The document discusses the need for new security models in highly virtualized data centers, emphasizing that traditional perimeter-based security methods are inadequate for dynamic virtual workloads. Holland Barry, CTO of Catbird, highlights the importance of a fluid, policy-based approach to security that can adapt to the transient nature of virtualized environments. The conversation also touches on the integration of security measures with emerging technologies like containers and the Internet of Things (IoT).

1. Catbird CTO on Why New Security Models are Essential
for Highly Virtualized Data Centers
Transcript of a BriefingsDirect discussion on how increased virtualization across data centers
translates into the need for new approaches to security, compliance, and governance.
Listen to the podcast. Find it on iTunes. Get the mobile app. Sponsor: Hewlett
Packard Enterprise.
Dana Gardner: Hello, and welcome to the next edition of the Hewlett Packard Enterprise (HPE)
IT transformation interview series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions,
your host and moderator for this ongoing discussion on IT transformation
and innovation -- and how that's making an impact on people's lives.
Our next hybrid-computing case study discussion explores how increased
virtualization across data centers translates into the need for new approaches
to security, compliance, and governance. Just as next-generation data centers
and private clouds are gaining traction, security threats are on the rise -- and
attack techniques are becoming more sophisticated.
Are yesterday’s perimeter-based security infrastructure methods up to the task? Or are new
approaches needed to gain policy-based control over all virtual assets at all times?
Here to explore the future of security for virtual workloads is Holland Barry, CTO at Catbird in
Scotts Valley, California. Welcome, Holland.
Holland Barry: Thank you. Good to be here.
Learn How
Cloud Protection Starts
With a Security-First Mindset
Gardner: Tell us why it’s a different picture nowadays when we look at data centers and private
clouds. Oftentimes, people think similarly about security -- just wrap a firewall around it and
you're okay. Why isn’t that the case? What’s new?
Barry: As we've introduced many layers of abstraction into the data center, trying to adapt those
physical appliances that don’t move around as fluid as the workloads they're protecting, it has
become an issue. And as people virtualize more and we go more to this notion of a software-
defined data center (SDDC), it has just proven a challenge to keep up, and we know that that
layer on the perimeter is probably not sufficient anymore.
Gardner: It also strikes me that it’s a moving target, virtual workloads come and go. You want
elasticity. You want to be able to have fit-for-purpose infrastructure, but that's also a challenge
when you can’t keep track of things and therefore secure them.
Page 1
Gardner

2. Barry: That’s absolutely right. The transient nature of workloads themselves make any type of
rigid enforcement from a single device pretty tough to deal with. So you need something that
was built to be fluid alongside those dynamic workloads.
Gardner: And I suppose, too, that enterprise architects that are putting more
virtualization together across the data center, the SDDC, aren’t always culturally
aligned with the security folks. So you have more than just a technology issue
here. Tell us what Catbird does that goes beyond just the technology, and perhaps
works toward a cultural and organizational benefit?
Greater skill set
Barry: Even just from an interface standpoint or trying to create a tool that can cater to those
different administrative silos, you have people who have virtualization expertise, compute
expertise, and then different security practice expertise. There are many slim lanes within that
security category, and the next generation set of workloads in the hybrid IT environment is going
to demand more of a skill set that can span all those domains.
Gardner: We talk a lot about DevOps and SecOps combining. There's also this need for
automation and orchestration. So policy-based seems to be really the only option to keep up with
the speed on security.
Barry: That’s exactly right. There has to be an application-centric approach to how you're
applying security to your workloads. Ideally that would be something that could be templatized
or defined up front. So as new workloads present themselves in the network, there's already a
predetermined way that they're going to be secured and that security will take place right up
against the edge of that workload.
Gardner: Holland, tell us about Catbird, what you do, how you're deployed, and how you go
about solving some of these challenges.
Barry: Catbird was born and raised in virtualized environments. We've
been around for a number of years. It was this notion of bringing the
perimeter and the control landscape closer to the workload, and that’s via
hypervisor integration and also via the virtual data-path integration. So it's having a
couple of different vantage points from within the fabric and applying security with a purpose-
built solution that can span multiple platforms.
So that hybrid IT environment, which is becoming a reality, may have a little bit of OpenStack, it
may have a little bit of VMware. Having that single point of policy definition and enforcement is
going to be critical to people adopting and really taking the next leap to put a layer of defense in
their data center.
Page 2
Barry

3. Gardner: How are you deployed, you are a software appliance yourself, virtualized software?
Barry: Exactly right. Our solutions are comprised of two components, and it’s a very basic hub-
and-spoke architecture. We have a policy enforcement point, a virtual machine (VM) appliance
that installs out on each hypervisor, and we have a management node that we call the Control
Center. That’s another VM, and those two components talk together in a secure manner.
Gardner: What’s a typical scenario? Where in this type of east-west traffic virtualization
environment, security works better and how it protects? Are there some examples that would
demonstrate where the perimeter approach breaks down would but your model got the task done?
Doing enforcement
Barry: I think that anytime that you need to have the granularity of not only visibility, but
enforcement -- I'm going to get a little technical here -- down to the UUID of the vNIC, that
smallest unit of measure as it relates to a workload, that’s really where we shine, because that’s
where we do our enforcement.
Gardner: Okay. How about partnerships? Obviously you're working in an environment where
there are a lot of different technologies, lots of moving parts. What’s going on with you and HPE
in terms of deployment, working with private cloud, operating systems, and then perhaps even
moving toward modeling and some of the HPE ArcSight technology?
Barry: We have a number of different integration points inside HPE’s portfolio. We're a Helion-
ready certified partner. We just announced our support for the 2.0 Helion OpenStack release.
Learn How
Cloud Protection Starts
With a Security-First Mindset
We're doing a lot of work the ArcSight team in terms of getting very detailed event feeds and
visibility into the virtualized workloads.
And we just announced some work that we are doing with HPE’s HPN team around their
software-defined networking (SDN) VAN Controller as well, extending Catbird’s east-west
visibility into the physical domain, leveraging the placement of the SDN controller and its
command over the switches. So it’s pretty exciting work there.
Gardner: Let’s dig into that a bit, the (SDN) advances that are going on and how that’s changing
how people think about deployment and management of infrastructure and data centers. Doesn’t
this really give you some significant boost in the way that you can engage with security, intercept
and stop issues before they propagate? What is it about SDN that is good for security?
Page 3

