Federal data center consolidation poses security challenges, say IT professionals

The Office of Management and Budget has mandated that the federal government reduce the number of data centers by 40%, cutting approximately 800 data centers, by 2015. Federal agencies are implementing virtualization of their data centers to achieve this goal.

Meritalk asked more than 200 federal IT professionals about their views concerning the data center consolidation mandate. Surprisingly, only 10% of those surveyed said they thought that OMB’s data center consolidation goal would be met by 2015.

The respondents identified data security as one of the top challenges in their data center consolidation efforts. “As you have more data in one place, security becomes paramount. As you try to build shared infrastructure, security gets more difficult because you are sharing the physical infrastructure but you don’t have physical separation”, Andy Ingram, vice president of product marketing and business development at Juniper Networks’ Fabric and Switching Group, told an Aug. 16 webinar.

Ingram identified a number of security issues regarding data center consolidation. One is that the physical infrastructure is shared among more users, but the traffic separation needs to be maintained. As a result, a virtual separation, for example using a virtual LAN, has to be put in place.

“Another challenge is that a lot of the security devices were implemented to meet the needs of a single application, so you had one set of security devices for this application and another set for that application. As you try to put these all together in the same physical infrastructure, you are going to run into challenges”, he explained.

Ingram related that a Juniper Networks customer was trying to figure out why its collaboration environment was working slowly. After examining the issue, the customer discovered that traffic was going through 13 different firewalls.

Ingram recommended two strategies to address security issues in virtualized environments. The first strategy is to replace the many small security devices with larger devices that can be placed in strategic locations to secure more data flows throughout the data center. One device could be placed in the DMZ to monitor data flowing in and out of the data center and another could be placed between zones within the data center in order to create the traffic separation.

“With larger devices and better architecture, you reduce the number of devices and have the same level of security with fewer devices to manage, so you can have a consistent set of security policies”, he said.

Another strategy is to use a virtual security appliance, such as Juniper Networks’ Virtual Gateway, Ingram explained. “The security policies are injected in the data streams inside the hypervisor itself. So I can have a consistent set of policies spread across all of the virtualized servers, and then those policies can be implemented regardless of where I move things.”