Originally Published at CISO Forum
The business benefits of moving workloads to the cloud are so compelling that most enterprises are now investing heavily in this direction. Lower cost infrastructure frees up IT budget that can be focused on net new applications and business innovation.
While driving capital expenditures to near zero is a good aspirational goal, the reality is that most organizations will end up with mixed environments of physical data centers, private cloud and public cloud. The question is: how are companies supposed to keep business-critical assets safe in this new model?
In a cloud and virtual infrastructure world, security and compliance consistently bubble to the top of the list of concerns. In fact, in a recent report, Gartner identified security as one of the top 10 information technology priorities for 2015.
For decades, IT and Internet security has been built around models that assume the availability of fixed perimeters, hardware security appliances, physical proximity of data and explicit control of physical topology.
Cloud environments – including cloud hosting, virtualization and software defined infrastructure – disrupt these assumptions dramatically. And the ripple effects extend to many major IT trends including Software-Defined Data Centers (SDDC), Infrastructure-as-a-Service (IaaS), IT-as-a-service (ITaaS) and software-defined storage.
While the use of “software defined” infrastructure is attractive, it imposes technical and operational characteristics that differ significantly from traditional IT infrastructure strategies.
A few of these differences include broader IT asset distribution, high rates of change, greater diversity in deployed technologies, and large variability in scale. Of course, another key difference is that very often the underlying physical infrastructure is owned and operated by a third party.
It’s clear that new security strategies are needed -- traditional, perimeter-based security models simply don’t work in the cloud.
Leading analysts, CIOs and CSOs agree that adopting a Software-Defined Security (SDSec) architecture is necessary to ensure that security and compliance does not slow down the movement to cloud infrastructure, but rather complements and accelerates the value it delivers to the enterprise. Security and compliance management must evolve to succeed in these massively scalable, fast-moving environments.
So how do we get there? Five key architectural principles have emerged that are central to enabling security and compliance to keep up with software-defined infrastructure. These five principles are:
Abstraction: Most traditional infrastructure security strategies depend on physical constructs such as hardware appliances, physical network segmentation, and proximity of computing components. Given that the underlying infrastructure itself is becoming more virtualized and more widely distributed, security and compliance for the cloud needs to be virtualized and able to operate regardless of where underlying hardware might be physically located.
A true software-defined security strategy should also be independent of any specific infrastructure platform, vendor, or service provider. Achieving infrastructure security abstraction makes security organizations more adaptable in their ability to support any infrastructure model, including a mix of private, public, and hybrid infrastructures (a.k.a., multi-cloud infrastructure) in addition to virtualized and bare-metal systems.
Automation: Manual monitoring and audit of security policies in virtual infrastructure is not feasible and could lead to serious mistakes and slow reaction to business needs. Security automation is required that implements security and compliance controls (e.g. firewall policies, intrusion detection) with minimal human intervention in deployment, configuration, and operation. Well-implemented automation will enable security organizations to keep up with the scale and rapid rate of change associated with emerging cloud infrastructure models. In an ideal world, even automated control deployment is not enough. Most desirable is full lifecycle automation, in which policies are set once and tied to some context, after which underlying controls are 100% automated at each stage of the control’s lifecycle—from deployment to de-provisioning. Keeping up with cloud infrastructure velocity means automation throughout the lifecycle of every enforcement and monitoring control. In addition, modern, software-defined security must be on-demand for low friction, and have “instant on” availability for audit and compliance.
Orchestration: Trying to manually provision security for virtual infrastructure simply won’t work in the dynamic, elastic nature of cloud. Security orchestration reduces the time, effort and potential for error associated with deploying multiple control systems across multiple application or infrastructure environments.
Business security requirements must be satisfied by dynamic, automated, centrally managed composition of individual controls into integrated, holistic security services. Security orchestration platforms centrally manage the composition, deployment, and management of individual control components into more complex, service-oriented security systems. By composing many individual controls into a larger system, security orchestration is considered to be a higher order function than simple control automation. In many implementations, orchestration also addresses licensing, metering, chargeback, and other security resource consumption issues—important in service-oriented cloud computing and software-defined infrastructure environments.
A key strategic value of orchestration is the ability to rapidly create and maintain numerous security environments that are aligned with higher-level business needs while keeping pace with automated deployment, migration, and reconfiguration needs of the underlying application environment.
Security orchestration also reduces the time, effort, and potential for error associated with deploying multiple control systems across multiple application or infrastructure environments. This streamlines control deployment, integration, and change management, preventing security from becoming a speed bump in an otherwise seamlessly orchestrated environment.
And as technology delivery becomes increasing service-oriented, orchestration can relieve the administrative complexities of usage-based security resource management.
Automatic Scalability: Scaling application and infrastructure environments automatically, on-demand, and in near real-time is one of the essential capabilities that makes cloud computing so valuable. Dealing with seasonality or other fluctuations in demand once required maintaining sufficient idle infrastructure capacity to meet peak demand, often on a per-application basis. This approach was operationally and economically inefficient. Security and compliance control capacity must also scale up or down dynamically – and without human intervention.
This means that controls must be deployed directly into the application scaling mechanism (e.g., building controls directly into cloud-burstable virtual machines) or must have the ability to scale based on application scaling triggers (e.g., detection of a cloud-burst triggers deployment of more virtual appliances). Given that an arbitrary number of security controls may potentially be needed across an arbitrary number of diverse application environments, the SDSec principles of orchestration and automation are often leveraged to achieve automatic scalability.
Cloud-oriented application hosting models that support instant deployment and dynamic capacity will demand security that can automatically scale. Automatic scalability as a feature of an on-demand, orchestrated security service is an optimal strategy for implementing software-defined security.
API Enablement: Security monitoring and enforcement control functions should be fully accessible via open Application Programming Interfaces (APIs), so that security and infrastructure organizations can fully integrate and use the tools with which they’re already familiar. CSOs and their organizations should insist on open API enablement of any security solution, especially those oriented to software-defined and cloud computing operations.
These five principles of software defined security—abstraction, automation, orchestration, automatic scalability, and API enablement—can go a long way to ensuring the success of security and compliance programs for enterprises transforming to cloud-oriented infrastructure and technology delivery.
Software-defined security changes the game for the CISO and their teams. Security can now move to being an enabler for enterprises that are taking advantage of the business value offered by cloud services and infrastructure, without sacrificing security or compliance.
Originally Published at CISO Forum