4. Barry: As the edges of what has traditionally been rigid network boundaries become fluid as
well, knowing the state of the network, knowing the state of the workload, is going to be critical
to applying those traditional security controls. So we're really trying to tie all this together -- not
only with our integration with Helion, but also utilizing the knowledge that the SDN Controller
has of the data path. We can surface indications that compromise and maybe get you to a
problem a little bit quicker than traditional methods.
Gardner: I always like to try to show and not just tell. Do you have any examples of
organizations that are doing this, what it has done for them, and why it’s a path to even greater
future benefits as they further virtualize and go to even larger hybrid environments?
Barry: Absolutely. I can’t name them by name, but one of the US’ largest carriers telcos is one
of our customers. They came to us to solve a problem of that consistency of policy definition and
enforcement across those hybrid platforms. So it’s amongst VMware and OpenStack workloads.
That's not only for the application of the security controls and not only for the visibility of the
traffic, but also the evidence of assurance of compliance, being able to do mapping back to
regulatory frameworks and things like that.
Agentless fashion
There are a couple of different use cases in there, but it’s really that notion where I can do it in
an agentless fashion, and I think that’s an important thing to differentiate and point out about our
solution. You don’t have to install an agent within the workload. We don’t require a presence
inside the OS.
We're doing it just outside of the workload, at the hypervisor level. It’s key that we have the
specific tailored integrations to the different hypervisor platforms, so we can abstract away the
complexity of applying the security controls where you just have a single pane of glass. You
define the security policy and it doesn’t matter which platform you're on, it’s going to be able to
do it in that agentless fashion.
Gardner: Of course, the march of technology continues, and we're not just dealing with
virtualization. We're now talking about containers, micro-services, composable infrastructure.
How will your solution, in conjunction with HPE, adapt to that, and is there more of a role as you
get closer to the edge, even out into the Internet of Things (IoT), where we're talking about all
sorts of more discrete devices really extending the network in all directions?
Barry: As the workload types proliferate and we get fancier about how we virtualize, whether
it’s using a container or a virtualization platform, and then the vast amount of IoT devices that
are going to present themselves, we're working closely with the HPE team in lockstep as mass
adoption of these technologies happens.
Page 4

5. We have plans in place to solve platform by platform, and we believe taking an approach where
we're looking at that specific problem and asking how we're going to attack this thing while
keeping that bigger vision of, "We're still going to keep you in that same console and the method
in which you apply the security is going to be the same."
Containers are a great example, something that we know we need to tackle, something that’s
getting adopted in a fashion far more than I have ever seen with anything else. That’s a pretty
exciting one. But at the end of the day, it’s a way of virtualizing a service or micro-services.
We're aware of it, and I think our method of doing the security control application is going to be
the one that wins.
Gardner: Pretty hard to secure a perimeter when there really isn’t a perimeter.
Barry: Perimeter is quickly fading, it seems.
Learn How
Cloud Protection Starts
With a Security-First Mindset
Gardner: OK, we'll have to leave it there. We've been exploring how increased virtualization
across data centers translates into the need for new approaches to security, compliance, and
governance. And we have seen how policy-based control over all virtual assets provides a greater
protection and management for next-generation data centers. So a big thank you to our guest,
Holland Barry, CTO at Catbird. Thank you, Holland
Barry: Pleasure to be here. Thank you.
Gardner: And a big thank you to our audience as well for joining us for this Hewlett Packard
Enterprise transformation and innovation interview. I’m Dana Gardner, Principal Analyst at
Interarbor Solutions, your host for this ongoing series of HPE-sponsored discussions. Thanks
again for listening, and come back next time.
Listen to the podcast. Find it on iTunes. Get the mobile app. Sponsor: Hewlett
Packard Enterprise.
Transcript of a BriefingsDirect discussion on how increased virtualization across data centers
translates into the need for new approaches to security, compliance, and governance. Copyright
Interarbor Solutions, LLC, 2005-2016. All rights reserved.
You may also be interested in:
• Redmonk analysts on best navigating the tricky path to DevOps adoption
• DevOps by design--A practical guide to effectively ushering DevOps into any
organization
Page 5

6. • Need for Fast Analytics in Healthcare Spurs Sogeti Converged Solutions Partnership
Model
• HPE's composable infrastructure sets stage for hybrid market brokering role
• Nottingham Trent University Elevates Big Data's role to Improving Student Retention in
Higher Education
• Forrester analyst Kurt Bittner on the inevitability of DevOps
• Agile on fire: IT enters the new era of 'continuous' everything
• Big data enables top user experiences and extreme personalization for Intuit TurboTax
• Feedback loops: The confluence of DevOps and big data
• IoT brings on development demands that DevOps manages best, say experts
• Big data generates new insights into what’s happening in the world's tropical ecosystems
• DevOps and security, a match made in heaven
• How Sprint employs orchestration and automation to bring IT into DevOps readiness
Page 6