Tame the Network and Security Challenges of a Data Center Migration
The Tufin Orchestration Suite is essential to a well-planned, well-executed migration
www.tufin.com
Introduction
Data center migration plans are high on the list of key projects for many CIOs these days. Migrating company applications from one location to another, or from one platform to another, represents a lot of risk for an organization. Still, many companies undergo the arduous process with the expectation that it will result in significant efficiency and business agility.
There are numerous reasons why companies undergo a data center migration. For many businesses, it is part of an IT cost reduction initiative. Data centers, particularly older ones with a 1:1 ratio of applications to servers, are very expensive to operate and maintain. Companies may have obsolete legacy hardware or software platforms that are no longer supported by vendors, leaving them little choice but to migrate to a modern infrastructure. Companies that have gone through mergers or acquisitions may be looking to consolidate multiple data centers into one or just a few in order to eliminate redundancy and to attain the cost efficiencies expected by combining companies.
Another huge driver for data center migrations is to increase business agility by utilizing cloud and virtualization technologies and services that can be quickly provisioned and adapted to rapidly changing business needs. Many companies today are taking their applications out of a traditional on-premise data center and moving them to the cloud, whether it be a public, a private or even a hybrid cloud.
Regardless of the reason a company has, or the destination platform it chooses, data center migration and consolidation projects can offer the opportunity to meet many business needs, including improving the organization's security and compliance posture.
Despite the fact that many organizations are undertaking such a major transition, few people in IT today have legitimate experience going through an entire migration project. People who did the hands-on work during the last great migration period, the one that led companies from mainframes to client/server computing, have mostly retired or moved on to other roles in their organizations. As a result, their knowledge and experience in how to plan and execute a complex data center migration is lost to history.
According to Gartner, 70% of data center migrations will incur significant time delays or unplanned downtime, largely due to improper planning. This figure is based on more than 300 client interactions Gartner has had in the past four years in which data center migrations were discussed. [1]
[1] David Cappuccio, Gartner, Inc., "Data Center Migrations - Five Steps to Success," 26 March 2014
"A well-planned migration often becomes a well-executed migration, and a well-executed migration is often much faster, end-to-end, than one that is run in an ad hoc manner." David J. Cappuccio, Gartner analyst
A data center migration is an exercise in risk mitigation. It takes superior planning and execution to make the transition in a timely fashion and with little to no business disruption. Gartner analyst David Cappuccio wrote: "A well-planned migration often becomes a well-executed migration, and a well-executed migration is often much faster, end-to-end, than one that is run in an ad hoc manner." [2]
The data center security policy layer is often the most challenging to replicate between data centers and even cloud environments. These policies are the central nervous system of an organization's entire data center, which makes policy analysis and configuration control absolutely essential throughout the migration process. The company that wants to ensure a successful migration will take advantage of tools that automate the process of planning for, predicting and testing the impact of changes to security and network devices, even before those changes are actually made.
This white paper looks at how the Tufin Orchestration Suite helps companies discover their applications and the associated dependencies, as well as plan, predict and execute changes at the network security layer of their data center migration.
Data Center Migration Challenges
A large-scale migration project can be one of the most risky and complex undertakings an enterprise can experience. The challenges are myriad, but there are three universal challenges inherent in every migration project.
Discovery of Application Dependencies
The organization must fully discover all of the application service dependencies, even for applications that are not considered part of the migration project because they can have unknown or undocumented relationships and dependencies. If a server is being moved from data center A to data center B, or from physical server A to virtual server B, there are many components that depend on that server. For example, perhaps there is an application running on that server and there is another secondary application that communicates with a database which is on this server. If the database is going to move elsewhere, then the secondary application is going to stop working because the application code has it hard-coded somewhere that the database is located on a specific IP address.
Closely related to this issue is the need to identify business ownership of the applications. It's common that many applications currently running in an organization's data center have been running there for many years. The people who know the details of these applications might not even work for the company anymore. It's not that unusual to have an application where no one really knows precisely how it is working. This isn't terribly important as long as everything is working as expected, but if there's a stoppage for any reason, the application owner will want to know why.
