HPE Aruba Networking Blogs

Zero Trust security in your data center

By John Gray, Data Center Marketing Lead

The cybersecurity threat landscape has changed dramatically in recent years. Today, adversaries are more motivated than ever to penetrate enterprise data centers and steal valuable information. In response, adopting the concept of Zero Trust has become the number one trend in enterprise security practice.

For the data center, this means trusting no entity on the network by default, and distrusting all traffic unless a security policy explicitly allows it.

Unlike traditional perimeter security approaches, modern Zero Trust Security architectures treat implicit trust as a vulnerability. They assume that no user, even one already allowed onto the network, should be trusted by default, because that user could be compromised. Identity and device attestation and authentication are required throughout the network. Every component in the network must independently establish its trustworthiness and be authenticated by every other component it interacts with, including existing point security measures.

While many Zero Trust Security solutions focus on the edge or on access into the network, it is critical for organizations to extend Zero Trust thinking and architectural design to the data center, where the majority of the organization's physical and virtualized business-critical applications and workloads live.

Data center microsegmentation

Microsegmentation is a fundamental requirement for Zero Trust. Segmentation and isolation are essential to preventing unwanted lateral movement: all east-west traffic in the data center is inspected, and policies are applied that stop bad actors from moving through an enterprise or data center network. Consider this analogy: in the same way that modern naval vessels are designed with compartmentalized steel hulls to limit the impact of an attack, modern data centers should use segmentation in their design to limit the blast radius of a security breach.

The granular security controls that microsegmentation provides for data center workloads and applications are invaluable in the modern cloud environment, where several applications often run on the same server, VM, or container. With microsegmentation, enterprises can apply security controls to individual workloads and applications, rather than having one monolithic security policy per VM or server.

Historically, organizations have had a limited number of suboptimal options for achieving microsegmentation in their data center. These traditional solutions have included stateless ACL-based switches, hardware firewall appliances, virtualized firewall appliances, and software agent-based firewalls.

Traditional data center segmentation solutions

While these solutions do provide some level of segmentation, they also force administrators to deploy solutions that offer insufficient security, a high degree of design and management complexity, very high CapEx and OpEx costs, and limited security scaling and performance.

HPE Aruba Networking distributed services switch

The HPE Aruba Networking CX 10000 series switch with AMD Pensando provides an entirely new class of switching solution to overcome these legacy limitations. This industry-first DPU-enabled switch delivers 800G of distributed stateful firewalling for east-west traffic, Zero Trust segmentation, IPsec VPN encryption, NAT, and pervasive telemetry services, all delivered inline, across every port, closer to critical enterprise applications.

Traditional firewall appliance vs. HPE Aruba Networking CX 10000 design

The CX 10000 delivers a unique blend of performance, scale, and automation for distributing advanced networking and security services. Where it is impractical and costly to force traffic back and forth across the network to a centralized policy enforcement point, these services are instead applied at the network access layer edge, where the applications are running.

Securing your data center with HPE Aruba Networking

The HPE Aruba Networking CX 10000 with AMD Pensando provides an entirely new class of switching solution to overcome the limitations of legacy architectures. Our HPE Aruba Networking distributed services architecture expands Zero Trust deeper into the data center, to the network-server edge, delivering fine-grained microsegmentation that dramatically scales and strengthens the security of mission-critical workloads, with greater scale and performance at lower TCO than traditional solutions.
