Questions Arise About Security for Cisco UCS

By Chris Preimesberger  |  Posted 2009-05-04


Cisco Systems made big news March 16 when it boldly announced that it was moving into the full-service data center systems business with its Unified Computing System.

But in all the hubbub of the UCS product launch, Cisco left something important out of the conversation: How is security for UCS going to be handled?

It turns out that there are, in fact, some real questions that need to be addressed.

To review, the Unified Computing System consists of a new data center architecture, a new application server (the Cisco UCS B-Series), and a new management software and services package. Cisco partners are providing most of the UCS components.

Intel's Xeon 5500 processors make up the UCS computing foundation. Longtime Cisco partners EMC and NetApp provide the storage hardware. BMC Software brings the only provisioning, change management and configuration software in the stack. Customers will have a choice of either VMware or Microsoft Hyper-V virtualization layers; systems integrator Accenture will help shape the individual product packages for customers.

Now we're back to that glaring omission involving security. With the main news focus being on Cisco entering a huge new business, little or nothing was said about the security aspect at the March 16 product launch.

Although EMC is a major partner in the storage component, its RSA Security subsidiary was not mentioned as being a part of this initiative. Neither were Symantec, McAfee, Iron Mountain or any other well-known security vendor.

What Will Secure Cisco UCS?

So, potential customers are wondering, who will be guarding the fort? How much security will Cisco itself provide?

"The idea of uniting compute, storage and networking capabilities as one system requires a common backbone - a fabric - so that administrators can 'see' and control what's happening throughout the system," Vik Desai, a veteran virtualization expert and the new CEO of Toronto-based Liquid Computing, told eWEEK.

Liquid Computing is a 3-year-old startup that will be among Cisco's competitors in the unified computing space.

"This requires an approach that goes beyond the simple connectivity offered by a networking provider that's simply repurposing existing technology used in 'cable-once' scenarios," Desai said. "I, for one, doubt that a vendor that has focused for 20-plus years on routing or switching can hope to appreciate, interpret or resolve the security implications resulting from the establishment of a broad networking fabric."

To deliver a full solution, especially in a cloud environment, the fabric must be intelligent enough to introduce new levels of application-aware security that common standards don't deliver, Desai said.

"The big players haven't even brought up the issue of security as yet, so I suspect that they haven't figured it out," he said.

Zeus Kerravala, analyst and senior vice president with Yankee Group, told eWEEK that Cisco certainly is expert at some aspects of security but isn't particularly known for others.

"Cisco sells more security than just a couple of companies," Kerravala told eWEEK. "Their security business is huge. A lot of it is VPN and firewall security, however."

Can Cisco Provide the Right Kind of Security?

But is this the kind of expertise that enterprises will be able to depend upon during the crunch-time production workloads that can make or break a business?

"This is an integrated solution, so I guess if you crack part of it, you crack all of it," Kerravala said. "There are other ways around this; I'm sure you could encrypt the disks. Looking back, though, I am a little surprised that with all the third-party vendors they brought in, there wasn't a security vendor that was part of it. It would have been good to have had a third party legitimize the security of it."

Cisco is a good security company when it comes to securing transport, Kerravala said, but he added that Cisco has never been proven to secure the data itself.

"All a [knowledgeable] hacker has to do to get into this UCS system is to hack into the [Cisco] switch, which controls the data flow and the data itself," Desai said. "For some [sophisticated] hackers, this is not that hard to do."

When asked about this, Brian Schwartz, Cisco director of product management for the UCS platform, pointed out the EMC-RSA relationship to eWEEK as a possible option for potential customers. Nonetheless, RSA is not a part of the original UCS initiative. But it is possible, certainly, that Cisco will bring in RSA as a security partner at a later date.

It also turns out that for other specific kinds of security that might be required in a UCS deployment, customers are expected to use their own existing server, storage and management security vendor, not one provided by Cisco itself.

"When we go out and talk to customers [about UCS], we tell them this: There are things in this system that we [provide that] add value, and there's a bunch of stuff that's essentially unchanged," Schwartz told eWEEK.

"There are a lot of standard best practices and solutions that we don't factor into solving customers' challenges. Built into the UCS Manager, however, we do have a sophisticated RBAC security system that handles both internal and external [network] authentication, that we've spent a lot of time on.

"This is very granular, to give people appropriate privileges, and also to support a full set of [standard] authentication devices. It supports LDAP (Active Directory authentication for server administrators) and others; on the network side, customers often use a Radius-type server or something similar. ... Most customers already have one of these systems in place, and what they want is for our system to fit into it gracefully," Schwartz said.

So, the bottom line is this: In the UCS scheme, Cisco will provide the built-in network protection through its UCS Manager.

However, if an enterprise wants to encrypt storage disks or desires high-end protection for its application, database, Web or any other type of servers, then the customer is on its own.
