The ONUG Community Rethinks Security For a Software-Defined Cloud-Based World
by Nick Lippis
Gone are the days when enterprise security was defined by physical firewalls and IPS devices placed in a DMZ and programmed with rules that either allowed or denied access. It’s not that these security appliances are not needed or important anymore, it’s just that they are legacy, hardware-based, inflexible gatekeeper devices that were build for an older world and application portfolio. Network security, like all hardware-based appliances, is rapidly being disaggregated from hardware and software so that security services can be applied to workload independent upon its locale. The new security market is based on Software-Defined Security Services and there are a wide range of new companies making up this ecosystem. Companies such as vArmour, Juniper Networks, Illumio, Aporeto, Avocado Networks, Drawbridge, Cloud Passage, Darktrace, FireEye, ShieldX, ForeScout, CIX, and Catbird are all either currently or soon-to-be offering products and services for the Software-Defined Security Services market. Even the cloud providers such as Google, Amazon, and Microsoft are starting to get involved by offering APIs to Software-Defined Security Services. You can also expect VMware, Cisco, HPE, Palo Alto Networks, Checkpoint et al. to build modules and extensions to their products this year.
Where is the Software-Defined Security Services ecosystem taking shape? At ONUG. Spearheaded by co-chairs Fred Lima of eBay, Rakesh Kumar of Juniper and Scott Bradner famed legendary figure in the development of the Internet and IETF and until recently University Technology Security Officer at Harvard University. These three industry leaders are plotting out the course for S-DSS with the help of one of the largest ONUG working groups.
Software-Defined Security Services or S-DSS
S-DSS was defined exclusively by IT executives from the large enterprise market including Bank of America, Barclays, Cigna, Gap Inc, General Dynamics, Intuit, Principal Financial Group, Salesforce, Tesla, Visa, Wells Fargo, et al at ONUG. The basis for S-DSS was the lacking security model for a software-defined world that could apply to a broad range of use cases other than micro segmentation. Two design principles drove the emergence of the S-DSS framework/architecture and multiple use cases.
- – Software-defined infrastructure must possess a common language to define declaratives and policies that can be consumed up and down the IT stack, physically and virtually.
- – Software-defined infrastructure must be able to instantiate an “internet-facing workload” in a software-defined datacenter that provides protection equivalent to today’s physically isolated networks.
These design principles guided the ONUG IT executives to define S-DSS in such a way that security policies are bound to workloads independent of how those workloads are created; that is, whether the workload runs within a virtual machine (VM), container, application, applications based upon microservices, unikernels, or bare metal servers. Further, security policy are to be portable, meaning policy can be written in one place and deployed in multiple locales, where workload policy enforcement is distributed close to said workload. Verification and auditability of security policy must be enabled to measure the ability of network workloads to ensure the confidentiality, integrity, and availability of the services they are delivering. Thus, the minimum set of requirements for cloud-based applications and hybrid cloud deployments within a software-defined infrastructure – in other words, for Software-Defined Security Services – includes a security policy bound to workloads, policy portability, distributed enforcement local to that workload, and verification.
S-DSS is designed to protect workloads running in private data centers and hybrid clouds. Now, with the vendor community fully engaged, products and services are starting to emerge. Just look at the security products from Juniper, vArmour, Illumio, Aporeto, Avocado Networks, and CIX as S-DSS offerings. Even existing security companies such as Palo Alto Networks, Cisco, and Checkpoint are getting involved, as are the cloud providers. Security concerns are always at the top of the list of requirements for hybrid cloud, and S-DSS offers the most comprehensive solution to protecting portable or mobile workloads.
Because S-DSS offers security services natively within a software context, it increases speed to deploy and reduces operational spend. This is realized by requiring policies to be bound to workloads, such as virtual machines, containers, applications, services, or micro-services. Now infrastructure DevOps engineers can write security policy once and deploy it in multiple places, where workload policy would then be enforced. In short, S-DSS is infrastructure agnostic. To ensure that security policy is being met and that it’s in conformance to various regulations and statutes, S-DSS requires that a SecOps must be able to measure the ability of network workloads to ensure the confidentiality, integrity, and availability (the Security Triad) of the services they are delivering.
The S-DSS framework is manifesting into a controller-based approach to security, where interfaces are defined for private datacenter infrastructure and cloud-specific security controls. These interfaces will enable the S-DSS ecosystem to emerge and help to usher in a new security model for the software-defined cloud-based era. As a community we need a better user approach to security that mitigates threats while workloads become agile thanks to the transition toward a cloud-based software-defined infrastructure accelerates. There will be plenty of demonstrations and discussions around this topic at ONUG Spring and Fall this year as the ONUG Community showcases the S-DSS ecosystem. You can download the first S-DSS paper here.
Nick Lippis is an authority on corporate computer networking. He has designed some for the largest computer networks in the world. He has advised many Global 2000 firms on network strategy, architecture, equipment, services and implementation including Hughes Aerospace, Barclays Bank, Kaiser Permanente, Eastman Kodak Company, Federal Deposit Insurance Corporation (FDIC), Liberty Mutual, Schering-Plough, Sprint, WorldCom, Cisco Systems, Nortel Networks and a wide range of other equipment suppliers and service providers.
Mr. Lippis is uniquely positioned to comment, analyze and observe computer networking industry trends and developments. At Lippis Enterprises, Inc., Nick works with entrepreneurs evaluating new business opportunities in enterprise networking and serves as an independent investor and advisor.