[2] Ibid.
It's quite hard to understand what applications exist and what dependencies they have in the network. In many organizations the configuration management database (CMDB), which should contain an accurate version of this information, isn't actually up to date. At the same time, this is critical information to have because without it, the organization has a big risk of having business downtime.
Gartner says this discovery and identification phase is really a risk assessment phase and it's one of the most important stages of the migration planning process. It entails doing a detailed evaluation or audit of exactly what needs to be moved, when and how. David Cappuccio of Gartner writes: "This phase takes a detailed look at applications, network requirements, and most importantly, dependencies between applications and the cascade effects on application delivery and business impact if an application fails to migrate correctly." [3]
Minimal Impact on Business During the Migration
The ideal scenario is to be able to migrate all necessary hardware, software, applications and services with no discernible impact on business operations. This includes making the required changes to the network and security policies. The people who are doing the migration are typically given scheduled periods of time in which they are expected to complete all necessary work. Failure to adhere to this window of time might have a negative impact on business and would certainly reflect poorly on the competence of the migration team. Consequently, the team members need to have better predictability in the process of moving things from one platform to another, as well as a good level of certainty that they can accomplish what they need to do in the allotted time.
For instance, the team might be given a four-hour window to cut over business operations from an application that has been running in a legacy data center to a parallel application that is running in the cloud. The migration team expects their work should take less than four hours but they want to allow extra time in case problems arise. Before doing the cutover, they look for ways to shorten the migration process and also to have more certainty in predicting what work is required for this critical process. During the migration, they want to have good visibility and control so they know exactly what's going on.
Security, Risk and Compliance
While the entire migration process is fraught with risk (what if something goes wrong and business is disrupted?), the more long-term concern is about risk and security issues that might be introduced as applications move from one platform to another. For example, in moving from a legacy data center to a virtualized environment, physical firewalls may give way to the virtualized version, which may be something the operations team is not yet completely comfortable with. The challenge for the migration team is to make sure that, as they are moving things around, they are actually improving the organization's security posture and they are not adding new risks to the mix.
[3] Ibid.
With regard to the network aspect of the new platform, the team is especially concerned about risks from misconfigurations and from policies not being fully implemented or even up to date. A firewall change to enable connectivity of an application that has been migrated from one environment to another is a potential risk to security and business continuity. For example, it's not uncommon for security and networking teams to first focus on enabling connectivity in the new environment in order to make sure the business applications are working. For this they often configure their firewall and routers with an over-permissive security policy which focuses on connectivity rather than security. They plan to go back later and fix this but unfortunately they never get around to tightening their security policies. Consequently they end up with a more vulnerable network.
Migration teams need visibility into how making such changes will impact everything else. Now consider that a data center migration can easily involve hundreds or even thousands of applications and the magnitude of the challenge becomes quite large.
Maintaining compliance is another issue. Every business of a significant size is compelled to comply with at least one government or industry mandated regulation, whether it be the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley, the Gramm-Leach-Bliley Act (GLBA), the Health Information Portability and Accountability Act (HIPAA), or any number of others. Companies often have internal regulations as well. The regulations and standards relating to information security put an emphasis on compliance and the regular auditing of security policies and controls. While regulatory and internal audits cover a broad range of security checks, the firewall is featured prominently since it is usually the first line of defense between the public and the corporate network. The task of maintaining compliance is difficult, at best, in a multi-vendor environment, and the additional burden of migrating from one platform to another compounds the challenge of adhering to regulatory requirements. Once again, this process requires good visibility before, during and after the migration.
Technology Challenges
One of the great benefits of a new data center is the new technologies that are being implemented today, whether it's cloud, virtualization or SDx ("software defined anything"). These technologies offer tremendous flexibility which helps an organization gain business agility. Now it's possible to adapt the computing infrastructure quickly to meet changing business needs. Never