We’ve been writing a lot about the software-defined data center and hyperconverged infrastructure and how the benefits of increased agility, greater system utilization, and lower total cost of ownership are well known.
And while we have covered many of the security challenges associated with the software-defined data center, it is worth noting that it is not all bad news for security, especially when strategies and controls are adapted to these new environments.
One of the primary advantages of the software-defined data center is that it is easier to automate security. Because the software-defined data center is centrally managed and easier to automate, it is more straightforward for security professionals to put the right policies, controls and governance in place. This also means that the software-defined data center is much more dynamic and easier to change when system configurations or the risk posture change.
Theoretically this means that security is always able to adapt.
Practically speaking, however, enterprise security teams had better be sure that they are automating the right things in the right ways or security can go wrong rather quickly.
While the controller in a software-defined network is a juicy target for attackers, because it has insight into the topology of the network and data center infrastructure as well as all of the network traffic, that same vantage point is what lets controllers deliver, or assist in delivering, routing, firewall management and other capabilities.
Another security benefit of the software-defined data center is that security itself becomes more software-defined. Consider Network Function Virtualization (NFV), which we covered here and here. NFV isn't a security-specific technology; it is about decoupling any type of network function from the hardware layer by virtualizing it. This way, when security functionality is virtualized, it can be called upon on demand like any other virtualized or cloud service. The software-defined network controller can also benefit from NFV deployments.
This is all heading toward security controls that are fully abstracted from individual servers and managed on a policy basis across the entire enterprise. While that is beneficial, it also means data centers become more self-responsive and driven by policy that is coded in software. This way, when new attack techniques or vulnerabilities emerge, the enterprise can adapt immediately.
Further, because systems and network connections are dynamically configured in the software-defined data center, when actual attacks are underway the connections, server services, application configurations, and related parameters can be changed automatically or much more quickly than with traditional data center policy management strategies.
When looking at security applications for the software-defined data center, there are a number of capabilities enterprises should look for. The first is that the security application should be capable of working with all of the various modern environments: virtualized workloads, public and private cloud, software-defined networking, storage, and hyperconverged environments. Second, security should be offloaded to dedicated workloads so that business servers and workloads can focus on delivering the transactions they are meant to.
Finally, security should be centrally managed, so that every environment is governed uniformly and security policies are enforced based on real-world business risk.
All of this is how the software-defined data center and software-defined security will dramatically change how enterprises protect themselves, moving from (relatively) static security products and applications to more dynamic, deeply integrated, and programmable security defenses.