4 Tips for Managing Security Across Microsegmented, Software-Defined Networks

Software defined networks (SDNs) provide elasticity, scalability and greater agility, while enabling more secure datacenters to be built.  They allow private cloud operations to become more like the public cloud, where network and security is managed end-to-end from an API base, with a security policy manager to rule them all.

Behind the rise of SDN

As a result there is little wonder that they are growing in popularity. This increasing prevalence of SDN in the enterprise network mix can be attributed to the range of benefits it delivers as organizations evolve their infrastructures. First, SDN can offer stronger security because it potentially enables more advanced network segmentation capabilities – in areas of the data center previously considered too expensive to handle, at significantly lower cost – compared with traditional hardware-based infrastructures.

Second, with SDN organizations can make network changes on the fly – as and when they are needed, rapidly isolating and re-routing traffic when problems occur. And with SDN, organizations can spend more time defining security policy and less time enforcing it as policies don’t need to be changed in multiple locations.

However, the flip side to all of these benefits is that complexity can pile up in SDN environments just as quickly as it does in on-premise networks – and where complexity goes, human error often follows. And as such Gartner predicts that by 2020 95% of cloud breaches will be due to human errors, such as misconfiguration, mismanaged credentials or insider theft, not provider-based vulnerabilities.

Understanding SDN security

This complexity is compounded by the fact that within SDN there are a range of security options available – depending on the vendors you are working with and the precise nuances of the network. These range from using virtual firewalls or host-based firewalls to using native security controls offered by the vendor, with each having its own strengths and weaknesses.

Regardless of which security controls you use it’s critical to remember that each come with their own pros and cons. For instance, with NSX dynamic objects you can logically define groups of machines that should fall under the same security policy. This simplifies policy definition – but complicates the visualization of said policies, because the network flows are not only within the virtualized datacenter, they also flow outside of it.

Similarly, networks that span multiple datacenters allow you to define the policy once for all datacenters – but again, they make policy visualization complex.

The upshot of all this is that ‘islands’ of SDN automation are likely to develop, which are automated in themselves, but do not cover the entire organization.

Four key recommendations

As such, managing security across next-generation datacenters depends on following four key principles.

1. Understand that a cloud approach brings new network security challenges – and possibilities. As such if you are following the same implementations in SDN environments as you are on premise, you’re probably not making use of full set of capabilities allowed by your platform.
2. Evaluate all the security controls you have in place (SDN, cloud, on-premise) and ensure that they meet your unique needs, consistently securing the entire network. This should be supported by the recruitment of bona fide cloud experts to your network security team. This is a specialist area, which requires specialist experience.3
3. Unify security management across your hybrid environment.  Failure to do this will result in unnecessary complexity and potential configuration errors, which can lead to major security vulnerabilities. This can be achieved by using a security policy management solution which provides a single pane of glass visibility of the entire network infrastructure and automatically implements policy across all areas of the network.
4. Automate as a matter of course. Automation is essential for supporting the agility that is likely to have been your main driver to SDN in the first place. Furthermore, it will remove the need to make cumbersome, error prone, manual changes to network and security processes policies every time a new application is deployed or a new server added. This is complex enough in on-premise networks, but in a SDN environment making changes manually quickly becomes impossible. A security policy management solution that automatically calculates, implements and documents all change processes, from connectivity discovery right through to security policy decommissioning, is therefore essential for SDN.

Achieving SDN security success

The software-defined network is undoubtedly different, and possibly more complex, than in an on-premise environment. However, the basic security principles remain the same in SDN environments as they do on premise, and with the right automation tools and processes, cloud security can be handled with the same visibility and control as they are in on-premise networks.

If you want to learn more, click here to watch my recent webinar on how to manage security in your next generation data center.