For operators of multi-tenant data centers, segmentation of computing environments is not just important; it is fundamental to their operating model. First, they need to separate their own infrastructure from their clients’ environments, sharing certain resources while preventing access to others. Second, they need to prevent “cross-contamination” among their clients’ respective environments, whether accidental or malicious. That includes preventing a successful breach or malware infection from spreading from one client’s environment to others. Finally, within the provider’s own operational applications, a good level of separation is required to limit the impact of a potential breach. Looking deeper into data center providers’ operational networks, there are three scenarios in which segmentation, if done well, can significantly improve security posture and reduce costs.
- Separating operational networks (DCIM, BMS, etc.) from the enterprise network (the provider’s internal systems, which include billing) and customer networks.
- Reducing the risk of lateral movement inside the operational network, which contains many hard-to-patch systems (building management controllers, for example) that become easy pivot points for an attacker if they are not isolated from one another.
- Creating efficient and secure connectivity between customer-facing networks and the backend networks they depend on. The DMZ that hosts the customer portal, for example, needs tightly scoped access to data from operational networks (reading the power status, for instance) and from enterprise networks (reading billing information) without exposing either network any further.
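The three scenarios above can be written down as one default-deny segmentation policy and tested before it is pushed to a firewall. The following Python is an added example written for this page, not code from the original article or from any data center provider: the zone address ranges, host addresses, ports and the rule table are all hypothetical assumptions chosen to illustrate the policy, and the model evaluates only new connection attempts at zone boundaries.

```python
"""Added example: a default-deny zone segmentation policy for the three
scenarios in the text. All addresses, ports and rules are hypothetical."""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan. The operational network is split into DCIM and
# BMS subnets so that traffic between them must cross the policy boundary
# (scenario 2); the DMZ, enterprise and customer zones are separate (scenario 1).
ZONES = {
    "enterprise": ["10.1.0.0/16"],    # provider's internal systems, incl. billing
    "dcim":       ["10.20.1.0/24"],   # operational: DCIM servers
    "bms":        ["10.20.2.0/24"],   # operational: building management controllers
    "dmz":        ["192.0.2.0/24"],   # customer portal lives here
    "customer":   ["10.100.0.0/16"],  # tenant-facing networks
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_hosts: tuple = ()   # optional narrowing to specific source hosts
    dst_hosts: tuple = ()   # optional narrowing to specific destination hosts
    note: str = ""


# Explicit allowlist; any cross-zone flow not listed here is denied.
ALLOW = [
    # Scenario 3: only the portal host may read power status from one DCIM API.
    Rule("dmz", "dcim", "tcp", 443, ("192.0.2.10",), ("10.20.1.5",),
         "portal -> DCIM read API"),
    # Scenario 3: only the portal host may read billing from one enterprise service.
    Rule("dmz", "enterprise", "tcp", 8443, ("192.0.2.10",), ("10.1.5.20",),
         "portal -> billing API"),
    # Scenario 2: DCIM polls BMS controllers over BACnet/IP; nothing else crosses.
    Rule("dcim", "bms", "udp", 47808, note="DCIM -> BMS polling"),
    # Scenario 1: staff reach operational systems only through a jump host.
    Rule("enterprise", "dcim", "tcp", 22, ("10.1.9.9",), note="jump host -> DCIM ssh"),
    Rule("enterprise", "bms", "tcp", 22, ("10.1.9.9",), note="jump host -> BMS ssh"),
]


def zone_of(ip: str):
    """Map an address to its zone name, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return None


def evaluate(src: str, dst: str, proto: str, dport: int) -> tuple:
    """Decide a new connection attempt: returns (decision, reason)."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return ("deny", "unknown zone")
    if sz == dz:
        # Intra-zone traffic never reaches the zone boundary; in a real
        # deployment host firewalls or VLAN ACLs handle it.
        return ("allow", f"intra-zone {sz} (not enforced at the boundary)")
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) != (sz, dz, proto, dport):
            continue
        if r.src_hosts and src not in r.src_hosts:
            continue
        if r.dst_hosts and dst not in r.dst_hosts:
            continue
        return ("allow", r.note)
    return ("deny", f"default deny {sz} -> {dz}")


def exposed_pairs() -> set:
    """Zone pairs with at least one permitted cross-zone flow. Reviewing this
    set shows whether any rule lets customer or operational zones initiate
    connections inward, which none of the scenarios should require."""
    return {(r.src_zone, r.dst_zone) for r in ALLOW}


if __name__ == "__main__":
    for flow in [("192.0.2.10", "10.20.1.5", "tcp", 443),   # portal reads power status
                 ("192.0.2.11", "10.20.1.5", "tcp", 443),   # other DMZ host: denied
                 ("10.20.2.7", "10.20.1.5", "tcp", 22),     # BMS -> DCIM lateral move
                 ("10.20.1.5", "10.1.5.20", "tcp", 8443),   # ops -> enterprise: denied
                 ("10.100.3.4", "10.20.1.5", "tcp", 443)]:  # tenant -> ops: denied
        print(flow, "=>", evaluate(*flow))
```

The value of writing the policy this way is that the zone matrix is reviewable as data: the `exposed_pairs()` set should never contain a pair whose source is the customer zone or whose destination is the enterprise zone from an operational zone, and a failing check on that set is cheaper to catch here than after a rule lands on a production firewall.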