Software-defined networks (SDNs) provide elasticity, scalability and greater agility, while enabling more secure datacenters to be built. They allow private cloud operations to become more like the public cloud, where networking and security are managed end-to-end through an API, with a single security policy manager to rule them all.
Behind the rise of SDN
As a result, it is little wonder that they are growing in popularity. This increasing prevalence of SDN in the enterprise network mix can be attributed to the range of benefits it delivers as organizations evolve their infrastructures. First, SDN can offer stronger security because it potentially enables more advanced network segmentation – in areas of the data center previously considered too expensive to segment, at significantly lower cost – compared with traditional hardware-based infrastructures.
Second, with SDN organizations can make network changes on the fly – as and when they are needed, rapidly isolating and re-routing traffic when problems occur. And with SDN, organizations can spend more time defining security policy and less time enforcing it as policies don’t need to be changed in multiple locations.
However, the flip side to all of these benefits is that complexity can pile up in SDN environments just as quickly as it does in on-premise networks – and where complexity goes, human error often follows. Indeed, Gartner predicts that by 2020, 95% of cloud breaches will be due to human errors, such as misconfiguration, mismanaged credentials or insider theft, not provider-based vulnerabilities.
Understanding SDN security
This complexity is compounded by the fact that within SDN there are a range of security options available – depending on the vendors you are working with and the precise nuances of the network. These range from using virtual firewalls or host-based firewalls to using native security controls offered by the vendor, with each having its own strengths and weaknesses.
Regardless of which security controls you use, it’s critical to remember that each comes with its own pros and cons. For instance, with NSX dynamic objects you can logically define groups of machines that should fall under the same security policy. This simplifies policy definition – but complicates the visualization of those policies, because the network flows are not confined to the virtualized datacenter; they also flow outside of it.
Similarly, networks that span multiple datacenters allow you to define the policy once for all datacenters – but again, they make policy visualization complex.
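To make the visualization problem concrete, here is an added example (not code from the original post or from any vendor product) that resolves tag-based dynamic groups into the VM-to-VM flows a single group rule actually permits, and flags the flows that cross the virtual datacenter boundary. The VM inventory, tags, group names and the rule itself are constructed for illustration.

```python
# Added example (not from the original post): expand NSX-style dynamic security
# groups, defined by VM tags, into the concrete VM-to-VM flows a policy permits,
# and flag the flows that leave the virtualized datacenter. Group names, tags and
# the VM inventory below are constructed for illustration.
from itertools import product

# Constructed inventory: each VM carries tags and the datacenter it lives in.
VMS = {
    "web-01": {"tags": {"web", "prod"}, "dc": "dc-virt"},
    "web-02": {"tags": {"web", "prod"}, "dc": "dc-virt"},
    "db-01":  {"tags": {"db", "prod"},  "dc": "dc-virt"},
    "db-ext": {"tags": {"db", "prod"},  "dc": "dc-physical"},  # outside the SDN
}

# Dynamic groups: membership is evaluated from tags, not listed by VM name.
GROUPS = {
    "sg-web": {"web", "prod"},
    "sg-db":  {"db", "prod"},
}

# Policy written once against groups: (source group, destination group, port).
POLICY = [("sg-web", "sg-db", 3306)]


def members(group):
    """Resolve a dynamic group to the VMs whose tags satisfy its definition."""
    required = GROUPS[group]
    return sorted(vm for vm, info in VMS.items() if required <= info["tags"])


def effective_flows(policy, home_dc):
    """Expand group rules to VM pairs; mark flows that leave the home datacenter."""
    flows = []
    for src_grp, dst_grp, port in policy:
        for src, dst in product(members(src_grp), members(dst_grp)):
            crosses = VMS[src]["dc"] != home_dc or VMS[dst]["dc"] != home_dc
            flows.append((src, dst, port, crosses))
    return flows


if __name__ == "__main__":
    # One group rule expands to four VM-level flows, two of which leave dc-virt.
    for src, dst, port, crosses in effective_flows(POLICY, "dc-virt"):
        label = "LEAVES DATACENTER" if crosses else "internal"
        print(f"{src} -> {dst}:{port}  [{label}]")
```

A single rule on two small groups already produces flows that a view of the virtual datacenter alone would not show; real tag sets make the gap between the written policy and the effective flows much wider.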
The upshot of all this is that ‘islands’ of SDN automation are likely to develop, which are automated in themselves, but do not cover the entire organization.
Four key recommendations
As such, managing security across next-generation datacenters depends on following four key principles.
Achieving SDN security success
The software-defined network is undoubtedly different from, and possibly more complex than, a traditional on-premise network. However, the basic security principles remain the same in SDN environments as they are on premise, and with the right automation tools and processes, cloud security can be handled with the same visibility and control as security in on-premise networks.
If you want to learn more, click here to watch my recent webinar on how to manage security in your next generation data center.