Building in Security by Default in Next Generation Data Center at NetApp
Derek Botti
As a certified application integration and security architect, I understand the traditional data center security approach to monolithic applications. The apps are typically heavily customized, inefficiently designed, and can reside on unpatched servers with poor admin control. Network port ambiguity can also exist because the app owners don't know what ports their apps run on. As a result, the app owners often instruct IT Security to open many ports.
In response, IT Security builds a hard, complex network security perimeter. This hard shell is intended to protect the internal applications from bad actors who hack unpatched servers or hosts to get into the Active Directory, escalate privileges, and move laterally. It is a complex approach and makes automation nearly impossible.
When designing our next generation data center (NGDC) as a DevOps platform inside NetApp, we wanted to build in security by default. From the beginning, we took every opportunity to build security into the platform and the applications themselves.
With our NGDC we have built-in secure code practices for development teams like software-controlled development workflows that require security features and checks. Automated application testing is done that includes security vulnerability tests that are tracked as defects throughout the application lifecycle management process. We restricted administrator capabilities while infrastructure agnostic containers allow hardened virtual machines. Network segmentation is done with only known, standard protocols.
The NGDC radically simplifies, although not fully eliminates network perimeter security. Instead, it allows us the ability to automate firewall perimeter security through Continuous Integration, Continuous Deployment (CI/CD) efforts that is software controlled and orchestrated. We run a series of QA tests during the CI/CD process currently and are looking to add extra tests in the future. Automation with the NGDC is helping us to lessen the burden of our security team.
The NetApp-on-NetApp blogs feature advice from subject matter experts from NetApp IT who share their real experiences using NetApp’s industry-leading data management solutions to support business goals. Visit www.NetAppIT.com to learn more.
Derek Botti
Derek is a Cloud & Application Security Architect at NetApp and is a certified application integration and security architect. He has experience in the development, implementation, and operation with cybersecurity, cloud infrastructures, and more. Derek has over 30 years of IT experience.