Security cloud for financial services

Challenge: Security exposure surface is growing geometrically

Simply put, cloud, webscale, and distributed application architectures geometrically increase the exploitable security exposure surface. Virtual machines and containers increase east-west exposures within the datacenter while physical taps are a constant threat. And, the more layered the architecture, the greater the exposure. As complexity rises, it’s increasingly hard NOT to make errors that hackers can exploit.

Solution: Build multi-layered cloud-ready security into your infrastructure

Nokia combines multi-layered security with cutting-edge networking technology to deliver a cloud infrastructure that provides mission-critical communications and operations while reducing costs. Each security component is entirely cloud-ready to handle the complex multi-layer and multi-site needs of modern webscale applications and to manage extremely high and variable scalability.

Security within the data center

As illustrated in Figure 1, security within the data center is centered on the Nuage Networks (a subsidiary of Nokia) product portfolio. The Nuage Networks Virtualized Services Platform (VSP) provides software-defined networking (SDN) capabilities that automate and secure the data center network. The VSP overlays the existing environment to upgrade it, does not require forklift upgrades, and transforms the environment into a best practices cloud. The cloud management system commands from any or all of OpenStack, CloudStack, and VMware vCenter are relayed to components of the Nuage Networks VSP. 

Within the virtualization hypervisor or container host, VMs and containers are secured and isolated, starting at their initial connection to the network. Leveraging micro-segmentation, each network stream is isolated. 

Using a top-of-rack switch with gateway capabilities, even bare metal servers are virtualized and secured. Existing security approaches, such as firewalls, are fully leveraged. And, network inspection capabilities to the packet level enable one or more emerging security approaches to be incorporated. Because a single approach provides the security framework, the entire data center exposure surface is minimized while security is consistent and automated.

Figure 1. Multi-layer controls protect from the initial network connection through the connections to the external network(s)

Figure 2. Security is built into every cloud component to minimize the overall exposure surface

Security among data centers and components

Rather than being a bolt-on afterthought, security is built into each layer and each interface between the layers of the Nokia cloud. Figure 2 shows how our optical networking infrastructure includes Layer 1 encryption to protect north-south against physical taps. By leveraging intelligent declarative policies that are interpreted dynamically at the end point, even the most complex IP environment can be secured effectively and efficiently. 

Further, by creating a unified and secured WAN over any combination of IP, MPLS, and even copper-based networks, the entire WAN environment is highly secure as well as managed by the same system as IP and the data center. Core network services, such as DNS, are protected against malware and other attacks, using the Nokia VitalQIP DDI network services platform. 

Lastly, powerful APIs, including REST, enable a wide variety of specialized security appliances to be seamlessly incorporated.   

How our approach changes the game

This end-to-end security approach minimizes the overall security exposure surface by protecting key components, such as VMs and containers, starting at the initial network connection. Perhaps most importantly, each layer of security — from datacenter to WAN and from data to voice — is completely cloud-ready. 

Our solution’s major capabilities include microsegmentation within the hypervisor and container host, secure networking for even bare metal applications, Layer 1 encryption to protect against physical network taps, and automated declarative policies to minimize or eliminate manual errors. The same approach works within the data center, throughout the cloud, and out to the most remote branch using a WAN, so the overall exposure surface is minimized.