The move to software-defined everything: how secure is programmable infrastructure?

Software-defined networking has been touted as one of the greatest technology changes to hit the ICT industry since the move from mainframes to desktops. But local area, wide area and data centre networks won’t be the only parts of the ICT infrastructure impacted by this change.

The general trend is towards software dominance in all areas, and for good reason. Software-based systems promise more flexibility, scalability and automation. In fact, the idea is that the entire ICT environment should become instantly and remotely programmable because it’s a more efficient and effective way of meeting the needs of a dynamic, virtualised computing world.

However, the industry is still neglecting to ask some crucial questions about security. Exactly how vulnerable is a programmable infrastructure? And if it carries a higher risk than a hardware-dominated environment, what can software-defined security do to make it less so?


The rise of programmable infrastructure

Although still in its early stages, programmable infrastructure is fast becoming a reality in the ICT industry. Orchestrated and automated technologies are increasingly being applied to the data centre, as well as software-defined LANs and WANs that better support the applications and technologies that run on them. 

The move towards programmability is mostly driven by the open-source software movement – as represented, for example, by OpenStack – as well as orchestration tools that are becoming more widely used.

Also, the rise of the DevOps approach means infrastructure can be programmed for a particular business outcome while it is running, meaning the same team is developing software and operating its environment simultaneously.

While there will always be a need for hardware, it is likely the hardware layer will become gradually ‘thinner’ over time, resulting in a more agile, software-based way of operating ICT infrastructures.

As the programmable infrastructure industry is still in its infancy, it is not in a strong position to gauge the full extent of the threats it is likely to face. Much of the technology introduced to date has not been developed and deployed with security in mind and, from its outset, software-defined infrastructure as a broader movement has placed little emphasis on security considerations. This suggests a need for education, helping the industry understand better what the threats and risks are and what they mean to specific organisations.

Traditionally the security industry has used hardware, in the form of network ports, as a way to ‘batten down the hatches’. If network ports are closed, the infrastructure is completely isolated from external threats. Now, however, the infrastructure is dominated by the application layer, which has to remain open at all times to prevent the organisation’s business from suffering.

This creates a problem for security, as it leaves the infrastructure open to unauthorised access. As programmable infrastructure resides squarely within the application layer, these security concerns will need to be addressed.


Securing programmable infrastructure

The deployment of any new technology, whether in mobility, the cloud or software-defined networks, needs to maintain a consistent approach to security. While programmable infrastructure is an important new technology trend, and one that is likely to have a significant impact, the broader security approach and process should stay constant.

While differences and variations may be necessary in the finer details, such as the specific tooling that providers will employ, a generally consistent approach to a security architecture framework is essential.

Ultimately, this is because information security is all about the data. The three central points of data security are confidentiality, integrity and availability, all of which are just as relevant to programmable infrastructure as to its predecessors. 

Companies considering deploying a programmable infrastructure first need to update their security policy to accommodate the new technology, and then consider the appropriate security controls to protect the infrastructure.

Software-based systems can be configured remotely, and because software-defined infrastructure moves control from hardware into software, it is essential to prevent, for example, the insertion of unauthorised or malicious code from outside sources.
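One concrete control for the point above is to have the controller refuse any configuration change that does not carry a valid signature from an authorised pipeline. The following is an added example written for this page, not code from the article or from Dimension Data. It uses an HMAC-SHA256 shared key purely to stay self-contained (an assumption; a production controller would verify an asymmetric signature, for instance Ed25519, over the same canonical bytes), and the signer name, key and port settings are constructed sample values.

```python
"""Verify that a change pushed to a programmable-infrastructure controller is
signed by an authorised source before it is applied (added example)."""
import hashlib
import hmac
import json

# Assumed: key provisioned out of band to both the CI/CD signer and the controller.
SIGNING_KEY = b"example-key-replace-in-real-deployments"
# Assumed: identities allowed to push infrastructure changes.
ALLOWED_AUTHORS = {"netops-pipeline"}


def canonical_bytes(change: dict) -> bytes:
    """Serialise deterministically so signer and verifier hash identical bytes
    regardless of key order or whitespace in the submitted JSON."""
    return json.dumps(change, sort_keys=True, separators=(",", ":")).encode()


def sign_change(change: dict, key: bytes = SIGNING_KEY) -> str:
    """Produce the hex signature the pipeline attaches to a change."""
    return hmac.new(key, canonical_bytes(change), hashlib.sha256).hexdigest()


def verify_change(change: dict, signature: str, key: bytes = SIGNING_KEY):
    """Return (accepted, reason). Rejects unknown authors and altered payloads."""
    if change.get("author") not in ALLOWED_AUTHORS:
        return False, "author not authorised to push infrastructure changes"
    expected = sign_change(change, key)
    # compare_digest avoids leaking timing information about the comparison
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch: payload altered or signed with wrong key"
    return True, "accepted"


def apply_change(change: dict, signature: str, controller_state: dict) -> dict:
    """Apply port settings only when the change verifies; log rejections otherwise."""
    ok, reason = verify_change(change, signature)
    if not ok:
        controller_state.setdefault("rejected", []).append(reason)
        return controller_state
    for port, settings in change["ports"].items():
        controller_state.setdefault("ports", {})[port] = settings
    return controller_state


if __name__ == "__main__":
    # Constructed sample change and a tampered copy of it.
    change = {"author": "netops-pipeline",
              "ports": {"eth0": {"vlan": 10, "state": "up"}}}
    sig = sign_change(change)
    state = apply_change(change, sig, {})
    print("after signed change:", state)
    tampered = {"author": "netops-pipeline",
                "ports": {"eth0": {"vlan": 999, "state": "up"}}}
    print("after tampered change:", apply_change(tampered, sig, state))
```

The design point is that the controller verifies before it acts and keeps a record of what it refused; an attacker who can reach the management API but does not hold the signing key cannot get a change applied, and an altered payload fails even when it reuses a legitimate signature.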

As the industry’s main focus to date has been to move data more quickly and easily, rather than securely, it remains uncertain how much larger the security threat has become.

However, programmable infrastructure is also likely to open up interesting opportunities to help secure this type of environment. Security technologies will increasingly become programmable themselves, with some security products, such as firewalling and intrusion prevention, already functioning as software. This means a security tool can be provisioned, deployed and automated as and when it is required.

This is driven by the industry’s rapid shift towards using virtual machines rather than physical servers. At the moment, there is no easy way of securing an individual virtual machine, with operators choosing instead to secure the entire network or segments of the data centre.

However, security technology in software form can be applied per virtual machine, firewalling each one individually, and in doing so protecting it from intrusion. An added advantage is that those security settings can easily be moved along with the virtual machine, whether into or out of a data centre, or even into the cloud.

Another benefit of a software-based security environment is the ability to secure a particularly sensitive data flow across a network, such as credit card details or personal information, on demand and according to existing security policy. 

Differentiated encryption could be used to secure that particular piece of traffic, leaving the rest of the data in clear text. That data stream could even be sent across a completely separate network link that is more private and secure still.
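The two ideas in the preceding paragraphs, per-VM firewall rules that travel with the machine and differentiated treatment of sensitive flows, can be shown in one small policy engine. The code below is an added example for this page, not the article's or any vendor's product; the VM names, labels, IP addresses and data classes ("pci", "pii", "general") are constructed for illustration. Rules are keyed on VM labels rather than IP addresses, so a migrated VM keeps its protection, and each flow is additionally tagged with the transport and link the policy requires.

```python
"""Software-defined security policy keyed on VM identity (added example)."""
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    ip: str
    labels: frozenset  # identity the policy keys on, e.g. {"role:web"}; not the IP


@dataclass
class Rule:
    src_label: str
    dst_label: str
    dst_port: int
    action: str  # "allow" or "deny"


@dataclass
class Flow:
    src: VM
    dst: VM
    dst_port: int
    data_class: str = "general"  # constructed classes: "general", "pii", "pci"


class Policy:
    """Rules are written against labels so they follow a VM wherever it runs."""

    def __init__(self, rules, encrypt_classes, private_link_classes):
        self.rules = list(rules)
        self.encrypt_classes = set(encrypt_classes)
        self.private_link_classes = set(private_link_classes)

    def evaluate(self, flow: Flow) -> dict:
        action = "deny"  # default deny: no explicit allow means the flow is dropped
        for r in self.rules:
            if (r.src_label in flow.src.labels and r.dst_label in flow.dst.labels
                    and r.dst_port == flow.dst_port):
                action = r.action
                break
        return {
            "action": action,
            # differentiated encryption: only sensitive classes get the tunnel
            "transport": "encrypted" if flow.data_class in self.encrypt_classes else "clear",
            # and the most sensitive ones are steered onto a separate link
            "link": "private" if flow.data_class in self.private_link_classes else "shared",
        }

    def host_rules(self, vm: VM, inventory) -> list:
        """Compile label rules into IP-based entries for one VM's enforcement
        point, resolving peer addresses from the current inventory."""
        out = []
        for r in self.rules:
            if r.dst_label in vm.labels:
                for peer in inventory:
                    if r.src_label in peer.labels:
                        out.append(f"{r.action} from {peer.ip} to port {r.dst_port}")
        return out


def migrate(vm: VM, new_ip: str) -> VM:
    """A move to another host, data centre or cloud changes the IP, not the identity."""
    return VM(vm.name, new_ip, vm.labels)


if __name__ == "__main__":
    web = VM("web01", "10.0.1.10", frozenset({"role:web"}))
    db = VM("db01", "10.0.2.20", frozenset({"role:db"}))
    policy = Policy([Rule("role:web", "role:db", 5432, "allow")],
                    encrypt_classes={"pci", "pii"}, private_link_classes={"pci"})
    print(policy.evaluate(Flow(web, db, 5432, "pci")))
    moved = migrate(db, "192.168.9.5")
    print(policy.evaluate(Flow(web, moved, 5432)))  # still allowed after the move
    print(policy.host_rules(moved, [web, moved]))   # compiled for the new location
```

Because `host_rules` is recompiled from the label inventory, the per-VM firewall entries are regenerated automatically at the destination after a migration, which is the "security settings move with the VM" property the text describes; the `transport` and `link` fields are what an orchestrator would hand to the encryption and routing layers to realise differentiated encryption for a single sensitive stream.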

Several leading security vendors are now adopting this rationale. While many attempts at securing such a fast-moving, dynamic environment have previously proven problematic and cumbersome, software-defined infrastructure offers an opportunity for an agile, flexible platform that does not compromise on security.


Sourced from Danny Yeowell, Dimension Data


Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...