Traditional physical data center security architectures are rigid and complex. Classic network security has relied on stateful devices and on static machine and network identities (fixed IP addresses, VLANs, MAC addresses) that are hard to work with and hard to change. These limitations become acute in virtualized infrastructure, where workloads are transient and mobile. The complexity is compounded further by the need to deploy a multitude of dedicated appliances to enforce any kind of defense-in-depth plan, forcing security, load balancing, and gateway services to co-exist and work seamlessly together - a tall order that rarely delivers.
Software-Defined Security, by contrast, introduces simplicity to the world of network security. In this model, protection is based on logical policies that are not tied to any particular server or specialized security device. Adaptive virtualization security is achieved by abstracting and pooling security resources across boundaries, so that enforcement is independent of where the protected asset currently resides and makes no assumption that the asset will stay there.
In a Software Defined Security (SDS) model, all security "devices" are managed and controlled through a common security policy language, and software translates those high-level statements into the concrete rules each enforcement point applies. The policy is tied to an asset rather than to an address or a location, and many different policies can coexist within the same organization depending on the particular requirements of the people and resources in it. Policies are enforced automatically, which shortens response time and significantly reduces human error. In such an environment it is easy to imagine assets of different "scopes" safely co-residing on the same virtualized host while being subject to very different, centrally controlled security policies.
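The following is an added illustration of the model just described; it is example code written for this page, not code from any SDS product or vendor. It shows a minimal label-based policy engine: rules are written against asset labels, software renders them into concrete address-level rules for each host, and a workload can move to another host and address without the policy changing. The asset names, labels, hosts, addresses and the two-rule policy are all constructed for the example.

```python
"""Minimal software-defined policy engine (added example, not from the page).

Policy is expressed in terms of asset labels; addresses appear only in the
rendered per-host rules that a hypervisor firewall would actually apply.
All assets, labels, hosts and addresses below are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Asset:
    """A protected workload, identified by labels rather than by its address."""
    name: str
    labels: FrozenSet[str]
    host: str
    ip: str


@dataclass(frozen=True)
class Rule:
    """One policy statement written in terms of labels, not addresses."""
    src_label: str
    dst_label: str
    port: Optional[int]   # None matches any port
    action: str           # "allow" or "deny"

    def matches(self, src: Asset, dst: Asset, port: int) -> bool:
        return (self.src_label in src.labels
                and self.dst_label in dst.labels
                and (self.port is None or self.port == port))


# Constructed inventory: three workloads of two different scopes sharing one hypervisor.
INVENTORY: Dict[str, Asset] = {
    "web-1": Asset("web-1", frozenset({"role:web", "scope:pci"}), "hv-1", "10.0.1.10"),
    "db-1":  Asset("db-1",  frozenset({"role:db",  "scope:pci"}), "hv-1", "10.0.1.20"),
    "ci-1":  Asset("ci-1",  frozenset({"role:ci",  "scope:dev"}), "hv-1", "10.0.1.30"),
}

# Constructed policy: first matching rule wins; anything unmatched is denied.
POLICY: List[Rule] = [
    Rule("scope:dev", "scope:pci", None, "deny"),   # dev scope never reaches PCI scope
    Rule("role:web", "role:db", 5432, "allow"),     # web tier may reach the database
]

ConcreteRule = Tuple[str, str, Optional[int], str]  # (src_ip, dst_ip, port, action)


def evaluate(policy: List[Rule], src: Asset, dst: Asset, port: int) -> str:
    """Decide a single flow against the label policy (default deny)."""
    for rule in policy:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


def render_host_rules(policy: List[Rule], inventory: Dict[str, Asset],
                      host: str) -> List[ConcreteRule]:
    """Translate the label policy into address-level rules for one host.

    Only flows whose destination lives on `host` are rendered, because that is
    where the host's enforcement point applies them. Rules keep policy order so
    first-match semantics survive translation; a catch-all deny closes each list.
    """
    rules: List[ConcreteRule] = []
    for dst in inventory.values():
        if dst.host != host:
            continue
        for src in inventory.values():
            if src is dst:
                continue
            for rule in policy:
                if rule.src_label in src.labels and rule.dst_label in dst.labels:
                    rules.append((src.ip, dst.ip, rule.port, rule.action))
        rules.append(("0.0.0.0/0", dst.ip, None, "deny"))  # implicit default deny
    return rules


def migrate(inventory: Dict[str, Asset], name: str, new_host: str, new_ip: str) -> Asset:
    """Move a workload to another host and address; the policy is untouched."""
    old = inventory[name]
    inventory[name] = Asset(old.name, old.labels, new_host, new_ip)
    return inventory[name]


if __name__ == "__main__":
    inv = dict(INVENTORY)
    print("before move:", evaluate(POLICY, inv["web-1"], inv["db-1"], 5432))
    db = migrate(inv, "db-1", "hv-2", "10.0.2.20")
    print("after move: ", evaluate(POLICY, inv["web-1"], db, 5432))
    for r in render_host_rules(POLICY, inv, "hv-2"):
        print("hv-2 rule:", r)
```

The two things worth noticing are that `evaluate` never looks at an IP address, so the decision for `web-1 -> db-1` is the same before and after `db-1` is migrated to `hv-2`, and that `render_host_rules` is where the location-specific detail is produced: the same policy yields different concrete rule sets on `hv-1` and `hv-2`, and `db-1` and `ci-1` receive very different rules even while they share a hypervisor.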