Software-Defined Security: The Missing Piece in Your SDDC Strategy
By Shishir Singh, VP, Network Security, Intel Security
It seems the stars are finally aligning to bring the much-promised benefits of the software-defined datacenter within reach of enterprise users. You know the promises: When our data centers are software-defined, we'll deliver new services faster, support business innovation with more agile IT, utilize existing infrastructure more efficiently and cost-effectively, and manage our operations more simply and centrally.
Because we need all of these things, most of us have taken the plunge into compute virtualization, and we've proven those benefits for ourselves. Each year more of us dip our toes into pools of virtual storage, and we're poised for the SDN deep dive. Slowly but surely we're gaining experience and building skills. We're learning to manage software-defined infrastructure, to scale and migrate workloads, to streamline operations with automation and orchestration. Piece by piece we're solving the puzzle of IT as a service.
We're One Piece Short of Secure IaaS
But as with all nearly complete puzzles, there's one piece missing, right in the middle of that beautiful blue sky. You see, we still don't have full-featured security that is as agile or automated as the virtual environments we need to defend. We do have a growing selection of virtualized security functions and appliances, but very few of them are tightly integrated with the controllers that orchestrate the virtual datacenter. We don't yet have the breadth of security solutions and ease of deployment required for true software-defined security in the SDDC.
Before we push critical workloads and data into a fully virtualized environment, we need to be sure they'll be there when we need them, that we can keep them safe from hackers, attackers, and the merely unauthorized. There are four things (at least) we need to think about when we consider security for the software-defined datacenter.
Will your virtual security functions interoperate seamlessly out of the box with the rest of your virtual infrastructure? Open source SDN controller APIs can still be challenging to work with, and commercial SDN APIs are often proprietary and may not play well with infrastructure from other vendors. If your security vendor hasn't done the work up front, you may find yourself coding custom APIs, writing workaround scripts, and manually reconfiguring security for every new workload change.
Once your organization's virtual security becomes more SDN-aware, remember your existing physical security controls. As your data embraces its newfound freedom of movement, it will no doubt cross the boundaries between your physical and virtual networks. Do you have an easy way to unify your security policies and postures across all of your networks? Again, look to your vendor to help solve administrative challenges as you embrace the brave new world of software-defined security.
Most of the traffic in a software-defined datacenter flows between virtual machines without ever crossing the datacenter perimeter or encountering a perimeter security sensor. Micro-segmentation is an effective strategy for isolating workloads and enforcing specific security policies within the virtual environment. This, however, requires virtual security solutions capable of enforcing different policy sets, even on traffic flows within a single physical host. Consider the needs of a multi-tier application when several components run on the same host, or the needs of different customer applications in a multi-tenant environment. Can your virtual security manage the complexity without constant manual reconfiguration?
Consider Advanced Threat Defense
When a virtual datacenter is micro-segmented using an SDN controller, each segment is typically secured at the perimeter with workload-specific access policies enforced by the controller's built-in virtual firewall. For many workloads, however, access control alone isn't enough. Additional layers of defense may be desirable, including intrusion detection and prevention, deep packet inspection, file reputation analysis, behavioral analysis, advanced threat defense, and bot detection. Software-defined security should include the ability to provide these defenses for any workload by steering traffic to the appropriate virtual security engines as their services are needed.
Take a typical three-tier application with web, application, and database tiers. Each component should have its own security policies, which are enforced at its segment perimeter. Inspection at the web tier will focus on malicious addresses, URLs, and stack vulnerabilities. Database security, in contrast, should protect its valuable information with more advanced inspection and data loss prevention capabilities. Software-defined security must enable such deep and customizable inspection simply, reliably, and automatically.
Scaling and migrating workloads dynamically is a core value of the SDDC, and your virtual security will have to mirror every move with the same degree of automation and accuracy. Whatever security controls a workload requires must remain attached, moving along with it in a perfectly choreographed pas de deux. Managing this manually will not be an option. So does your virtual security solution integrate with your virtual infrastructure controllers? Can you define security policy as a workload attribute that instantiates automatically with every instance, scales dynamically over time, and disappears without a trace when the application spins down?
Recommended: A controller-based approach to SDDC security
So what should we look for in a virtual security solution to be confident it's compatible with our virtualization platforms, supportive of micro-segmentation, and able to orchestrate?
Software-defined security requires more than virtual versions of physical firewalls and IPS appliances. Like other virtualization technologies, it needs a control framework to separate the security infrastructure (the virtualized security functions) from security infrastructure management (a security controller).
A security controller can synchronize change in the security infrastructure with change in the compute, storage, and network infrastructure by acting as a broker between the security functions, the virtual infrastructure controllers (especially the SDN controller), and security management applications. To be useful, it must have two essential attributes: seamless, built-in integration with most leading SDN controllers, and an open API for security function integration.
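The following is an added illustration, not code from the article or from any Intel Security product, of the controller model described here and of the three-tier micro-segmentation example above: security policy is attached to a workload as a tier attribute when the workload is instantiated, each flow is allowed or denied by the destination tier's policy set (even between workloads on the same host), allowed flows are steered through the tier's inspection chain, and the policy disappears when the workload spins down. The tier names, inspection engine names, and the `Controller` class are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Per-tier policy set: which source tiers may reach this tier, and the
# chain of virtual security engines its ingress traffic is steered through.
# Engine names are illustrative placeholders, not real product names.
TIER_POLICY = {
    "web": {"allow_from": {"internet"}, "inspect": ["ip-reputation", "url-filter", "ips"]},
    "app": {"allow_from": {"web"}, "inspect": ["ips", "dpi"]},
    "db": {"allow_from": {"app"}, "inspect": ["dpi", "dlp", "behavioral"]},
}


@dataclass
class Controller:
    """Toy security controller: binds a policy set to each workload by tier."""
    workloads: dict = field(default_factory=dict)  # workload id -> (tier, host)

    def instantiate(self, wid: str, tier: str, host: str) -> None:
        # Policy is a workload attribute: attaching it is part of instantiation.
        if tier not in TIER_POLICY:
            raise ValueError(f"no policy set defined for tier {tier!r}")
        self.workloads[wid] = (tier, host)

    def migrate(self, wid: str, new_host: str) -> None:
        # The policy travels with the workload; only the host binding changes.
        tier, _ = self.workloads[wid]
        self.workloads[wid] = (tier, new_host)

    def spin_down(self, wid: str) -> None:
        # Removing the workload removes its policy "without a trace".
        self.workloads.pop(wid, None)

    def evaluate(self, src: str, dst: str) -> tuple:
        """Return ('allow', inspection_chain) or ('deny', []) for a flow src -> dst.
        src is 'internet' or a workload id; dst is a workload id."""
        if dst not in self.workloads:
            return ("deny", [])  # unknown destination: no policy, nothing reachable
        dst_tier, _ = self.workloads[dst]
        if src == "internet":
            src_tier = "internet"
        elif src in self.workloads:
            src_tier = self.workloads[src][0]
        else:
            return ("deny", [])  # unknown source workload
        policy = TIER_POLICY[dst_tier]
        if src_tier not in policy["allow_from"]:
            return ("deny", [])
        # Same-host flows get the same decision and inspection chain as cross-host ones.
        return ("allow", list(policy["inspect"]))
```

Running `evaluate` on a web and app instance placed on the same host shows the segment boundary still being enforced there, while the database tier becomes unreachable as soon as `spin_down` is called on it.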
If a security solution delivers both the specific virtual security functions we need, and a controller that can synchronize our security infrastructure with the virtual environment, then we have all the essentials for software-defined security and a secure SDDC.