Ah yes, ‘tis the season. Wherever you go, you’ll run into bell ringers, stores decorated way too early, and predictions of IT trends. We don’t make predictions, but we do look back at IT innovations of the year. Think of it as a progress report, a good way to get grounded and neutralize the pain of security breaches and loss of net neutrality.
Since we’ve been talking cybersecurity for the past several weeks, we’ll continue in that vein. Here are two security-related buzzwords that represent the promise of improved security in on-premises and cloud environments.
One of dozens of buzzwords making the rounds, software-defined security is an umbrella term for several related security approaches and solutions. Touted by enthusiasts as the “new wave of network security,” SDS is a flexible and increasingly popular way to secure data centers, workloads and containers.
SDS enables administrators to deploy protocols companywide with easily adjustable network maps from a software interface. The resulting increases in efficiency enable new rules to be set immediately across multiple devices and networks.
The market for SDS-related products and services is crowded and diverse. Newcomers compete cheek by jowl with household-name vendors of legacy hardware and software infrastructure products.
What’s happening now? Traditional, hardware-based access control technology has remained stagnant and fixated on endpoint status checks. Software-based security applications, on the other hand, are growing at an average annual rate of 34 percent. This rate seems a bit too good to believe, but the message is real: the move to software-defined infrastructures, including security, will remain strong for the next several years.
SDS use cases with the biggest growth potential include cloud security gateways, centralized cloud security management, hypervisor security and native IaaS/PaaS platform security tools.
Here’s the SDS status quo:
- The move is to detection and response. Recent SDS use cases reflect resources moving from a focus on prevention to detection, response, and remediation. That’s where the cybersecurity fight is today.
- SDS piggybacks on cloud capabilities. More and more organizations are adopting software and service-centric security solutions such as SDS, which can scale globally and seamlessly, without location-specific constraints.
- Who is signing up first? The growth of SDS reflects the shift to software and service-centric operating models and solutions within organizations. Early adopters include organizations with demanding security, compliance, and operations processes.
What to look for:
- Threat prediction is the battlefield of the future. And, quickly maturing big data analytics technology will support high-speed, high-volume data handling that threat behavior prediction demands. All that’s needed now are the messy implementation details…
- Room for improvement. SDS solutions need to scale across diverse networks (including the cloud) and make better access decisions based on more advanced trust criteria.
What’s hot today in SDS solutions reflects big changes, caused by powerful business and technical forces, such as:
- Bigger, more complex and more vulnerable systems. IT, security, and networking teams must protect larger, more complex networks that often operate in a hybrid cloud environment. Increasingly sophisticated attacks are forcing them to rethink their approach to security. The outcome of these changes is a move from hardware to software and service-centered operating models and solutions.
- More and more organizations are moving to the cloud. And, they want to take their security operations with them. Growing cloud use leads many enterprises to demand security solutions that are easy to manage, can be highly customized and provide security without the presence of any hardware.
- The SDS alternative rocks the boat. As the cloud computing environment matures, the number and variety of software-based tools and services threatens security hardware and infrastructure players.
- A move to simpler, faster, more agile security systems. Traditional security systems require more and more procedures to maintain an existing and increasingly obsolete security posture. An increasing number and variety of breaches proves how porous a network perimeter can be.
- Connected devices slow security to a crawl. The advent of the Internet of Things and “smart” everything creates explosive growth in the number of network access points. Traditional perimeter security solutions can’t keep up, so they fail to block untrusted users and devices from the network. The result: security team members must address breaches reactively.
Trading In Hardware for Software Controls
SDS is an approach to network security that uses programmable switches and controls to move as many network functions as possible from hardware devices and appliances to user-defined software. SDS methods and tools enable users to
- Set and change security protocols and rules quickly and without risk of human configuration mistakes.
- Automate network security maintenance tasks and threat response measures.
Yes, SDS works, but better in some environments than others. For organizations with relatively immature security environments, SDS solutions provide the biggest improvement in security. Organizations with more mature security programs might find that SDS controls alone are not enough. They might prefer the belt and suspenders approach—to add SDS solutions as an extra layer of security to their existing security infrastructure.
SDS solutions are especially useful in:
- Software-centric environments, which don’t rely on hardware or have little hardware implementation.
- Virtualized networks, which are scalable and easy to use for mid-sized to large organizations.
SDS tools improve security ops capabilities and enable administrators to set new restrictions, filters, and controls over various points of a network with less effort and cost than manual methods. Here’s why:
- Simpler security architecture. In physical data centers, security architecture is complex. It often requires multiple servers, specialized hardware devices, network identities, and more. In a software-defined model, security is based on logical policies. SDS does not rely on physical location of data; information can be protected anywhere it resides.
- Automated tasks and processes. Thanks to their independence from rigid hardware, SDS processes can be automated. When security rules are defined, new devices created within the environment can be protected automatically and controlled under the baseline security policy.
- Automating security reduces dependence on manual detection, response and administration effort. This adds up to less admin time and less chance of disruptive human error (configuration mistakes).
- More scalable and flexible. Virtualization enables scalability and flexibility. Removing hardware from security rules and processes makes it quick and easy to scale security up or down.
- Lower total costs. Virtualizing workloads eliminates the need for hardware, which is expensive to buy, upgrade, and manage. That’s why SDS is a cost-effective model that can be used and paid for in a pay-as-you-go manner. Heavy capital costs of physical network security are eliminated.
Microsegmentation is another umbrella term with an elusive meaning. In our case, it includes different methods that isolate and segment bits of a network to protect its data. This approach can stop attackers, who are already inside the system perimeter from moving laterally to other systems.
MS is not a class of security products or services. Instead, it’s a software-based approach to managing and securing network traffic in virtualized environments. So, the effectiveness and value of MS-based security solutions depend on how well product developers use MS capabilities.
For several years, security and networking professionals have been interested in the promise of software-defined networks and network virtualization blocking unwanted traffic from moving laterally through sensitive enterprise assets.
However, for some paying customers, that excitement might have turned to disappointment. As of July 2017, MS solutions are stuck at the bottom of the Gartner Hype Cycle trough. That means many customers are either disappointed in the value that their MS-based solutions provide, or they aren’t aware of the value.
Why? Performance might not be up to expectations, and over-the-top claims might be the culprit. Some marketing copy claims that MS-based products can segment down to individual workload. Some commentators consider this to be highly unlikely—it’s just too cumbersome a system to manage and maintain.
So, what’s feeding what might be genuine excitement?
- Interest moves to software security. More and more organizations are moving from perimeter-centric, hardware-based security to flexible, scalable security processes.
- More isn’t always better. More and more organizations have figured out that simply piling on more security products makes a network less secure.
- MS, security and virtualization are regarded as related approaches and tools. MS is getting attention as a way network virtualization can improve security. In fact, SDxCentral research has shown that security, and specifically MS used in security processes, drives adoption of network virtualization.
And what’s feeding the notion that there is value in MS-based solutions to begin with? Security stakeholders and professionals are looking for new solutions to new security challenges. Here are just three of the modern facts of network management life that create the pressure to find those solutions:
- Old solutions don’t work well anymore. The bad guys are getting smarter—and more innovative. Advanced threats bypass traditional firewalls and intrusion prevention methods, antivirus software, and anti-evasion methods. There’s also more interest in visibility and further segmentation of "east-west" traffic.
- Workloads come and go in seconds. Modern workloads (applications, containers and virtual machines) come, go and change their content in the blink of an eye. This goes beyond “dynamic.” It’s practically light-speed, and it makes traditional segmentation strategies nearly impossible to keep up with.
- Data centers are moving to the public cloud. Extension of data centers into the public cloud has encouraged a focus on software-based approaches for MS-based security.
All these situations create the need for fast, accurate and flexible management of oodles of network traffic.
In the spirit of “follow the money,” it’s best to follow the value—the lower effort and cost of securing a modern network. What about MS enables these money- and work-saving capabilities?
- Say hello to fast, flexible management. MS virtualizes a data center or network (that is, it chops up a software representation of the network into workable functional pieces and manages them with IT security rules). Segmenting the network in this way limits access and lateral movement of an attacker when traditional perimeter security is breached.
- Say goodbye to data management drudgery. MS enables security pros to define security rules by workload, application, virtual machine, operating system, or other characteristics. The ability to manage traffic centrally enables administrators to avoid repetitive, time-consuming tasks.
- Lower capital and support costs. One major benefit of MS is that it integrates security directly into a virtualized workload without requiring a hardware-based firewall, an approach that reduces capital and ongoing support costs.
- Avoid costs of a data breach. MS reduces the risk of an attack and its related costs by minimizing the possibilities for lateral movement in the event of a security breach. Loss of employee productivity, remediation costs and damage to one’s brand are just three examples of breach-related costs. With traditional networking technologies this is very hard to accomplish. With software-defined networking methods, this isn’t just possible but practical.
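To make the two ideas above concrete (rules defined by workload labels rather than by hardware or location, and new workloads being covered automatically once they carry the right labels, as the SDS section also claims), here is an added example of a minimal label-based microsegmentation policy evaluator. It is not code from the original post or from any vendor; the workload names, labels, ports and rules are constructed, and the default-deny stance and the `reachable_from` helper are assumptions about how such a policy engine behaves.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    labels: dict   # constructed labels, e.g. {"app": "shop", "tier": "web"}

@dataclass(frozen=True)
class Rule:
    src: dict      # label selector the source workload must match
    dst: dict      # label selector the destination workload must match
    port: int      # destination port the rule permits

def matches(selector, labels):
    """A selector matches when every key/value it names is present in the labels."""
    return all(labels.get(k) == v for k, v in selector.items())

def allowed(rules, src, dst, port):
    """Default deny: an east-west flow passes only if some rule selects both ends and the port."""
    return any(matches(r.src, src.labels) and matches(r.dst, dst.labels) and r.port == port
               for r in rules)

def reachable_from(rules, src, workloads, ports):
    """Everything src may reach: the lateral-movement surface if src is compromised."""
    return sorted((w.name, p) for w in workloads for p in ports
                  if w is not src and allowed(rules, src, w, p))

# Constructed policy: only the shop web tier may talk to the shop database, on its DB port.
RULES = [
    Rule({"app": "shop", "tier": "web"}, {"app": "shop", "tier": "db"}, 5432),
]

# Constructed workloads; note that nothing here refers to an IP address or a physical location.
WEB    = Workload("shop-web-1", {"app": "shop", "tier": "web", "env": "prod"})
DB     = Workload("shop-db-1",  {"app": "shop", "tier": "db",  "env": "prod"})
HR_DB  = Workload("hr-db-1",    {"app": "hr",   "tier": "db",  "env": "prod"})
# A web VM spun up later inherits the policy purely through its labels.
NEW_WEB = Workload("shop-web-2", {"app": "shop", "tier": "web", "env": "prod"})
ALL = [WEB, DB, HR_DB, NEW_WEB]

if __name__ == "__main__":
    # A compromised shop web node can reach only the shop DB port, not the HR database
    # and not its sibling web node, so lateral movement is limited to one hop.
    print(reachable_from(RULES, WEB, ALL, [22, 5432]))
```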
Administrators must rely on every system in a network or data center being highly secure. MS methods make this possible by embedding security functions throughout the system. And, with MS, security pros can ensure that data in microsegments will:
- Be available, no matter how the environment changes.
- Enforce protocols and rules in a consistent way.
- Adapt to new and changing situations.
MS is not a cure-all, but it is an intrinsic capability of a superior architecture, not just a feature of an extra security product that’s added to the stack.
Next Time: More security technology progress reports: cloud workload protection platforms, network traffic analysis and cloud access security brokers.