Intel Security Controller Aims To Better Secure OpenStack Clouds

TOKYO—In a virtualized data center or a cloud deployment, simply putting a firewall or a network security device at the perimeter isn’t enough. It’s an area in which Intel Security is active, and the company discussed its efforts at the OpenStack Summit here in a session titled “Inserting Advanced Network Security in OpenStack Clouds” on Oct. 29.

In any data center or cloud deployment, what is often referred to as “East-West”—that is, traffic inside the actual data center or cloud—is typically more than traffic in and out of the data center (often referred to as North-South traffic). The East-West issue isn’t the only challenge to cloud security. There are also challenges dealing with virtual machine migration and the need for different policies for different workloads, noted Jacob Sendowski, product manager at Intel Security Group, during the session. That’s where the Intel Security Controller effort comes into play.

“The Intel Security Controller is an abstraction between the virtual infrastructure management pieces, which are OpenStack and an SDN [software-defined network] controller like MidoNet and the security functions themselves,” he said. MidoNet is an open-source SDN technology developed by Midokura.

Firewall

The security functions inserted by the Intel Security Controller could include firewall or intrusion prevention system (IPS) capabilities. Sendowski said that the virtual security functions should not need to worry about what type of environment they are plugged into, but rather they should just know how to receive packets and then map the right policy to the traffic flow.

Sendowski explained that there is an application image that is associated with the security function that is registered with the OpenStack Glance image repository. From there, it can be deployed via an OpenStack Nova compute API call whenever an organization decides it needs to deploy security to a particular stack. The overall goal is to enable security at a micro-segmentation level on a cloud network.

That means anywhere an organization can create a logical boundary, a security service can be inserted to inspect traffic and apply security policies.

The Intel Security Controller is not an SDN solution, which is why Intel is partnering with Midokura. Midokura’s MidoNet can enable and create the micro-segmentation of a given network or cloud applications.

Pino de Candia, CTO of Midokura, explained that an organization just needs to define polices, then associate workload groups with those policies.

While MidoNet is open-source, the Intel Security Controller is not. The plan, however, is to make the technology open-source, likely at some point in 2016, according to Sendowski.

Another effort under way at Intel to further extend the technology is integrating it with the Intel TXT (Trusted Execution) technology to enable security verification and hardware attestation.

“This effort is really all about bringing security in an agile way to an agile environment,” Sendowski said.

Originally published on eWeek.