.

Micro-segmentation enabled by VMware NSX blankets the data center itself with complete, adaptive protection. In short, your data center now has security infused into its operational DNA. New applications, new users, new demands—your digital learning infrastructure is now ready for anything, thanks to micro-segmentation.