Traffic flows in two directions in the data centre. North-south traffic is data that enters or leaves the data centre, to or from a system that physically lives outside it and potentially in an entirely different geographic location. East-west traffic is data that flows between devices within a single data centre, such as servers or applications.
Ensuring that this type of data is secure can be a challenge for many organisations. A recent report from ESG found that the vast majority of organisations understand the importance of securing east-west traffic, but only 37% currently have and enforce east-west policies.
Monitoring and controlling east-west traffic is often an overlooked aspect of security programmes when data centres are on-premises. Implementing firewalls, intrusion detection and prevention systems and other controls at the data centre perimeter has given organisations control over north-south traffic, but not over traffic that never crosses that perimeter.
But the increase in virtualisation and cloud adoption has rapidly changed the architecture of the data centre and has led to a large increase in the amount of east-west traffic. Securing east-west traffic is now a priority for many organisations across a wide range of industries. Let’s take a look at some of the most common challenges with securing east-west traffic.
Expansion of hybrid multi-cloud environments
As hybrid multi-cloud environments have become more commonplace in recent years, securing east-west traffic has become more complicated: traffic that is east-west from the application's point of view now also moves in a north-south direction, on and off premises, between the data centre and the cloud.
This combined with the microservices-based nature of cloud-native applications makes east-west security an even greater concern. By default, cloud-native applications contain more discrete tiers than traditional client-server applications which makes inter-application east-west traffic more complex to secure.
Complex IT infrastructure
IT environments across many organisations, big and small, have become more complex over the last few years. Many are a patchwork of on-premises technologies, public cloud services, legacy applications and systems, and emerging technologies. As IT infrastructure grows in complexity, so does the task of securing east-west traffic.
In order to reduce the attack surface and mitigate the risks of a breach, it is imperative that organisations maintain deep visibility and granular control over east-west application traffic. Organisations that have adopted a hybrid multi-cloud approach to infrastructure should consider distributed IDS/IPS and micro-segmentation solutions.
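The two ideas above, telling north-south from east-west traffic and applying a micro-segmentation policy to the east-west part, can be made concrete with a small flow audit. The following is an added example written for this page, not code from MTI, VMware or NSX: it assumes a constructed data centre prefix (10.10.0.0/16), three constructed tier subnets (web, app, db), and a constructed default-deny allow-list of permitted east-west flows. Each flow record is classified by whether both endpoints are inside the data centre, and east-west flows that are not on the allow-list are reported.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed for this example: the on-premises data centre owns 10.10.0.0/16;
# any address outside it is treated as "outside the data centre".
DATA_CENTRE_PREFIXES = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed tier map: which subnet hosts which application tier.
TIERS = {
    ipaddress.ip_network("10.10.1.0/24"): "web",
    ipaddress.ip_network("10.10.2.0/24"): "app",
    ipaddress.ip_network("10.10.3.0/24"): "db",
}

# Constructed micro-segmentation policy (default deny): the only east-west
# flows permitted are web -> app on 8080 and app -> db on 5432.
ALLOWED_EAST_WEST = {
    ("web", "app", 8080),
    ("app", "db", 5432),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the data centre prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DATA_CENTRE_PREFIXES)


def classify(flow: Flow) -> str:
    """North-south if exactly one end is outside the data centre, east-west if
    both ends are inside; a flow with both ends outside never transits the
    data centre and is reported as 'external'."""
    inside = (is_internal(flow.src), is_internal(flow.dst))
    if all(inside):
        return "east-west"
    if any(inside):
        return "north-south"
    return "external"


def tier_of(addr: str) -> Optional[str]:
    """Map an internal address to its tier name, or None if it is in no tier."""
    ip = ipaddress.ip_address(addr)
    for net, name in TIERS.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> dict:
    """Apply the east-west allow-list to one flow. North-south flows are left
    to the perimeter firewall and are not judged here. An internal address
    that belongs to no known tier yields a key with None, which is denied."""
    direction = classify(flow)
    if direction != "east-west":
        return {"flow": flow, "direction": direction, "verdict": "perimeter"}
    key = (tier_of(flow.src), tier_of(flow.dst), flow.dport)
    verdict = "allow" if key in ALLOWED_EAST_WEST else "deny"
    return {"flow": flow, "direction": direction, "verdict": verdict}


def audit(flows):
    """Evaluate a batch of flows and return those the east-west policy denies."""
    return [r for r in map(evaluate, flows) if r["verdict"] == "deny"]


# Constructed sample flow records (the kind of summary a flow collector
# produces); these are not real captures.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.10.1.10", 443),     # internet -> web: north-south
    Flow("10.10.1.10", "10.10.2.20", 8080),     # web -> app: allowed east-west
    Flow("10.10.2.20", "10.10.3.30", 5432),     # app -> db: allowed east-west
    Flow("10.10.1.10", "10.10.3.30", 5432),     # web -> db directly: denied
    Flow("10.10.2.20", "10.10.1.10", 22),       # app -> web SSH: denied
    Flow("10.10.3.30", "198.51.100.7", 443),    # db -> internet: north-south
]

if __name__ == "__main__":
    for r in map(evaluate, SAMPLE_FLOWS):
        f = r["flow"]
        print(f"{f.src:>15} -> {f.dst:<15}:{f.dport:<5} {r['direction']:<12} {r['verdict']}")
```

Run against the sample flows, the audit reports two east-west violations (web reaching the database directly, and app opening SSH to web) while the two internet-facing flows are handed to the perimeter firewall. The point of the default-deny allow-list is that a flow between two internal hosts is only acceptable if someone has written it down as a tier-to-tier relationship; unknown subnets and unknown ports are denied rather than waved through.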
Inconsistent policy enforcement
The ESG report shows that 80% of organisations view east-west security enforcement in the cloud as important, but less than half currently enforce east-west traffic policies. One of the main reasons for this disparity is that providing consistency across a range of different environments currently requires a range of different security tools.
Consistent policy and enforcement across different environments are crucial to the success of any strategy for securing east-west traffic. In fact, 74% of respondents in the ESG report agreed that consistent policy enforcement was a top purchase consideration.
Using the wrong type of firewall
All firewalls are created equally, right? While on the surface that may seem to be the case, in reality it’s not true. There are several major differences between traditional, appliance-based firewalls that are designed to protect your network perimeter and distributed and scale-out internal firewalls that are designed to protect east-west traffic in your data centre.
While both types of firewall serve the same purpose and work towards the same goals of monitoring network traffic, detecting threats and blocking malicious activity, appliance-based firewalls monitor north-south traffic, which has different characteristics from east-west traffic. Traditional firewalls were never intended to protect both north-south and east-west traffic, and as such should not be used to secure east-west traffic.
Next Steps
Sophisticated security, agility and collaboration drive success in today’s digitally connected organisations, but network outage downtime, high costs of purchasing and maintaining physical networks and security vulnerabilities created by old networks can hinder your success.
As a VMware partner, here at MTI we offer a free virtual network Micro-Segmentation assessment to help you gain a clearer insight into your virtual network. We provide a detailed report that shows how the agility and flexibility of software-defined networking (SDN) technologies can improve network security and operational efficiency, and that highlights how VMware NSX can help you adopt automated and enhanced security.
Arrange your free security assessment for your VMware virtual networking environment to discover how your network traffic flows, identify security shortcomings and highlight improvement opportunities.