How secure is programmable infrastructure?

According to Dimension Data, the industry is still neglecting to ask some crucial questions about security. Exactly how vulnerable is a programmable infrastructure? And if it carries a higher risk than a hardware-dominated environment, what can software-defined security do to make it less so?

By Paul Carvill, Network Business Development Manager – Dimension Data, for ITnation Mag

Software-defined networking has been touted as one of the greatest technology changes yet to hit the ICT industry since the move from mainframes to desktops. But local area, wide area, and data centre networks won’t be the only parts of the ICT infrastructure impacted by this change. The general trend is towards software dominance in all areas, and for good reason. Software-based systems promise more flexibility, scalability, and automation. In fact, the idea is that the entire ICT environment should become instantly and remotely programmable, because it’s a more efficient and effective way of meeting the needs of a dynamic, virtualised computing world.

Yet, according to Dimension Data’s Paul Carvill, Network Business Development Manager, the industry is still neglecting to ask some crucial questions about security. Exactly how vulnerable is a programmable infrastructure? And if it carries a higher risk than a hardware-dominated environment, what can software-defined security do to make it less so?

The rise of programmable infrastructure

Paul Carvill points out that, although in its early stages, programmable infrastructure is fast becoming a reality in the ICT industry. ‘We’re already seeing orchestrated and automated technologies in the data centre, as well as software-defined LANs and WANs that better support the applications and technologies that run on them. There’s also been some discussion in the market about programmable mobility solutions and security infrastructures.’

The move towards programmability is mostly driven by the open source software movement – as represented, for example, by OpenStack – as well as orchestration tools that are becoming more widely used. The rise of DevOps is another driver. In essence, it enables the infrastructure to be programmed for a particular business outcome while it runs. The same team therefore develops the software and operates the environment – hence the term “development operations”. Facebook, for example, does in the region of 30 infrastructure upgrades per day using DevOps practices, a pace unheard of in a hardware-dominated environment.

So, we are already starting to move to a much more agile way of operating ICT infrastructures and this is enabled by software. There will always be a need for hardware, but we expect the hardware layer to become gradually “thinner” over time in all areas of the infrastructure.

Questions of security and risk

‘It’s true that programmable infrastructure is still in its infancy,’ says Paul Carvill. ‘It’s therefore riskier because the industry can’t yet gauge the full extent of the threats against which it would be vulnerable.

Much of the technology we’ve seen to date hasn’t been developed and deployed with security in mind. In fact, software-defined infrastructure as a broader movement hasn’t involved security considerations from the outset. The security industry is lagging behind and needs to be educated. We need to understand what the threats and risks are, and what they mean to specific organisations.

In the traditional world of security, we used hardware in the form of network ports as a way of locking down the hatches. If your network ports were closed, you’d isolated the infrastructure against threats, much like the drawing up of a castle bridge. That’s changed. Now the infrastructure is dominated by the application layer, which has to remain open, else the organisation’s business suffers. This is a problem for security, as it leaves the infrastructure open to unauthorised access.

In the last six to seven years, the way in which we assess application security has evolved. Not too long ago, this was a very new area for us; now it’s within our DNA. We need to understand the application layer really well because programmable infrastructure will reside squarely within this realm; yet mistakes and vulnerabilities will resonate through the entire stack – from the application layer down to the network – bringing potentially severe consequences to what may seem like a small change or weakness.’

Securing programmable infrastructure

In deploying any new technology – whether it’s in mobility, the cloud, or software-defined networks – the basic security principles still apply. Programmable infrastructure is indeed an important technology trend but, while it will have a major impact, the security aspects that organisations need to consider will stay constant.

This underlines the importance of a consistent approach to a security architecture framework. Obviously, differences and variations may be necessary in the finer detail, such as the specific tooling you’ll employ. But the broader approach and process remain the same.

Information security is all about the data, and the three cornerstones of data security are confidentiality, integrity, and availability. These three cornerstones are still relevant in securing your programmable infrastructure.

Policy is the first step. If you are considering a programmable infrastructure, you need to update your security policy to include that. Then you need to consider the appropriate security controls to protect the infrastructure. In software-defined infrastructure, the control is moving from hardware to software. The attack surface therefore grows because software-based systems can be configured remotely. So you’d need to implement more security around access to the software, to prevent, for example, the insertion of unauthorised or malicious code.

However, the industry still needs to define and determine how best to do that. The focus until now has been on using software-defined networks to move data faster and more easily. Not much thought has yet been given to how to do that more securely. The result is that we are not yet sure how much bigger the attack surface has grown.

How will a programmable security infrastructure help?

Programmable infrastructure may open up interesting new opportunities to help secure this type of environment. Paul Carvill says: ‘Security technologies are set to become programmable themselves. In fact, we’re already seeing security products such as firewalling and intrusion prevention in software form.

This allows us to program the tool, provision it, deploy it, and automate it in the most appropriate way, as and when it’s required. Keep in mind that the virtual machine is fast becoming the building block of modern computing – not the physical server anymore. At the moment, there’s no easy way of securing a virtual machine. You can secure the entire network and segments of the data centre, but it’s very difficult to provide a very granular level of security for the virtual machine.

If you have security technology in software, you can apply security policy per virtual machine so that it’s immediately firewalled and protected from intrusion. Then the security settings can also be moved along with the virtual machine, no matter whether you’re moving it into or out of a data centre, or even into the cloud.

Several leading security vendors are already starting to adopt this rationale. That is encouraging because securing such a fast-moving, dynamic environment has been very problematic and cumbersome in the past. Software-defined security will help create not only an extremely agile and flexible infrastructure, but also a highly secure one.

Another benefit that a software-based security environment would have is the ability to secure a particularly sensitive data flow across the network, such as credit card or social security information. You would then be able to apply differentiated encryption to secure that piece of traffic, and leave the rest of the data in clear text. You may even be able to send that stream of data across a completely separate network link that is more private and secure. This will allow you to control your network traffic and apply your security policy in a much more effective and efficient way.
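The two mechanisms described above (a security policy that is attached to the virtual machine and travels with it, and differentiated encryption applied only to sensitive data flows), together with the earlier point about guarding policy against unauthorised modification, can be modelled in a few dozen lines. The following is an added example written for this page, not code from the article or from Dimension Data; the policy format, the label names (`pci`, `web`), the data class `cardholder` and the signing key are all constructed for illustration.

```python
"""Workload-attached security policy: an illustrative model.

Added example (not code from the article or from Dimension Data). It assumes a
policy format of our own: rules keyed on VM labels, rendered into host-level
firewall and encryption decisions wherever the VM happens to be placed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed policy document. Rules are attached to workload labels, not to a
# physical port or data-centre segment, so they follow the VM when it migrates.
POLICY = {
    "rules": [
        {"label": "pci",
         "allow": [{"proto": "tcp", "port": 443, "from": "web"}],
         "encrypt_classes": ["cardholder"]},
        {"label": "web",
         "allow": [{"proto": "tcp", "port": 80, "from": "any"},
                   {"proto": "tcp", "port": 443, "from": "any"}],
         "encrypt_classes": []},
    ],
    "default": "deny",
}

# Hypothetical policy-signing key; in a real deployment it lives in a secrets
# store, never in source.
POLICY_KEY = b"constructed-demo-key"


def sign_policy(policy: dict, key: bytes = POLICY_KEY) -> str:
    """HMAC-SHA256 over the canonical JSON of the policy, so that a tampered
    document is rejected before it is pushed to any host."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_policy(policy: dict, signature: str, key: bytes = POLICY_KEY) -> bool:
    """Constant-time comparison against a freshly computed signature."""
    return hmac.compare_digest(sign_policy(policy, key), signature)


@dataclass
class VM:
    name: str
    labels: set
    location: str  # e.g. "dc-lux", "dc-ams", "public-cloud" (constructed)


def render_rules(vm: VM, policy: dict, signature: str) -> list:
    """Produce the host firewall rules for this VM. The output depends only on
    the VM's labels and the signed policy, never on its current location."""
    if not verify_policy(policy, signature):
        raise ValueError("policy signature mismatch: refusing to apply")
    rules = []
    for rule in policy["rules"]:
        if rule["label"] in vm.labels:
            for a in rule["allow"]:
                rules.append(f"allow {a['proto']}/{a['port']} from {a['from']} to {vm.name}")
    rules.append(f"{policy['default']} all to {vm.name}")
    return rules


def needs_encryption(vm: VM, data_class: str, policy: dict) -> bool:
    """Differentiated encryption: only flows carrying a data class that the
    VM's labels mark as sensitive must be encrypted; other traffic may stay in
    clear text, as the article describes."""
    for rule in policy["rules"]:
        if rule["label"] in vm.labels and data_class in rule["encrypt_classes"]:
            return True
    return False


if __name__ == "__main__":
    sig = sign_policy(POLICY)
    vm = VM("pay-01", {"pci"}, "dc-lux")
    print(render_rules(vm, POLICY, sig))
    vm.location = "public-cloud"          # migration: the rules do not change
    print(render_rules(vm, POLICY, sig))
    print(needs_encryption(vm, "cardholder", POLICY))  # True
    print(needs_encryption(vm, "telemetry", POLICY))   # False
    tampered = json.loads(json.dumps(POLICY))
    tampered["rules"][0]["allow"].append({"proto": "tcp", "port": 22, "from": "any"})
    try:
        render_rules(vm, tampered, sig)
    except ValueError as e:
        print("rejected:", e)
```

The point of the signature check is the one the article makes about access to the software: once the control plane is code, the policy document itself becomes an attack surface, so the host should refuse to apply a policy whose integrity it cannot verify. The point of keying rules on labels rather than location is the one made about the virtual machine as the building block: the same rules are rendered whether the VM sits in the data centre or in a public cloud.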

‘It’s important, however, to brave this new software-defined world with the right security provider at your side,’ concludes Paul Carvill. ‘Look for a partner with a thorough understanding of this type of environment and its particular threats and risks. Your partner should also have cross-disciplinary skills in order to consider and understand the implications of implementing programmable infrastructure across all areas of the environment, not only in the particular area in which it will function. Most of all, it’s important to follow a carefully planned and orchestrated way of migrating to ensure you maintain your data security and integrity at every step of the journey towards deploying a programmable infrastructure.’

If you are interested in hearing more about this topic, you can register for our lunch session “Drive business agility with SDN” that will take place on 21st May 2015 in Luxembourg. Follow us on LinkedIn, Twitter or Facebook for the registration details.

For a 10-minute SDN readiness self-assessment go to dimensiondata.com.