University of York improves security with VMware NSX software defined networking

Tamlin Magee | June 27, 2016
Micro segmentation keeps vital data under lock and key

"We took the opportunity not to do it quickly, but to do it right, to give us a really solid foundation moving forward."

While Clunes describes the deployment as a relatively lengthy process - the university built a new cluster from scratch and spent a sizable amount of time working on automation around the deployment - it has also been "painless," he says.

"When it comes to moving the hosts across we're putting firewalls on them from day one. We're doing quite a lot of work as we move things across, rather than porting them over and going: 'Oh, well, we'll get around to it later' - we all know how that works out."

Security benefits

As mentioned, security was one of the key considerations. Of course, an NSX deployment is by no means impenetrable - but it's certainly helping, according to Clunes.

"The problem with security is you can only measure specific aspects of it, and we're only solving one particular problem," he says. "I can run up an insecure PHP web server and put it on NSX behind a lovely shiny software firewall, but it's still insecure.

"So success for this project is quite narrowly defined. We are aiming to segregate our data centre service from the rest of the network. That's the only piece we're trying to do - so we certainly wouldn't say that we were secure at the end of it, but we will be better."

Another benefit of NSX is the ease with which servers can be spun up and automatically dropped into firewall ruleset groups - it's another staff saving, plus it "saves us a lot of problems in trying to maintain those rulesets", Clunes says.

"I think every industry in every sector has seen an increase in attacks," he adds. "There's a big challenge for an institution like us in balancing the freedom of researchers to get on and do innovative and novel stuff which, by definition, is not amenable to central control. We're also ensuring they do that in a secure manner - I think there's a tension just inevitable in what we do do."

"We're a university, so we have an internet connection on a big firewall - we're quite restricted on the internet connection. But we have students on campus, we have students on wireless. They're segregated from the data centres but not to the same degree that the outside world is segregated.

"So really we wanted to improve our security posture. That was a big thing."
