University of York improves data security with VMware NSX software defined networking
"We had a segmented environment where different applications were hosted on physically separate environments," explains Dr. Arthur Clunes, assistant director of IT services at York. "This made it time-consuming to manage - while the lack of internally networked restrictions or firewalling also reduced security."
Using the microsegmentation available in software defined networking allowed the university to be more flexible in how it stores and accesses its sensitive data. "This means our academics know their work is under lock and key - all student information and personal identification software will be completely secure, but we have operational flexibility in how this data is stored."
"With microsegmentation we have complete control over the individual workloads, and can automate specific security protocols at the hypervisor level - improving the traditional hard perimeter model of data centre security."
Network bottlenecks
Over 800 VMs support much of the university's critical operations - funding requests, file servers, timetabling, student records, database servers, virtual learning environments and more.
"Due to the growth of the university, the network had grown very rapidly over the last few years, and it was a good time to look at how we provided services and increase our efficiency substantially," says Clunes.
"Disparate networks meant it could be hard to deliver services quickly enough. As the organisation was speeding up, networking and security were becoming a bottleneck."
York is a research-intensive university with as many as 18,000 full time equivalent students, plus roughly 3,500 staff, and that number's growing, adds Clunes.
"We do research support, with some HPC support for researchers, but we also give researchers VMs that run on VMWare," Clunes explains. "In terms of managing for teaching, we have a Virtual Learning Environment that runs on VMware, and then all the admin support processes - finance, payroll, HR, student records, identity management - all those run on VMware as well."
"We are very heavily virtualised," Clunes adds. "Databases are moving onto VMware - we have SQL Server on VMWare - and we're just starting to put Oracle on VMWare as well."
To Clunes, success with this deployment looks like properly firewalled and properly segregated firewalls. The other measure is using all of the automation features that VMware products afford. "It's driving savings in cost with staff time, and it's also improving security," he says.
"We took the opportunity not to do it quickly, but to do it right, to give us a really solid foundation moving forward."
While Clunes describes the deployment as a relatively lengthy process - the university built a new cluster from scratch and spent a sizable amount of time working automation around the deployment - it has also been "painless," he says.
"When it comes to moving the hosts across we're putting firewalls on them from day one. We're doing quite a lot of work as we move things across, rather than porting them over and going: 'Oh, well, we'll get around to it later' - we all know how that works out."
Security benefits
As mentioned, security was one of the key considerations. Of course, an NSX deployment is by no means impenetrable - but it's certainly helping, according to Clunes.
"The problem with security is you can only measure specific aspects of it, and we're only solving one particular problem," he says. "I can run up an insecure PHP web server and put it on NSX behind a lovely shiny software firewall, but it's still insecure.
"So success for this project is quite narrowly defined. We are aiming to segregate our data centre service from the rest of the network. That's the only piece we're trying to do - so we certainly wouldn't say that we were secure at the end of it, but we will be better."
Another benefit behind NSX is the ease at which servers can be spun up and automatically dropped into firewall ruleset groups - it's another staff saving, plus it "saves us a lot of problems in trying to maintain those rulesets", Clunes says.
"I think every industry in every sector has seen an increase in attacks," he adds. "There's a big challenge for an institution like us in balancing the freedom of researchers to get on and do innovative and novel stuff which, by definition, is not amenable to central control. We're also ensuring they do that in a secure manner - I think there's a tension just inevitable in what we do do."
"We're a university, so we have an internet connection on a big firewall - we're quite restricted on the internet connection. But we have students on campus, we have students on wireless. They're segregated from the data centres but not to the same degree that the outside world is segregated.
"So really we wanted to improve our security posture. That was a big thing."