Effective Security Management
Software-defined infrastructure (SDx), along with the use of private and public cloud technology, is completely changing the way IT departments manage enterprise data centers and application workloads. Automation is a key component of software-defined networking (SDN), bringing network, server, storage, security management and other IT functional teams together to transform the data center from a hardware-focused to an application-focused environment.
In the past when organizations deployed new applications, the application owner needed to collaborate with several disparate teams. For example: one team was responsible for installing the required server hardware and operating systems, another team was responsible for connecting the new servers to the network, and yet another team was responsible for provisioning the security and firewall rules.
It was as if the stars, planets and moons (or in this case all the functional teams) had to align in order for all of the necessary components to be provisioned. Then, and only then, could the application owners start using the new infrastructure. The result was that it took weeks or even months before the infrastructure was ready and the new application could begin to be rolled out.
Today, private and public cloud infrastructures allow IT to automate these manually intensive operations: virtual machines are dynamically created and deployed, operating systems are quickly and easily provisioned, and connecting new services to the network is streamlined and automatic. As a result, pre-configured templates of commonly used and well-defined services are available to the application owner. With a single click on a self-service portal, applications can now be quickly provisioned across multiple data centers, within or among private and public clouds.
In this software defined world where new apps are instantly created or moved to a different location as the infrastructure gets provisioned, changed and elastically scaled based on demand, security officers are challenged to enforce security policies and retain full visibility of security incidents. In fact, security often lags far behind the application developer’s ability to provision new infrastructure since traditional security controls remain fixed at protecting the network perimeter and don’t easily extend into the highly dynamic and automated software defined infrastructure. As such, security remains a key challenge for organizations looking to get full visibility and control of their threat landscape and plug any vulnerabilities in their cloud-based environments.
It turns out the keys to getting control back are creating dynamic security policies, API scoping and security management consolidation.
Creating Dynamic Security Policies
Dynamic security policies in modern networks are achieved by close integration with network virtualization and public IaaS solutions like VMware NSX, Cisco ACI, OpenStack, AWS or Microsoft Azure. By tightly integrating with these solutions, objects defined by those systems, such as groups and tags, can be learned and used in network security policies. This allows for the creation of dynamic security policies where changes in the software-defined environment are immediately translated and instantly reflected in an effective and active security policy that is applied to all traffic automatically – without human intervention.
Exposed or published APIs in popular SDN or cloud service controllers provide the logical integration point for creating dynamic security policies. Data defined by the controller – such as security groups, VM or host names, tags, and more – can be exchanged with network security tools to create meaningful context for both security personnel and network administrators. Now, instead of arbitrary or meaningless IP addresses, the security in a software-defined network can leverage meaningful information about the network to ensure the right policies always follow application data and workloads – wherever they go.
Additionally, leveraging and populating this contextual information in log files gives security admins the ability to better understand and investigate any security incident. Security solutions for cloud-based networks must be able to integrate with leading cloud and network virtualization tools to not only provide advanced threat protection for both east-west and north-south traffic but also make use of dynamic cloud and other SDN objects in the security policy and logs for effective security management.
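The following is an added example, not code from the original article or from any vendor's product, showing what a tag-driven policy looks like in practice: rules reference controller-defined tags rather than addresses, the controller's inventory resolves addresses to workloads and tags at evaluation time, and each log record carries the workload name and tags alongside the bare IP. The inventory snapshot, tag names, rules, ports and the migration helper are all constructed for illustration; a real integration would fetch the inventory from the controller's API instead of a dictionary.

```python
"""Tag-driven (dynamic) security policy.

Added example, not code from the original article or any product.
The inventory snapshot, tag names, rules and flows are constructed for
illustration; a real integration would fetch the inventory from the
controller's API (NSX, ACI, OpenStack, AWS, Azure) instead of a dict.
"""
from __future__ import annotations

from copy import deepcopy
from dataclasses import dataclass

# Constructed controller snapshot: workload name -> current IP and tags.
INVENTORY = {
    "web-01":  {"ip": "10.1.1.10", "tags": {"tier:web", "env:prod"}},
    "web-02":  {"ip": "10.1.1.11", "tags": {"tier:web", "env:prod"}},
    "db-01":   {"ip": "10.2.1.20", "tags": {"tier:db",  "env:prod"}},
    "dev-box": {"ip": "10.9.0.5",  "tags": {"tier:web", "env:dev"}},
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_tags: frozenset[str]   # every listed tag must be present; empty = any
    dst_tags: frozenset[str]
    dst_port: int              # 0 = any port
    action: str                # "allow" or "deny"


# Rules reference tags, never IP addresses, so they follow the workload.
POLICY = [
    Rule("web-to-db", frozenset({"tier:web", "env:prod"}),
         frozenset({"tier:db", "env:prod"}), 5432, "allow"),
    Rule("default-deny", frozenset(), frozenset(), 0, "deny"),
]


def workload_for(inventory: dict, ip: str) -> str | None:
    """Resolve an address to the controller's workload name, if known."""
    for name, w in inventory.items():
        if w["ip"] == ip:
            return name
    return None


def tag_match(inventory: dict, name: str | None, wanted: frozenset[str]) -> bool:
    """A workload matches when it carries every wanted tag; no tags = wildcard."""
    if not wanted:
        return True
    return name is not None and wanted <= inventory[name]["tags"]


def evaluate(inventory: dict, policy: list[Rule],
             src_ip: str, dst_ip: str, dst_port: int) -> dict:
    """First-match evaluation; returns the decision plus an enriched log record."""
    src = workload_for(inventory, src_ip)
    dst = workload_for(inventory, dst_ip)

    def ctx(name: str | None, ip: str) -> str:
        tags = sorted(inventory[name]["tags"]) if name else []
        return f"{name or 'unknown'}({ip})[{','.join(tags)}]"

    for rule in policy:
        if (tag_match(inventory, src, rule.src_tags)
                and tag_match(inventory, dst, rule.dst_tags)
                and rule.dst_port in (0, dst_port)):
            return {
                "action": rule.action,
                "rule": rule.name,
                # The log line carries names and tags, not just bare addresses.
                "log": f"{rule.action.upper()} rule={rule.name} "
                       f"src={ctx(src, src_ip)} dst={ctx(dst, dst_ip)} port={dst_port}",
            }
    raise RuntimeError("policy has no terminal rule")


def migrate(inventory: dict, name: str, new_ip: str) -> dict:
    """Simulate the controller reporting a workload at a new address."""
    updated = deepcopy(inventory)
    updated[name]["ip"] = new_ip
    return updated


if __name__ == "__main__":
    print(evaluate(INVENTORY, POLICY, "10.1.1.10", "10.2.1.20", 5432)["log"])
    moved = migrate(INVENTORY, "db-01", "10.2.7.99")   # db-01 relocated by the platform
    print(evaluate(moved, POLICY, "10.1.1.10", "10.2.7.99", 5432)["log"])
    print(evaluate(moved, POLICY, "10.1.1.10", "10.2.1.20", 5432)["log"])
```

The point to notice is the last two calls: after the database workload moves, the same rule allows the flow to its new address with no policy change, and the old address, which no longer maps to any tagged workload, falls through to the default deny. A policy written in terms of IP addresses would have done the opposite.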
In order to completely automate the deployment of new applications, organizations need to grant developers access to APIs that in many cases involve modification of security policies. It is vital to ensure this access is scoped or limited appropriately; otherwise, a mistake by a developer could alter the security policy of the entire organization and leave it vulnerable to threats.
Example of scoping access to APIs:
The printer admin uses an app to add printers to the network, which involves modifying firewall rules through an API. The security policy must ensure that the printer application can only add new printers – nothing else – and only within the relevant network segments.
Incorporating sub policies in the security management solution is the best way to allow scoping API access down to a rule level, thus eliminating the possibility of inadvertently modifying the security posture and exposing the entire organization to new threats. This also ensures delegation of administrative duties down to specific use cases to streamline security management while maintaining oversight of all activities.
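To make the printer example concrete, here is an added illustration (not code from the original article or from any management product) of a sub-policy scope enforced by the management plane: the printer app's credential is bound to one policy section, one address range, a fixed set of services and a fixed set of actions, and every add or delete is checked against that scope before it touches the rule base. The section name "printers", the 10.5.0.0/16 printer segment, the rule contents and the `ApiScope`/`PolicyStore` classes are all constructed for this example; ports 9100 and 631 are the usual raw-print and IPP ports.

```python
"""Scoping API access to a single sub-policy.

Added example, not code from the original article or any product. The
"printers" sub-policy, the 10.5.0.0/16 printer segment and the rules are
constructed for illustration. A real management API enforces these limits
server-side against the caller's credential; ApiScope stands in for that.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FirewallRule:
    section: str      # sub-policy the rule lives in
    src: str          # CIDR
    dst: str          # CIDR
    port: int
    action: str       # "allow" / "deny"


class ScopeViolation(PermissionError):
    """Raised when a caller tries to change something outside its scope."""


@dataclass
class ApiScope:
    """What one API credential may do: one section, a set of segments,
    a set of services and a set of actions. Everything else is refused."""
    section: str
    segments: tuple[ipaddress.IPv4Network, ...]
    ports: frozenset[int]
    actions: frozenset[str]

    def _in_segments(self, cidr: str) -> bool:
        net = ipaddress.ip_network(cidr)
        return any(net.subnet_of(seg) for seg in self.segments)

    def check(self, rule: FirewallRule) -> None:
        if rule.section != self.section:
            raise ScopeViolation(f"section {rule.section!r} is outside scope {self.section!r}")
        for side, cidr in (("src", rule.src), ("dst", rule.dst)):
            if not self._in_segments(cidr):
                raise ScopeViolation(f"{side} {cidr} is outside the permitted segments")
        if rule.port not in self.ports:
            raise ScopeViolation(f"port {rule.port} is not a permitted service")
        if rule.action not in self.actions:
            raise ScopeViolation(f"action {rule.action!r} is not permitted")


class PolicyStore:
    """The management plane: every mutation is checked against the caller's scope."""

    def __init__(self) -> None:
        self.rules: list[FirewallRule] = []

    def add_rule(self, scope: ApiScope, rule: FirewallRule) -> FirewallRule:
        scope.check(rule)
        self.rules.append(rule)
        return rule

    def delete_rule(self, scope: ApiScope, rule: FirewallRule) -> None:
        # Deletion is scoped too: only rules in the caller's own section.
        if rule.section != scope.section:
            raise ScopeViolation(f"cannot delete rules in section {rule.section!r}")
        self.rules.remove(rule)


# Constructed scope for the printer-provisioning app: the "printers" section
# only, the printer segment only, raw-print (9100) and IPP (631) only, allow only.
PRINTER_SCOPE = ApiScope(
    section="printers",
    segments=(ipaddress.ip_network("10.5.0.0/16"),),
    ports=frozenset({9100, 631}),
    actions=frozenset({"allow"}),
)


def try_add(store: PolicyStore, scope: ApiScope, rule: FirewallRule) -> str:
    """Attempt a change and report the outcome as a string instead of raising."""
    try:
        store.add_rule(scope, rule)
        return "accepted"
    except ScopeViolation as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    store = PolicyStore()
    # A core rule that the printer app must never be able to touch.
    store.rules.append(FirewallRule("core", "0.0.0.0/0", "10.2.1.20/32", 5432, "deny"))
    print(try_add(store, PRINTER_SCOPE, FirewallRule("printers", "10.5.1.0/24", "10.5.0.7/32", 9100, "allow")))
    print(try_add(store, PRINTER_SCOPE, FirewallRule("core", "10.5.1.0/24", "10.5.0.7/32", 9100, "allow")))
    print(try_add(store, PRINTER_SCOPE, FirewallRule("printers", "10.5.1.0/24", "10.2.1.20/32", 9100, "allow")))
    print(try_add(store, PRINTER_SCOPE, FirewallRule("printers", "10.5.1.0/24", "10.5.0.7/32", 22, "allow")))
```

Only the first call is accepted; the others are refused for touching another section, for pointing at the database segment, and for opening a non-printer service. The scope is enforced where the rule base lives, not in the printer app, so a bug or compromise in the app cannot widen its own permissions.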
Security Management Consolidation
Consolidation of management functions is necessary to gain complete and holistic visibility of security policies and incidents across the entire organization’s infrastructure. Without management consolidation, incidents are difficult to identify, correlate and analyze across the various cloud networks, making it operationally impossible to secure these environments.
The new software-defined infrastructure is complex, constantly changing and being driven by functional teams who don’t always understand the security implications that come from defining new infrastructure. In addition, organizations still have physical or legacy networks to maintain. It is now more difficult than ever to get a handle on not only where data center traffic goes – north-south, east-west, virtual and physical, private and public cloud – but how exposed an organization’s infrastructure is to vulnerabilities and threats.
Cloud-based security solutions must be able to provide customers with a unified solution that consolidates policy management, visibility and reporting across private and public clouds – all from a single pane of glass. It should be intuitive and scalable enough to handle security deployments wherever customer data goes while providing detailed analysis and correlation of security events across the entire enterprise network.
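As an added illustration of the correlation step that consolidation makes possible (this is not code from the original article or from any product), the block below takes events from two differently formatted sources, a key=value line format from a private-cloud gateway and a JSON-lines format from a public-cloud gateway, normalizes both into one event schema, and then groups blocked events by client address so that a source seen hitting workloads in both clouds within a short window is flagged. Both log formats, all addresses, workload names and signature names are constructed for the example.

```python
"""Consolidating security events from two clouds into one correlated view.

Added example, not code from the original article or any product. The two
log formats and every event in them are constructed; real gateways have
their own schemas, and the point is the normalize-then-correlate step.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed private-cloud gateway log (key=value per line).
PRIVATE_LOG = """\
ts=1700000000 action=drop workload=web-02 env=prod sig=SQLi-attempt src=198.51.100.9
ts=1700000030 action=drop workload=web-02 env=prod sig=SQLi-attempt src=198.51.100.9
ts=1700000040 action=allow workload=web-01 env=prod sig=none src=203.0.113.5
"""

# Constructed public-cloud gateway log (one JSON object per line).
PUBLIC_LOG = """\
{"time": 1700000055, "verdict": "BLOCK", "instance": "api-01", "tags": ["env:prod"], "signature": "SQLi-attempt", "client": "198.51.100.9"}
{"time": 1700000070, "verdict": "BLOCK", "instance": "api-03", "tags": ["env:prod"], "signature": "scanner", "client": "192.0.2.44"}
"""


@dataclass(frozen=True)
class Event:
    """Common schema every source is mapped onto."""
    ts: int
    cloud: str        # which environment reported it
    workload: str
    signature: str
    client: str
    blocked: bool


def parse_private(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        events.append(Event(int(kv["ts"]), "private", kv["workload"], kv["sig"],
                            kv["src"], kv["action"] == "drop"))
    return events


def parse_public(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(Event(int(rec["time"]), "public", rec["instance"], rec["signature"],
                            rec["client"], rec["verdict"] == "BLOCK"))
    return events


def correlate(events: list[Event], window: int = 300) -> dict[str, dict]:
    """Group blocked events by client address across all sources and flag
    clients that were blocked in more than one cloud within `window` seconds."""
    by_client: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.blocked:
            by_client[e.client].append(e)
    report = {}
    for client, evs in by_client.items():
        clouds = {e.cloud for e in evs}
        span = evs[-1].ts - evs[0].ts
        report[client] = {
            "clouds": sorted(clouds),
            "workloads": sorted({e.workload for e in evs}),
            "signatures": sorted({e.signature for e in evs}),
            "count": len(evs),
            "span_s": span,
            "cross_cloud": len(clouds) > 1 and span <= window,
        }
    return report


if __name__ == "__main__":
    merged = parse_private(PRIVATE_LOG) + parse_public(PUBLIC_LOG)
    for client, summary in correlate(merged).items():
        print(client, summary)
```

Looked at in either log alone, 198.51.100.9 is a couple of blocked requests; only the merged view shows the same client probing the same signature against workloads in both clouds within a minute, which is the kind of finding the article's single-pane-of-glass requirement is meant to surface.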
By Yoav Shay Daniely