University of York improves data security with VMware NSX software-defined networking

Micro segmentation keeps vital data under lock and key

Although York was already a VMware shop, with VMware accounting for 85 percent of the organisation's server estate, the deployment was no small task - but it was necessary to reduce operational complexity and, importantly, bolster security. As with every organisation, universities are at increased risk of cyberattack, so NSX appealed to York on that front too.

"We had a segmented environment where different applications were hosted on physically separate environments," explains Dr. Arthur Clunes, assistant director of IT services at York. "This made it time-consuming to manage - while the lack of internally networked restrictions or firewalling also reduced security."

Using the microsegmentation available in software-defined networking allowed the university to be more flexible in how it stores and accesses its sensitive data. "This means our academics know their work is under lock and key - all student information and personal identification software will be completely secure, but we have operational flexibility in how this data is stored."

"With microsegmentation we have complete control over the individual workloads, and can automate specific security protocols at the hypervisor level - improving the traditional hard perimeter model of data centre security."

Network bottlenecks

Over 800 VMs support much of the university's critical operations - funding requests, file servers, timetabling, student records, database servers, virtual learning environments and more.

"Due to the growth of the university, the network had grown very rapidly over the last few years, and it was a good time to look at how we provided services and increase our efficiency substantially," says Clunes.

"Disparate networks meant it could be hard to deliver services quickly enough. As the organisation was speeding up, networking and security were becoming a bottleneck."

York is a research-intensive university with as many as 18,000 full-time-equivalent students, plus roughly 3,500 staff, and that number's growing, adds Clunes.

"We do research support, with some HPC support for researchers, but we also give researchers VMs that run on VMware," Clunes explains. "In terms of managing for teaching, we have a Virtual Learning Environment that runs on VMware, and then all the admin support processes - finance, payroll, HR, student records, identity management - all those run on VMware as well."

"We are very heavily virtualised," Clunes adds. "Databases are moving onto VMware - we have SQL Server on VMware - and we're just starting to put Oracle on VMware as well."

To Clunes, success with this deployment looks like properly firewalled and properly segregated firewalls. The other measure is using all of the automation features that VMware products afford. "It's driving savings in cost with staff time, and it's also improving security," he says.

"We took the opportunity not to do it quickly, but to do it right, to give us a really solid foundation moving forward."

While Clunes describes the deployment as a relatively lengthy process - the university built a new cluster from scratch and spent a sizable amount of time working automation around the deployment - it has also been "painless," he says.

"When it comes to moving the hosts across we're putting firewalls on them from day one. We're doing quite a lot of work as we move things across, rather than porting them over and going: 'Oh, well, we'll get around to it later' - we all know how that works out."

Security benefits

As mentioned, security was one of the key considerations. Of course, an NSX deployment is by no means impenetrable - but it's certainly helping, according to Clunes.

"The problem with security is you can only measure specific aspects of it, and we're only solving one particular problem," he says. "I can run up an insecure PHP web server and put it on NSX behind a lovely shiny software firewall, but it's still insecure.

"So success for this project is quite narrowly defined. We are aiming to segregate our data centre service from the rest of the network. That's the only piece we're trying to do - so we certainly wouldn't say that we were secure at the end of it, but we will be better."

Another benefit of NSX is the ease with which servers can be spun up and automatically dropped into firewall ruleset groups - it's another staff saving, plus it "saves us a lot of problems in trying to maintain those rulesets", Clunes says.

"I think every industry in every sector has seen an increase in attacks," he adds. "There's a big challenge for an institution like us in balancing the freedom of researchers to get on and do innovative and novel stuff which, by definition, is not amenable to central control. We're also ensuring they do that in a secure manner - I think there's a tension just inevitable in what we do do."

"We're a university, so we have an internet connection on a big firewall - we're quite restricted on the internet connection. But we have students on campus, we have students on wireless. They're segregated from the data centres but not to the same degree that the outside world is segregated.

"So really we wanted to improve our security posture. That was a big thing."


Stories by Tamlin Magee
