The smash hit Netflix series ‘Stranger Things’ centers around the mysterious disappearance of residents of Hawkins, Indiana. Those who vanish find themselves in a frightening, parallel nether-world called the ‘Upside Down’, where things are not exactly as they seem.
For some organizations, moving from physical hardware-based networks to SDx public or private clouds can feel similarly alien. While the familiar, conventional network construct still exists, the security infrastructure has disappeared since there’s no physical infrastructure to get to grips with. So what do they do next?
What makes SDx strange?
As we know, SDx stands for software-defined infrastructure. That is, rather than being structured around physical hardware – routers, switches, cabling and so on – SDx environments consist of virtual machines and networks, which may be wholly owned and managed by the business, in the case of private clouds, or wholly owned and managed by an external cloud provider, in the case of public clouds. Hybrid cloud models offer a combination of the two.
In a software-defined environment, new applications can be created, or existing ones moved to new locations, almost instantaneously. And it is this elastic scalability that makes SDx environments so different from their hardware-based forebears. These infrastructures are provisioned and changed, flex and contract on demand – potentially hundreds of times in a single day.
Automation is key feature that makes SDx environments so attractive and ultimately possible. Automation covers everything from expanding or defining new networks, storage and servers to – crucially – deploying security. Collectively, automation of these functions shifts the datacenter to being application-focused, rather than hardware-focused.
So, when it comes to the key features of this Upside Down world, we’re talking about characteristics like elastic scale, dynamism and automation. What is the impact of these new network characteristics to security management?
Security management in the Upside Down
Before enterprise datacenters were turned Upside Down by SDx, the deployment of a new application was a complex process involving numerous different parties and lots of time. Different personnel were responsible for installing server hardware and operating systems, for connecting new servers to the network, and for provisioning the necessary security equipment and policies. As such, deployment a new application could take weeks or even months.
The Upside Down features outlined earlier – elasticity, dynamic rates of change, and automation – have drastically sped up these processes. Pre-configured templates of frequently used services are even available to application owners, and they can provision applications across multiple datacenters and cloud environments with a simple click in a self-service portal.
In turn, this places huge pressure on security admins. Apps are created, moved or altered at lightning speed – which means that enforcement of security policies and visibility of security incidents also needs to move at lightning speed. But in practice, it often doesn’t. In too many SDx environments, security management trails the ability to automate the provisioning of new infrastructure, because traditional security controls are fixed at the network perimeter. To keep up with the elastic dynamism inside the SDx environment, security management needs to move inside that environment too. But how?
Security management in SDx environments, where physical hardware has disappeared and dynamic elasticity is the norm, depends on two key principles.
We’ve focused heavily on the rapid rates of change in SDx environments – how applications can be created and moved in seconds. Security provisioning and management absolutely must be equally dynamic if it’s to be both effective and a business enabler, rather than a road block on day-to-day operations.
Dynamism is achieved by close integration with the network virtualization and public infrastructure as a service (Iaas) solutions that underpin the SDx environment – whether Microsoft Azure, AWS, VMware NSX, OpenStack, Cisco ACI and so on. The objects defined by those solutions when provisioning applications – groups, tags, etc. – need to automatically feed into security management, so that any changes in the software-defined environment are automatically and immediately reflected in the security policies. Security management should not be based around arbitrary IP addresses – it needs to speak the same language as the virtualization technology on which the SDx environment is built. Manual management of security policies, or human intervention to ‘translate’ between the languages of security and virtualization, is not a viable option in this brave new SDx world.
Security management in SDx environments needs to be holistic. IT security needs comprehensive, real-time visibility into the entire environment – and it needs this visibility from a single pain of glass. Security management consolidation is essential if security incidents are to be effectively identified, correlated and analyzed across the various cloud networks that make up a typical SDx environment.
SDx environments are complex, continually shifting and changing, and the teams who manage applications across them may not necessarily be able to visualize the security implications of the changes they make. What’s more, physical hardware or legacy networks often remain in place alongside the virtualized environments. Collectively, this makes it remarkably difficult to track where datacenter traffic is going from and to – and to ascertain how exposed the infrastructure is to threats and vulnerabilities.
As such, effective security management in the SDx environment means having a unified solution that consolidates policy management, visibility and reporting across all physical, private and public cloud networks. It must be intuitive enough for all stakeholders to manage easily, scalable enough to handle security deployments wherever data goes, and analytical enough to offer detailed correlation of security events across the entire virtualized network. With this in place, security can be managed effectively in any environment – whether in the physical world, or in the Upside Down.