Software Defined Security

Adaptive, automated security for virtualized data centers

Traditional physical data center security architectures are rigid and complex. Classic network security has relied on stateful devices and on static machine and network identities that are challenging to work with and difficult to change. These limitations become acute in virtualized infrastructure, which is characterized by transience and mobility. The complexity is compounded further by the need to deploy a multitude of dedicated appliances to enforce any kind of defense-in-depth protection plan, forcing security, load balancing, and gateway services to co-exist and work seamlessly together - a tall order that rarely delivers.

Software-Defined Security, by contrast, introduces simplicity to the world of network security. In this model, protection is based on logical policies that are not tied to any server or specialized security device. Adaptive virtualization security is achieved by abstracting and pooling security resources across boundaries, independent of where the protected asset currently resides and making no assumption that the asset will remain in that location.

In a Software Defined Security (SDS) model, all security “devices” are managed and controlled through a common security policy language whose underlying rules are translated by software. The policy is tied to an asset, and many different policies may coexist within the same organization depending on the particular requirements of its people and resources. Security policies are executed automatically, allowing for quick response times while significantly reducing human error. In a software-defined security environment, it is easy to imagine assets of different “scopes” safely co-residing on the same virtualized host while being subject to very different, centrally controlled security policies.

There are several key attributes of software-defined network security:

  • Abstraction: Security is abstracted away from physical constructs such as stateful port firewalls and wire sniffers and replaced by a set of flexible controls, in the form of policy envelopes blanketing the virtualized (or physical) assets. Abstraction is the foundation for establishing common security models that can be deployed repeatedly without concern for underlying physical hardware capabilities.
  • Automation: As each asset is spun up or redeployed, its security policy follows it. Concerns about inadvertent operator error are reduced, as software-defined security can ensure that no asset is created without being automatically placed into a security trust zone. Role-based controls ensure that only properly privileged administrators can make modifications. SDS automation also means wire-speed reaction to anomalous security events, alerting and quarantining instantly as policy dictates. By contrast, traditional security is still heavily dependent on manual detection, action and administration.
  • Scalability and Flexibility: Eliminating dependencies on physical hardware and its expense means security can be deployed at a scale appropriate to each host hypervisor, growing in scope commensurate with business needs. Because this is software only, security policy is elastic and can extend across a cluster or an entire data center. It also means that security is available “on-demand”.
  • Control Orchestration: SDS is designed to integrate a range of network security controls (intrusion detection and prevention, vulnerability management, network segmentation, monitoring tools, and so on) into a single coordinated engine for intelligent analysis and action. Any number of security inputs can be funneled into a policy-driven orchestration system, greatly improving the accuracy of the data and the resulting action. Orchestration is critical for successful compliance enforcement, as all major compliance standards dictate a variety of controls as part of their specifications. Accomplishing anything like this level of orchestration in traditional, siloed, physical-security-based data centers is complex and expensive, as the various security devices rarely speak the same language and lack a single engine analyzing their feeds.
  • Portability: In a data center governed by Software-Defined Security, assets carry their security settings with them as they move or scale. ITsec and netsec personnel can “set it and forget it”.
  • Visibility: By virtue of being software and thus living within the virtualized infrastructure itself, Software-Defined Security dramatically improves visibility of network activity. Network administrators and security personnel can detect anomalous behavior that would be invisible to them with physical devices and can therefore thwart attacks and protect assets with a greater degree of accuracy. Network informatics are augmented by this additional data, and netflow mapping becomes more extensive and precise.
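The attributes above can be illustrated with a small policy model. This is an added example, not code from the page's author or any SDS product: asset names, host names, zone definitions and the admin role are all constructed. It contrasts a legacy rule keyed on the host (which silently stops matching after a migration) with a policy bound to the asset identity, which follows the asset, starts it in a restrictive zone, and can only be changed by a privileged role.

```python
"""Toy software-defined security policy engine (added example, constructed data)."""
from dataclasses import dataclass, field

# Legacy model: a rule bound to the physical host/location where an asset first ran.
LEGACY_HOST_RULES = {"hv-a": {"443"}}          # hypothetical host-bound allow list


@dataclass
class Asset:
    name: str
    host: str
    zone: str = "quarantine"  # automation: every new asset starts in a restrictive zone


@dataclass
class PolicyEngine:
    assets: dict = field(default_factory=dict)
    zone_rules: dict = field(default_factory=lambda: {
        "quarantine": set(),          # no traffic permitted until an admin assigns a zone
        "web": {"80", "443"},         # hypothetical zone definitions
        "db": {"5432"},
    })
    admins: set = field(default_factory=lambda: {"secadmin"})  # hypothetical role

    def create_asset(self, name, host):
        # Automation: an asset cannot exist without being placed in a trust zone.
        asset = Asset(name=name, host=host)
        self.assets[name] = asset
        return asset

    def assign_zone(self, actor, name, zone):
        # Role-based control: only privileged administrators may change policy.
        if actor not in self.admins:
            raise PermissionError(f"{actor} may not modify policy")
        if zone not in self.zone_rules:
            raise ValueError(f"unknown zone {zone}")
        self.assets[name].zone = zone

    def migrate(self, name, new_host):
        # Portability: policy is bound to the asset, so only its host changes.
        self.assets[name].host = new_host

    def allowed(self, name, port):
        # Enforcement is evaluated from the asset's zone, wherever the asset runs.
        return str(port) in self.zone_rules[self.assets[name].zone]

    def legacy_allowed(self, name, port):
        # Legacy comparison: the rule is looked up by current host, not by asset.
        return str(port) in LEGACY_HOST_RULES.get(self.assets[name].host, set())
```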