In a previous SecurityWeek column, I wrote about the security considerations for software defined networking (SDN). Whether or not SDN becomes the next evolution of networking, this new architecture clearly showcases the move towards a more dynamic and agile environment. In this constantly changing cloud environment, the most effective method to deploy network security will be via automation and orchestration systems and the ability to integrate these systems will become the key foundational feature for network security.
In a private cloud environment, applications and desktops are being virtualized at an unprecedented rate and scale. As the number of virtual machines (VMs) grows, automation and orchestration is no longer a “nice to have.” Configuring and managing multiple security devices by hand has become not only increasingly complex but also extremely inefficient and error-prone.
The ability to translate complex business and organization goals into a set of automated data center workflows is critical to not slowing down the application delivery process. It is also an essential part of making compliance and security requirements a lot easier to manage in a very dynamic environment. To fully realize the promise of private clouds or software defined data centers (as VMware defines it), the traditional IT infrastructure — in particular network security — needs to transform into agile and adaptive end-to-end automated processes.
Consider the process today — the VM IT administrator needs to deliver a particular application X. The actual application provisioning can be accomplished in minutes. However, the security implications of delivering this application extend the process significantly. First, of course, the VM administrator needs to go through the chain of approval to ensure the application is allowed. From a networking perspective, there may be specific policies that dictate which virtual LANs (VLANs) the application must be placed in. Then, the appropriate security policies need to be added or modified on a variety of network devices (switch ACLs) or network security appliances (firewall policies) that sit in the traffic flow.
The Trinity of Automation and Orchestration
The above process may become more efficient with software defined networking, but there are still three elements at play every time an application is delivered – virtualization, networking and security. In order to unlock the benefits of cloud computing, lower costs and accelerate IT agility, enterprises need a way to rapidly deploy the relevant network security services in lockstep with the fluid virtual compute layer, with full automation and orchestration among the virtualization, networking and security elements.
This requires a systems approach when thinking about network security. The delivery of an application can trigger a cascading series of actions to ensure that the application is delivered efficiently and in compliance with any regulatory requirements.
This also requires more efficient context sharing among three very diverse elements. For example, when a VM is instantiated or moved, one must consider how to share this specific action or the information about the application running on the virtual machine with other management systems. At the same time, while context sharing and automating the process of security insertion in the data center workflow is important, it’s equally important for the security IT administrator to maintain independent security policy creation.
It’s about the Applications
And of course, it’s all about the applications. Cloud is about the ability to deliver applications more efficiently. We’ve abstracted the physical server hardware from the applications themselves via server virtualization. Therefore, network security policies need to consider this problem from an application-centric view. Next-generation firewalls (NGFWs) now provide the ability to implement policies based on applications, users and content, and they can provide the appropriate hooks for automation and orchestration solutions. Extending this concept further, security policies need to carry more application-specific context, such as application containers, instead of having to map applications to more traditional networking concepts like IP addresses and fully qualified domain names (FQDNs).
One of the considerations in an automated and orchestrated cloud environment is the impact of compliance. In a very dynamic environment, when the configuration of applications, networking and network security are changing, how do you ensure that compliance regulations continue to be met? I believe the automation and orchestration flows actually assist in this regard, but the critical factor will be the understanding of how the various components work and the appropriate actions that are triggered.
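The three ideas above (context sharing when a VM is instantiated or moved, policies stated in application terms rather than IP addresses, and continuous compliance in a changing environment) can be made concrete with a small event-driven orchestrator. The following is an added example written for this column, not code from the author or from any vendor product; the event format, the application tags (`web`, `app`, `db`), the addresses and the "forbidden pair" compliance rule are all constructed for illustration. The security administrator owns the `policies` list independently; the virtualization layer only feeds VM lifecycle events, and concrete firewall rules are re-derived from current inventory after every event.

```python
"""Added example: application-centric policy orchestration (hypothetical design).

Policies are written against application tags. Concrete (src_ip, dst_ip, port)
rules are re-derived from the current VM inventory on every lifecycle event,
so a VM move never leaves a stale address-based rule behind, and a compliance
check can detect rules that drifted in outside the orchestrated workflow.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AppPolicy:
    """Policy stated in application terms, owned by the security administrator."""
    src_app: str
    dst_app: str
    port: int


@dataclass
class Orchestrator:
    policies: list = field(default_factory=list)
    inventory: dict = field(default_factory=dict)  # vm name -> (app tag, ip); fed by the virtualization layer
    firewall: set = field(default_factory=set)     # concrete rules (src_ip, dst_ip, port) at the enforcement point
    audit: list = field(default_factory=list)      # what changed and why, for the compliance trail

    def handle_event(self, event):
        """Consume a constructed VM lifecycle event and reconcile enforcement state."""
        kind, vm = event["type"], event["vm"]
        if kind == "vm_created":
            self.inventory[vm] = (event["app"], event["ip"])
        elif kind == "vm_moved":
            app, _old_ip = self.inventory[vm]          # the app tag travels with the VM
            self.inventory[vm] = (app, event["ip"])
        elif kind == "vm_deleted":
            self.inventory.pop(vm, None)
        else:
            raise ValueError(f"unknown event type {kind!r}")
        self.audit.append(("event", kind, vm))
        return self.reconcile()

    def _ips_for(self, app):
        return [ip for tag, ip in self.inventory.values() if tag == app]

    def reconcile(self):
        """Translate app-level policies into the concrete rule set for current inventory."""
        desired = {
            (s, d, p.port)
            for p in self.policies
            for s in self._ips_for(p.src_app)
            for d in self._ips_for(p.dst_app)
        }
        added, removed = sorted(desired - self.firewall), sorted(self.firewall - desired)
        self.firewall = desired
        self.audit.append(("reconcile", added, removed))
        return added, removed

    def _app_of(self, ip):
        for tag, vm_ip in self.inventory.values():
            if vm_ip == ip:
                return tag
        return None

    def compliance_check(self, forbidden):
        """Report concrete rules that no current policy explains or that break an app-level constraint."""
        violations = []
        for s, d, port in sorted(self.firewall):
            s_app, d_app = self._app_of(s), self._app_of(d)
            if s_app is None or d_app is None:
                violations.append(f"stale rule {s}->{d}:{port} references an address with no current VM")
            elif (s_app, d_app) in forbidden:
                violations.append(f"rule {s}->{d}:{port} lets {s_app} reach {d_app} directly")
        return violations


def demo():
    """Walk a constructed three-tier deployment through a VM move and a drifted rule."""
    orch = Orchestrator(policies=[AppPolicy("web", "app", 8080), AppPolicy("app", "db", 5432)])
    orch.handle_event({"type": "vm_created", "vm": "web-1", "app": "web", "ip": "10.0.1.10"})
    orch.handle_event({"type": "vm_created", "vm": "app-1", "app": "app", "ip": "10.0.2.10"})
    orch.handle_event({"type": "vm_created", "vm": "db-1", "app": "db", "ip": "10.0.3.10"})
    before = sorted(orch.firewall)
    # The app tier moves: old address-based rules are retired, new ones derived, no policy edit needed.
    added, removed = orch.handle_event({"type": "vm_moved", "vm": "app-1", "ip": "10.0.2.77"})
    # Simulated drift: a rule entered by hand outside the workflow, letting web reach db directly.
    orch.firewall.add(("10.0.1.10", "10.0.3.10", 5432))
    findings = orch.compliance_check(forbidden={("web", "db")})
    return before, added, removed, findings


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point to notice is the separation of concerns the column calls for: the virtualization layer shares context (events), the security administrator keeps independent ownership of `policies`, and `reconcile` is the one place where the two meet. Because the concrete rule set is always regenerated from inventory, the compliance check reduces to comparing what the enforcement point holds against what current policy can explain.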
I’ve used the analogy of cog wheels or gears working in tandem to describe this concept in the past. Engineering and understanding every gear in the ecosystem, and the impact of every action, will be required to ensure that compliance requirements continue to be met.
The Next Big Thing Is…
In summary, the next big thing for network security is automation and orchestration. It may not be sexy, but it will become the key enabler to truly realize the vision of your next-generation data center.
Related Reading: It’s All About the Applications
Related Reading: Network Security Considerations for SDN
Related Reading: Making Systems More Independent from the Human Factor
Related Reading: Software Defined Networking – A New Network Weakness?