“Security breaches are the only things growing faster than security spending,” said Pat Gelsinger, Chief Executive Officer, VMware – wise words that resonate more and more as each day passes. At a macro level, we’re not just seeing security threats escalate; we’re also seeing them change in nature. Gone are the days of the inconvenient virus and annoying spam malware. Today, we live in a different world where cyber threats and attacks are significant global and political challenges.
For companies, there are commercial and reputational risks to overcome. Despite increasing types of protection at the edge of data center networks – from advanced firewalls to intrusion prevention systems – attacks are succeeding in penetrating the perimeter and breaches continue to occur. This goes some way in explaining why Gartner cites ‘Adaptive Security Architecture’ as one of the Top 10 Strategic Technology Trends for 2016, explaining that “the complexities of digital business combined with an emerging ‘hacker industry’ significantly increase the threat surface for any organization”.
This new world of security requires a new type of solution, which is why Software-Defined Networking (SDN), and, on the underlying layer, network virtualization, has moved from an innovative new technology to a core priority for forward-thinking organizations. But what exactly is Software-Defined Networking? In short, it’s bringing the operational model of a virtual machine to a data center network, transforming the management of the network and security operations to deliver better visibility and control for the network manager. Crucially, it encourages the use of micro-segmentation – moving from a ‘hard perimeter’ style of protection to a more granular security model, tied to individual workloads. Think of the different security models as a boat vs. a submarine: the former with one central, fairly vulnerable hull which, when breached, is completely exposed vs. the latter with compartmentalized air-locks throughout that ensure specific sections can be locked off quickly if required, or automatically if there is a fire.
The impact of this for organizations is very real. It’s the difference between them having adequate protection against the modern, evolved security threats of today and having their data, operations and IP exposed when the old ‘hard perimeter’ defense is compromised. The challenge facing IT departments is that these issues become deeply technical, very quickly – they’re all too easy for the rest of the business to ignore…until (another) security breach happens and it’s too late.
So what can be done to address this? There’s the need for IT to dramatize the issue, escalate it throughout the organization and make a solid business case for investing in Software-Defined Networking to those at the very top of the business. And there are three key steps IT can take to do this…
1. Establish the need for a culture of trust
Many companies have begun using infrastructure that they don’t own and don’t control, with minimal assurance of its verification. There’s a role for the IT department to champion the necessity of a trusted environment, one where employees know that they can trust their new forms of infrastructure to be available and to safely manage the integrity of their data.
2. Communicate solutions, not obstacles
We are often so busy that we cannot break out of the cycle of “being busy”. As an aside, a great read on this is “The Phoenix Project” (Kim, Behr & Spafford). If we cannot effect change and open up to modernizing networking practices that have been in existence for the best part of 20 years, we will be compelled to keep making manual changes and hand-cranking policy forevermore. Network virtualization, as part of a broader automation strategy, can help IT create the time and resources necessary to be proactive in providing the solutions the business needs, but it requires support from the top down. The obligation on IT, though, is to be able to ask for the right support to make it happen.
3. Prepare teams the right way
The reality is that there is no need to reskill roles for the Software-Defined Networking world – the process is more of a ‘tune up’ for teams, so less of an investment for the broader business. For instance, firewall administrators still retain and leverage their existing experience and knowledge of writing policy to secure application communication flow. However, rather than relying on age-old manual policy definitions based on IP addresses/port numbers which result in a policy push, they can focus now on templates that automatically apply based on characteristics of the workloads being deployed irrespective of IP address (e.g. this VM is production or test, or this VM is a web server etc). This significantly reduces the complexity/number of rules to manage and allows the firewall team to shed the error-prone burden of manual policy maintenance. In a similar vein, server virtualization changed the role of the server administrator, but in most cases it enhanced their role – Software-Defined Networking can also do the same for the firewall admin.
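To make the contrast concrete, the sketch below (an added example, not code from the original article or from any vendor product) evaluates the same three flows against address-based rules and against tag-based templates. The workload names, IP addresses, tags and ports are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: frozenset  # characteristics assigned at deploy time

def wl(name, ip, *tags):
    return Workload(name, ip, frozenset(tags))

# Constructed legacy rules: (source CIDR, destination CIDR, port)
IP_RULES = [("10.0.1.10/32", "10.0.2.20/32", 8443),
            ("10.0.2.20/32", "10.0.3.30/32", 5432)]

# Constructed tag templates: (tags required on source, on destination, port)
TAG_RULES = [(frozenset({"prod", "web"}), frozenset({"prod", "app"}), 8443),
             (frozenset({"prod", "app"}), frozenset({"prod", "db"}), 5432)]

def allowed_by_ip(src, dst, port):
    """Default deny; match on addresses only."""
    return any(ip_address(src.ip) in ip_network(s)
               and ip_address(dst.ip) in ip_network(d) and port == p
               for s, d, p in IP_RULES)

def allowed_by_tags(src, dst, port):
    """Default deny; match when each workload carries every required tag."""
    return any(s <= src.tags and d <= dst.tags and port == p
               for s, d, p in TAG_RULES)

def compare():
    web1 = wl("web1", "10.0.1.10", "prod", "web")
    web2 = wl("web2", "10.0.1.11", "prod", "web")       # scale-out, no rule change
    app_moved = wl("app1", "10.0.7.77", "prod", "app")  # app1 redeployed on a new IP
    db1 = wl("db1", "10.0.3.30", "prod", "db")
    recycled = wl("test1", "10.0.2.20", "test", "web")  # test VM reusing app1's old IP
    cases = {
        "web2 -> moved app:8443": (web2, app_moved, 8443),
        "web1 -> db:5432 (skips app tier)": (web1, db1, 5432),
        "recycled test VM -> db:5432": (recycled, db1, 5432),
    }
    return {k: (allowed_by_ip(*c), allowed_by_tags(*c)) for k, c in cases.items()}

if __name__ == "__main__":
    for case, (by_ip, by_tags) in compare().items():
        print(f"{case:34} ip-rules={by_ip!s:5} tag-rules={by_tags}")
```

The third case is the one to watch for during a migration: a stale address-based rule silently grants production database access to whatever workload inherits the old IP, while the tag template denies it because the test VM never carried the required tags.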
These will undoubtedly be starting points of more in-depth conversations, but there is the need to persist. To return to the opening point ‘Security breaches are the only things growing faster than security spending’ – only by embracing change will businesses turn this trend on its head. While there will be initial upfront investment required to modernize enterprise security, it’s a nominal figure compared to the commercial and reputational costs associated with the modern type of security breach that organizations are increasingly getting exposed to.