Organizations around the world are choosing to move from traditional physical data centers to virtual infrastructure, affecting every layer in the data center stack. This change will not only yield a scalable and elastic environment, but will also be more sustainable and secure. This new converged data center, sometimes referred to as a software-defined data center (SDDC), is centrally managed, with capacity demand and resource allocation controlled from a single dashboard. Ensuring that the SDDC is sustainable and secure requires a new approach to IT, and nowhere is this more apparent than in the software-defined network (SDN).
Traditional data centers relied on perimeter-based network security appliances placed at strategic choke points on the physical network. The SDN’s ability to dynamically adapt, introduce new abstraction layers and avoid traditional routing necessitates a more comprehensive security implementation. Network security must be multifunctional and adaptive, ensuring that security controls can react to change events in the converged data center. This discussion focuses specifically on how SDN components offer new opportunities for improved network security controls and compliance, organizational changes as technologists’ roles shift, and considerations when implementing security controls in virtual compute and network architecture.
A Look at the New Converged Data Center
The new converged data center, or software-defined data center, is a data center in which all elements of the infrastructure—networking, storage, CPU and security—are virtualized and delivered as a service. Deployment, provisioning, configuration and operation of the entire infrastructure are abstracted from hardware and implemented through software. Network virtualization combines the available resources in a network by splitting the available bandwidth into channels, each independent of the others and each assignable to a particular server or device in real time.
The transitional process to reach a software-defined environment starts with understanding what technical capabilities will need to change. When most IT professionals think of SDN, it is usually in the context of the SDDC. An SDN without the proper security mechanisms in place leaves the data center professional with only a piece of the overall puzzle. The capability to manage capacity demand on the fly requires that the components that make up the architecture be standardized and support the methods of virtualization and automation. For example, unlike traditional networks that default to “open,” thus requiring firewalls to provide isolation and segmentation, SDN defaults to “closed.” Only when connections between devices are explicitly defined can they communicate. So firewalling and network-traffic monitoring functions, such as net-flow collection, must adapt. It makes little sense to build out a virtual network and then secure it with traditional perimeter-based devices that hinder the capabilities of the virtual fabric and undermine the automation process while providing little visibility into, or control over, inner virtual processes. Determining the correct technical controls is just as important as choosing the foundational equipment to support the virtual strategy. To maximize efficiencies and return on investment, organizations must architect a security strategy from inception as part of the software-defined environment.
New Opportunities for Network Security in the SDN
Software-defined networking promises highly efficient management capabilities coupled with simplicity and much faster execution, consuming the attention of vendors and consumers alike. There are many considerations when building out an SDN, one being security—a critical component that requires a new approach in the SDN. At a basic level, SDN is defined by the separation of the data plane from the control plane, enabling centralized software-based control. Commands from the controller are then communicated back to the data plane for execution on the switches and routers. Ultimately, this approach gives a full view of the network and lets the administrator make changes centrally, without a device-centric configuration on each switch or router. Although some vendors have taken a more immediate, tactical approach by providing direct access to the hardware via an API, this method does not allow for central control and is proprietary in nature.
Central control of the network is accomplished by the logical centralization of control-plane capabilities, enabling the network administrator to deal with a pool of network devices as a single entity. A global abstraction layer, rather than the individual devices programmed through the OpenFlow protocol, then controls network flows. Central command simplifies network administration by providing this single point of instruction and execution. Network allocation becomes achievable, with a more accurate view of flow demand and bandwidth constraints than ever. All of these capabilities will help with the ever-evolving challenges faced by today’s IT workforce; the opportunity that comes with ease of administration is the capability to secure the network and ensure compliance in a way that capitalizes on the fundamental concepts of SDN.
Ensuring that security controls are multifunctional and adaptive and can react to change events in the network is an essential component of the converged data center. Software-defined security (SDS) meets these needs and protects the network from within the virtual infrastructure. What distinguishes SDS from perimeter security are three characteristics: (1) the use of logical zoning that relies on SDDC APIs to (2) implement policy-based multifunctional software-defined controls for continuous monitoring and mitigation of risk, (3) deployed at the lowest possible level on the virtual switch fabric. Compliance can then be achieved through continuous monitoring of the security event stream against the appropriate control framework.
The concept of logical segmentation, or trust zones, is in line with the concepts of a software-defined data center. Trust zones are logical, flexible policy envelopes that continuously detect and assign all virtual machines (VMs) to groups. They are enabled by the tight integration of software-defined security with the SDDC APIs. This automated zoning mechanism ensures that all VMs are identified and assigned to a policy group, providing real-time perfect inventory and security coverage. Segmentation enabled by trust zones provides precise visibility and management of all virtual networks, network devices, system components and sensitive data in the cloud.
Trust zones can be aligned with SDN logical groupings such as Cisco Application Centric Infrastructure’s (ACI) use of end-point groups (EPGs). They can thus ensure that assets automatically inherit security policies set for the containers, where the containers can be defined as EPGs. Proper segmentation requires that even if an out-of-scope system component is compromised, it cannot affect the security of sensitive data in a trust zone. The automation around trust zones provides a crucial benefit as a compensating control against any ACI change that violates policy, since manual tracking is nearly impossible owing to rapid, continuous changes in virtual infrastructure. An additional benefit is independent audit and control to assure accurate inventory mapping, thus enabling automatic production of net-flow diagrams across all systems and networks. Manually mapping accurate net flow is impractical if not impossible in the converged data center.
Policies automatically assigned to virtual assets placed in trust zones enable centrally controlled software-defined security to automatically and deterministically enforce those policies to protect sensitive data wherever it may be processed, stored or transmitted in the virtual environment. Trust-zone membership is automatic and based on any attribute of the asset. Policy-based security controls are orchestrated in SDS, continuously monitoring network components in the entire virtual environment to ensure adherence to policies. The benefit of continuous monitoring is the ability to immediately spot changes that may compromise the security and compliance posture of an organization. Policies can include automatic mapping to regulatory standards and must include vulnerability management to include network-based checks on VM and hypervisor configuration. Alerts for security-policy violations can be followed by manual or automatic policy-based enforcement actions to mitigate risk and maintain compliance.
Software-defined security is deployed and managed at the lowest level, on the virtual switch fabric, ensuring the highest level of visibility and control over events in the software-defined network. Management from a single processing hub and interface gives organizations significant operational efficiencies, beginning with a simplified infrastructure to support security controls and compliance for the virtual environment. Software-based security has a minimal processing footprint and is easily hosted by existing IT platforms. Because the controls are multifunctional, organizations get systematic and maximum coverage without having to deploy and manage multiple tools. Automation of inventory tracking and monitoring, as well as accurate reporting, is available on demand. Converged data center technologists, as well as security and compliance professionals, can focus on a single interface, driving efficiency in the organization.
Approached in the manner of agile practice, with predetermined rules and policies applied and monitored automatically, security as software in the data center is adaptive and elastic. Investing in a software-defined environment only to impose legacy security methods will not only prove ineffective, but can also be detrimental to the security posture and compliance model. Consider that the compelling factor driving the transition to the SDDC model is the ability to instantaneously adapt to organizational needs and requirements. With this in mind, organizations should without question do the same with their security and compliance strategy.
Organizational Changes and Shifting Roles
With the advent of virtualization, changes in data center architecture have also led to shifting roles in the organization. Software-defined networking and software-defined security present an opportunity for existing IT personnel to embrace change and expand their portfolios. The software-defined data center is radically reshaping traditional IT responsibilities and roles for network administrators, security administrators and operations. For IT to function efficiently, these changes must be understood and managed. Rather than regarding the changes as reducing responsibilities or otherwise changing them for the worse, the software-defined data center is actually an opportunity to take on a larger scope, as the days of IT silos are over.
The integration of traditional operations and hypervisor administration with network and security management in the software-defined data center necessitates a workflow shift. The focus has turned away from workflow process management towards forward-looking development, supporting system enhancements and improvements. Historically, IT organizations have had multilevel approval processes for change control in the network topology and have dedicated resources to tuning devices or validating whether incidents are false positives. Applications have been based on the limitations of the network. Software-defined networks and security have reversed the focus. With the ability to institute predefined capabilities based on rules executed automatically, the network is now designed according to the needs of the applications. IT can spend less time on operations and more time building highly efficient applications. IT personnel can also contribute more to the organization by expanding their roles and becoming leaders in converged-infrastructure administration.
Five Key Considerations With SDN Adoption
As organizations plan to move to virtualized systems and software-defined networks, it is helpful to review the realistic challenges that they will face. To be able to take advantage of the benefits of a software-defined environment, architects should consider the following:
- Vulnerabilities: A converged network will inherit common operating-system vulnerabilities. Greater attention to patch management and configuration changes must be implemented. Continuous monitoring is critical and can be automated with the right tools in place.
- Access control: An SDN will have single points of compromise that lead to broader access. Strong access-control policies for authentication and authorization must be imposed on the system. It is best to use a role-based authorization mechanism to assign access levels, permissions and privileges.
- Failover: Design the SDN for failure, including adequate backups for speed to recovery, fault tolerance and failover capabilities.
- Control plane: The control plane requires elevated privileges. Manage the SDN control plane out of band, separating the path to it from the path for normal traffic. Remove all default configurations from SDN, as this is common information for those with negative intentions.
- Activity log: Implement a logging mechanism and net-flow analysis to track activity and report on compliance status. Continuous monitoring will ensure speed to resolution for any misconfiguration or unauthorized activity.
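The automatic trust-zone assignment and default-closed policy described above, together with the net-flow checking called for under “Activity log,” as one added Python illustration (this is not Catbird’s product code or any SDDC vendor’s API): each VM’s attributes decide its zone, the policy lists only the zone-to-zone flows that are permitted, and observed flow records are evaluated against it so that unexpected traffic, an unassigned VM, or an address the inventory has never seen each surfaces as a finding. The VM names, addresses, tags, zone rules and flow records are all constructed sample data; a real deployment would pull the inventory from the SDDC API and the flows from the virtual switch fabric.

```python
"""Attribute-based trust zoning with a default-closed flow policy.

Added illustration, not vendor code.  Every name, address, tag and rule
below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    ip: str
    attrs: dict  # tags as exposed by the (assumed) SDDC inventory API


# Zone rules are evaluated in order; the first match wins.  A VM matching
# nothing is still inventoried, in a quarantine zone that no policy entry
# allows traffic to or from, so an unknown asset never silently gains
# connectivity.
ZONE_RULES = [
    ("pci-db",  lambda a: a.get("data") == "cardholder" and a.get("tier") == "db"),
    ("pci-app", lambda a: a.get("data") == "cardholder" and a.get("tier") == "app"),
    ("dmz-web", lambda a: a.get("tier") == "web"),
    ("corp-db", lambda a: a.get("tier") == "db"),
]
QUARANTINE = "quarantine"

# Default closed: only (src_zone, dst_zone, dst_port) triples listed here are
# permitted; everything else is a policy violation.
ALLOWED_FLOWS = {
    ("dmz-web", "pci-app", 8443),
    ("pci-app", "pci-db", 5432),
}


def assign_zone(vm):
    """Zone membership is derived from attributes, never set by hand."""
    for zone, predicate in ZONE_RULES:
        if predicate(vm.attrs):
            return zone
    return QUARANTINE


def build_inventory(vms):
    """Map every VM address to (name, zone); nothing is left unassigned."""
    return {vm.ip: (vm.name, assign_zone(vm)) for vm in vms}


def evaluate_flows(inventory, allowed, flows):
    """Return one finding per observed flow that the policy does not allow."""
    findings = []
    for src_ip, dst_ip, dst_port in flows:
        src, dst = inventory.get(src_ip), inventory.get(dst_ip)
        if src is None or dst is None:
            # An address with no inventory entry means a workload exists that
            # zoning never saw; that gap is itself a finding.
            findings.append({"flow": (src_ip, dst_ip, dst_port),
                             "reason": "unknown asset"})
            continue
        src_zone, dst_zone = src[1], dst[1]
        if (src_zone, dst_zone, dst_port) not in allowed:
            findings.append({"flow": (src_ip, dst_ip, dst_port),
                             "reason": f"{src_zone} -> {dst_zone}:{dst_port} not permitted"})
    return findings


# Constructed inventory and flow records (not real addresses or hosts).
SAMPLE_VMS = [
    VM("web-01",  "10.0.1.10", {"tier": "web"}),
    VM("app-01",  "10.0.2.10", {"tier": "app", "data": "cardholder"}),
    VM("db-01",   "10.0.3.10", {"tier": "db",  "data": "cardholder"}),
    VM("report",  "10.0.4.10", {"tier": "db"}),
    VM("test-99", "10.0.9.10", {"owner": "dev"}),  # untagged: lands in quarantine
]

SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.10", 8443),  # web -> app: permitted
    ("10.0.2.10", "10.0.3.10", 5432),  # app -> cardholder db: permitted
    ("10.0.1.10", "10.0.3.10", 5432),  # web straight to cardholder db: violation
    ("10.0.9.10", "10.0.3.10", 22),    # quarantined VM -> cardholder db: violation
    ("10.0.8.8",  "10.0.2.10", 8443),  # address never inventoried: violation
]


def run_check(vms=SAMPLE_VMS, flows=SAMPLE_FLOWS):
    """One monitoring pass: rebuild the inventory, then evaluate the flows."""
    inventory = build_inventory(vms)
    return inventory, evaluate_flows(inventory, ALLOWED_FLOWS, flows)


if __name__ == "__main__":
    inv, findings = run_check()
    for ip, (name, zone) in inv.items():
        print(f"{name:8s} {ip:12s} zone={zone}")
    for f in findings:
        print("VIOLATION", f["flow"], f["reason"])
```

Re-running `run_check` on each inventory change is what makes the zoning continuous: re-tagging `db-01` without the `cardholder` attribute moves it to `corp-db` on the next pass, and the app-to-database flow that was permitted a moment ago becomes a finding, which is the kind of policy-violating change the article says manual tracking cannot keep up with.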
As is true with any technological movement, operations must adapt as data centers evolve. The key to adaptation in the software-defined network—and more specifically, the software-defined data center—is putting a plan in place that not only addresses infrastructure requirements, but also supports security and compliance policies. The virtual fabric introduces new vulnerabilities that can be managed with the right set of tools in place. Having the opportunity to implement security differently—and better—will pay dividends as security risks and compliance regulations increase. Perhaps most importantly, legacy processes can be dramatically improved on by boosting operational efficiency and promoting greater innovation as team members shift focus from process management to application development.
Security implementation and organizational opportunities faced by IT during the transition to converged data centers are daunting only because change is required. Solutions are available and continue to improve, supporting a more secure and solid virtual architecture than ever. It is essential to embrace the changes, and ultimately, both data centers and technologists will have a more competitive edge in their industries.
About the Author
Randal Asay joined Catbird as chief technology officer in September 2013, bringing over 15 years of experience in network security, architecture, design and implementation in a variety of retail and governmental environments. Randal has vast experience in the implementation of security practices relating to large enterprise solutions as well as e-commerce platforms.
Before Catbird, Randal served as a director of engineering at Walmart Stores Inc. In his time with the company he developed industry-leading code-analysis practices to support security and compliance initiatives, and contributed to the development of an outsourcing governance body. Randal served in numerous roles in the information security department, contributing to the enhancement of perimeter and network security as well as overall policy enforcement. In addition to his leadership in the information security domain, he led the e-commerce infrastructure teams through extensive growth, delivering capacity-management and technology-refresh methods ranging from network design to storage capacity and database tuning. Before Walmart, Randal focused on government agencies, serving the information assurance division of the United States Air Force with a focus on perimeter security, data security and incident response.
Randal received his bachelor of science degree from Weber State University, as well as his sequential master’s degree in information technology management and MBA from Webster University.