Zhang Lili: How to Address Security Management After Network Virtualization

Zhang Lili: How to Address Security Management After Network Virtualization
โ€œ
Data threats and data security issues are top priorities for every CIO. The biggest nightmare of data leaks is that sensitive internal data falls into the hands of competitors, causing sleepless nights for executives. Network virtualization adds new challenges to this issue. Data loss is a serious problem for both consumers and businesses. How can we enhance security management in an SDX environment?
โ€
Zhang Lili: How to Address Security Management After Network Virtualization

Dr. Zhang Lili

Secretary-General of the Marine Promotion Association, Pujiang Academic Committee

Academic Committee of Pangu Think Tank

In ensuring security for network virtualization, merely adopting traditional security technologies is insufficient; virtualization brings new security risks. Currently, due to the immaturity of security technologies for network virtualization, assessing security protection and assurance technologies for virtualization has become a significant challenge for cloud environment level protection.

We should divide the network virtualization center from user network access, application boundary access, computing environment, and management platform, constructing a triple security protection framework supported by a security management center, which includes a trusted communication network, trusted application boundary, and trusted computing environment.

Network virtualization has profoundly impacted IT architecture, the deployment methods of business systems, and service models, forming an IT architecture of endpoints (terminals), pipelines (networks), and clouds (cloud computing).

Business systems and data are centrally deployed in the cloud, within the resource pool of cloud data centers. This facilitates unified data security protection and unified deployment and management of business systems, improving IT resource utilization, and reducing costs and resource consumption. At the same time, the development of mobile internet networks and 4/5G technologies has greatly expanded the bandwidth of pipelines, providing excellent conditions for a richer array of terminal access.

On the terminal side, the performance and specifications required for terminal devices are more flexible, and the types of terminals are continually diversifying, especially various mobile terminals that allow users to flexibly enjoy various cloud services anytime and anywhere.

The new model of “end, pipe, cloud” allows users to quickly, flexibly, on-demand, and anytime and anywhere access IT resources and services, achieving a transformation to IT as a service, marking a significant information transformation. However, this new IT architecture also brings new security issues and demands.

Zhang Lili: How to Address Security Management After Network Virtualization

Image from the Internet

Security requirements for the network virtualization center (cloud) involve comprehensive use of various technologies and measures, including identity authentication, access control, intrusion detection, malicious code prevention, security auditing, antivirus, and data encryption, targeting the boundaries of the network virtualization center area, computing environment, and virtualization environment, to ensure the availability, integrity, and confidentiality of business applications.

Cloud data security construction should be based on actual customer needs and relevant security compliance standards, enabling data security design throughout the entire lifecycle of data creation, transmission, storage, use, sharing, and destruction within the cloud environment, as well as the construction of a data security system. To ensure the secure use of user data in the cloud environment, it is necessary to protect the confidentiality, availability, and integrity of data in the cloud environment.

In the cloud computing environment, level protection security, from the perspective of security domains, can be divided into secure computing domains, secure network domains, and secure management domains. The secure computing domain is a collection of physical hosts/servers with the same level of security protection, while the secure network domain consists of communication networks and access networks. The secure management domain is a system platform for collecting and controlling security events and alarms in the overall network virtualization.

The security of the network virtualization computing environment includes private cloud secure computing domains and public cloud secure computing domains. The private cloud secure computing domain is the focus for deploying security devices, and the main security measures that can be taken include: 4A systems, virtual security gateways, host hardening, and encryption devices. For the public cloud secure computing domain, measures should include basic platform security reviews, assessments, hosted image encryption, and rented application hardening to ensure the security and reliability of resources and data spread to the public cloud platform.

Network virtualization boundary security consists of physical access network boundaries and virtualization network boundaries. The protection of physical network access boundaries can be achieved using traditional security gateways. For virtualization platforms, virtual security gateways must be deployed within the virtual platform to protect the virtual security boundary.

In network virtualization communication network security, the communication network includes both traditional and virtual networks. For the communication network accessing the network virtualization center from external networks, VPN devices deployed at network access boundaries should be used to achieve secure tunnel communication via SSL and IPSEC; within the internal virtual network nodes of the network virtualization platform, the security tunnel function can be achieved through VPN components deployed within the virtualization platform.

The network virtualization security management center must centrally monitor the operational status of assets and resources in both private and public clouds, as well as related behaviors, security events, and security alerts. Through protocols and data files such as SNMP, Syslog, ODBC, and API, comprehensive analysis can be conducted to form security reports and overall security situation reports. This makes security risks visible, alerts comprehensive, and risk disposal specialized, achieving centralized control of security risks.

The rapid development of network virtualization necessitates level protection measures to provide basic guarantees. Many existing level protection recommendations and schemes mainly target independent cloud environments. This article discusses the challenges faced by level protection in the network virtualization environment, points out the current status and shortcomings of level protection in cloud environments, proposes security schemes for network virtualization based on level protection requirements, and analyzes the schemes from feasibility, applicability, and compliance perspectives, providing valuable reference for network virtualization security construction. With the development of network virtualization technology and the market, further in-depth research is needed on level protection work in the network virtualization environment, and corresponding level protection standards need to be dynamically adjusted.

Zhang Lili: How to Address Security Management After Network Virtualization
More Recommended Articles

[Pujiang Academic] Zhang Lili: Cloud Computing’s Consistency and Change

[Pujiang Academic] Zhang Lili: The Slimmed-Down GE Will Battle Industrial Digitalization

[Pujiang Academic] Zhang Lili: The Focus of China’s Manufacturing Industry Transformation and Upgrade (Full Version)

[Pujiang Academic] Zhang Lili: Why GE’s “Thought + Machine” Turns to Tradition?

[Pujiang Academic] Zhang Lili: Four Aspects of Industrial Internet Construction to Focus On

[Pujiang Academic] Zhang Lili: The Urgent Need to Establish a Framework for Asset Performance Management in Industrial Intelligence

[Pujiang Academic] Zhang Lili: Ideas for Building SDDC and Cloud Automation

[Pujiang Academic ยท Frontier Lecture] Sharing “Luo Qimin and Zhang Lili: Software Defined World – SDDC Analysis and IT as a Service”

Zhang Lili: How to Address Security Management After Network Virtualization

Leave a Comment