In the still early but euphoric days of the software-defined-everything universe, security is looking to get some of that loving, but not everybody is buying into the newest SD addition. While server virtualization has become the norm, and software-defined networks (SDNs) are moving up the Peak of Inflated Expectations on Gartner’s Hype Cycle, there are a lot of questions about software-defined security (SDS).
At the end of January, NetCitadel, founded in 2010 but only now going public, announced what it called the first software-defined security platform to orchestrate real-time dynamic updates of security policy and controls across security infrastructure in response to changes in cloud, virtual and physical environments. The key to SDS – and the reason why it is necessary – is the ability to apply automatic, consistent security policies and controls across heterogeneous infrastructures, said co-founder and CEO Mike Horn.
Existing security solutions are largely powered by manual processes, what Horn calls “Human Middleware”, and they can’t keep up with today’s dynamic networks. There was increasing pressure on IT to keep up, to do things much, much faster, he said. So NetCitadel created security orchestration, and built it into a platform. “The whole idea was bridging the gap between physical environments, virtualization and the cloud.”
The manual security approach is built on four processes, said Horn: know there is a change (detection); determine what the impact of that change is (analysis); determine what must be done to deal with those impacts (adaption); and then implement the solution, often with manually-introduced errors (deployment). According to Gartner, through 2018, more than 95% of firewall breaches will be caused by misconfigurations, not firewall flaws.
“We had to rethink the problem,” he said. “You couldn’t just throw boxes at it.”
NetCitadel’s solution is OneControl. “We go through all four phases by automating that infrastructure.”
Jon Oltsik, senior principal analyst and the founder of the Enterprise Strategy Group’s Information Security and Networking services, blogged that SDS might be the new marketing term, but as of a few months ago, he’s not buying it. ‘I don’t like this new term because:
• It doesn’t fit. In networking, SDN has a specific focus on making the network control plane programmable through APIs and protocols. OpenFlow goes even further by centralizing these functions through a server-based controller. Regardless of how you pull off SDN, you still need physical switches and ports that speak SDN. In other words, SDN is a new networking architecture, not just the movement of software from physical to virtual.
• It ignores physical security technologies. Remember when Check Point firewalls were regularly hosted on Sun servers? When this became too complex and couldn’t scale, large organizations replaced venerable Sun boxes with network appliances. Yes, we will need virtual security technologies capable of tagging along with mobile workloads, but these controls must complement rather than replace existing physical safeguards.
• Market realities trump marketing rhetoric. While the SDN buzz continues, the fact is that VMware’s $1.25 billion acquisition of Nicira was at least 10 times more than the entire SDN market. How big is the software-defined security market? Not very big at all.
Aside from service providers, I don’t see a lot of adoption of virtual security technologies, even in large IT shops. Why? Few organizations are anywhere near the dynamic IT model of Amazon, Google, or Zynga, so they continue to rely on network segmentation (subnets, VLANs), physical server zones, and network security controls. In fact, network security vendors like Check Point, Crossbeam, and Juniper are selling lots of high-end multi-service network security boxes that support this model.’
Analyst Edward Haletky, The Virtualization Practice, pondered how to use SDS, especially when security is often an afterthought, a bolt-on. Can security ever be 100% automated? Security can be automated, as Puppet Labs has proven, but can those measures be automatically tied to business logic and hybrid clouds, and protect the data while providing compliance, without human intervention? Can this security be invisible until needed instead of overly draconian?
Commenting on NetCitadel’s official debut, VP and Gartner Fellow Neil MacDonald blogged that four characteristics and four capabilities that arise from being “software defined” are the key to all software defined infrastructure, including security. The four foundational characteristics are: Abstraction – the decoupling of a resource from the consumer of the resource (also commonly referred to as virtualization when talking about compute resources); Instrumentation – opening up of the decoupled infrastructure elements with programmatic interfaces (typically XML-based RESTful APIs); Automation – using these APIs, wiring up the exposed elements using scripts and other automation tools to remove “human middleware” from the equation; and Orchestration – beyond script-based automation, automating the provisioning of data center infrastructure through linkages to policy-driven orchestration systems where the provisioning of compute, networking, storage, security and so on is driven by business policies such as SLAs, compliance, cost and availability.
The four capabilities enabled by these characteristics that are really driving the interest in “software defined everything” are: Agility – speed to respond by removing human middleware, speeding the ability of infrastructure to be provisioned; Adaptability – ability to change infrastructure usage to meet dynamically changing requirements and changing context – such as location, sensitivity of the data being handled and so on; Accuracy – by removing the human middleware component, reducing the chance for misconfiguration and mistakes by making infrastructure “programmable” and tying this into automation systems; and Assurance – confidence that what is deployed accurately meets your policy and compliance requirements.
These 4 characteristics and 4 capabilities that arise from being “software defined” are the key to all software defined infrastructure, including security. So when you hear the hype about “software defined X”, see if it delivers against the above characteristics and capabilities.
MacDonald added a fifth enabled capability: Alignment – by linking infrastructure provisioning to policy-driven orchestration systems that use business SLAs, imperatives, sensitivities, priorities, etc. to program the infrastructure accordingly — using business policies and priorities to govern infrastructure allocation and performance.
‘Ignore the hype and navel-gazing arguments on the definition of “software defined”. It’s all about the capabilities enabled.’
Horn doesn’t know if this year will see SDS make a real breakthrough, but he believes the pressure will continue to escalate as existing security solutions continue to fail. “Before, people were concerned about using security and automation in the same sentence. What we’re finding now, they’re saying if we don’t automate, bad things are going to happen, in fact are happening. It’s really starting to set in.”
The NetCitadel OneControl Security Orchestration Platform is a virtual appliance that automatically orchestrates security intelligence by mapping context about cloud, virtual and physical environments to security infrastructure and vendor devices, and enables network security policy changes to be implemented accurately in minutes rather than days or weeks, said Horn. The company says it is the industry’s only solution that separates the control plane from Policy Enforcement Points (PEPs), transforming existing security infrastructure into a context-aware environment that delivers intelligence about workloads from sources such as VMware vCenter and Amazon AWS to security infrastructure such as Cisco ASA and Juniper SRX devices, all through a single pane of glass that enables consistent security policies and enforcement across heterogeneous environments.
OneControl supports modular security options, of which the first two available are the Virtual Security Module and the Cloud Security Module that are sold as add-ons. Additional modules are expected later this year.