Data Center and Hybrid Cloud for Dummies

Issue link: https://insights.oneneck.com/i/1458399

Page 46 of 82

CHAPTER 3 Delivering Consistent Security Using Zero Trust 41

These materials are © 2020 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

Historically, organizations would implement security to protect traffic flowing north–south, which is insufficient for protecting east–west traffic, which now constitutes the majority of data center (including private and public cloud) traffic. To improve their security postures with regard to sensitive data, organizations recognize that protecting against threats across the entire computing environment, both north–south and east–west, has rapidly become a security best practice. A next-generation firewall deployed at the trust boundary between trust zones enables a Zero Trust architecture that limits the scope of an attack and blocks lateral movement using a combination of segmentation and threat protection.

Using Dynamic Security to Support Moves and Changes

Today's data centers and hybrid cloud environments move and change rapidly. Virtualized and containerized workloads are created and deprecated continually as applications are built and modified. It's imperative that security policy provisioning and updates in these environments keep up with the pace of application development and change.

Traditionally, security policies are applied to workloads based on IP addresses. In hybrid cloud environments, IP addresses are often dynamic in nature, so it becomes essential to abstract these addresses away from the security policies themselves. Tags are the main mechanism by which next-generation firewalls overcome this challenge. A tag creates a grouping of IP addresses that can be used to formulate a policy. For example, a tag can be created for "map-servers" and a security policy can be created that uses the "map-servers" tag as the source address. As map-server workloads are created and deprecated, they can dynamically enter and leave the map-server group, eliminating the need to update the policy with each change, while still ensuring that any workload tagged appropriately will be secured (see Figure 3-3).
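To make the tag mechanism concrete, the following is an added Python example; it is not code from the book and does not model any vendor's firewall API. It assumes a simplified inventory in which each workload carries a set of tags, a rule whose source is either a static prefix or a tag name, and a first-match, default-deny evaluator. All workload names, addresses and ports are constructed sample values. It shows the same "allow map servers to reach the database" intent written once against an IP prefix and once against the "map-servers" tag, and then adds and removes a map server to show that only the tag-based rule keeps working without a policy edit.

```python
"""Tag-based vs. IP-based security policy: a constructed, hypothetical model.

The classes and helper names below are assumptions for this example; they are
not a real firewall's configuration schema.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass
class Workload:
    name: str
    ip: IPv4Address
    tags: frozenset[str]


@dataclass
class Rule:
    """A rule whose source is a static prefix ("10.0.1.0/24") or a tag ("tag:map-servers")."""
    name: str
    source: str
    dest_port: int
    action: str  # "allow" or "deny"


@dataclass
class Inventory:
    workloads: dict[str, Workload] = field(default_factory=dict)

    def add(self, w: Workload) -> None:
        self.workloads[w.name] = w

    def remove(self, name: str) -> None:
        self.workloads.pop(name, None)

    def resolve_tag(self, tag: str) -> set[IPv4Address]:
        """The dynamic address group: every IP currently carrying the tag."""
        return {w.ip for w in self.workloads.values() if tag in w.tags}


def source_matches(rule: Rule, src: IPv4Address, inv: Inventory) -> bool:
    if rule.source.startswith("tag:"):
        # Tag references are resolved at evaluation time, so membership follows
        # the inventory rather than the rule text.
        return src in inv.resolve_tag(rule.source[len("tag:"):])
    return src in ip_network(rule.source)


def evaluate(rules: list[Rule], src: str, port: int, inv: Inventory) -> str:
    """First matching rule wins; anything unmatched is denied (Zero Trust default)."""
    addr = ip_address(src)
    for r in rules:
        if r.dest_port == port and source_matches(r, addr, inv):
            return r.action
    return "deny"


def demo() -> dict[str, str]:
    inv = Inventory()
    # Constructed sample workloads; map servers live in two different subnets.
    inv.add(Workload("map-01", ip_address("10.0.1.10"), frozenset({"map-servers"})))
    inv.add(Workload("map-02", ip_address("10.0.2.20"), frozenset({"map-servers"})))
    inv.add(Workload("web-01", ip_address("10.0.1.11"), frozenset({"web"})))

    # Traditional policy: the rule hard-codes an address range.
    ip_policy = [Rule("maps-to-db", "10.0.1.0/24", 5432, "allow")]
    # Tag-based policy: the rule never mentions an address.
    tag_policy = [Rule("maps-to-db", "tag:map-servers", 5432, "allow")]

    results = {}
    results["ip_map02"] = evaluate(ip_policy, "10.0.2.20", 5432, inv)   # denied: wrong subnet
    results["ip_web01"] = evaluate(ip_policy, "10.0.1.11", 5432, inv)   # allowed: over-broad
    results["tag_map02"] = evaluate(tag_policy, "10.0.2.20", 5432, inv)  # allowed
    results["tag_web01"] = evaluate(tag_policy, "10.0.1.11", 5432, inv)  # denied

    # A new map server appears with a fresh address; no rule edit is needed.
    inv.add(Workload("map-03", ip_address("10.0.3.30"), frozenset({"map-servers"})))
    results["tag_map03"] = evaluate(tag_policy, "10.0.3.30", 5432, inv)  # allowed
    # It is decommissioned; its old address loses access as soon as the tag is gone.
    inv.remove("map-03")
    results["tag_map03_gone"] = evaluate(tag_policy, "10.0.3.30", 5432, inv)  # denied
    return results


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key}: {verdict}")
```

The model also makes the practical caveat visible: once policy follows tags, whoever can assign or change a tag on a workload can change what that workload is allowed to reach, so tag assignment needs the same change control and audit logging as the firewall rules themselves.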
