SDN to bring new round of internecine office wars to IT shops
Security to agile chaps: You want me to lock that down HOW EXACTLY?
Software-defined networking (SDN) will give IT teams a new reason for internecine conflict, as those looking to build automated, software-defined data centres come up against the hard-headed, trust-nobody pragmatism of security teams.
So says Gartner's Eric Ahlm, a research director at the analyst firm, who delivered a session titled “The Impact of Data Center Automation on Security” at the IT Infrastructure, Operations & Data Center Summit in Sydney today.
“When I look at security technologies, they are not designed to have external things tell them what to do,” Ahlm said. “They are designed to be isolated systems,” for lots of good reasons. SDN, of course, is all about having a control plane tell hardware what to do, as often as it likes, in the name of agility and more effective resource utilisation. For security teams accustomed to taking great care over even the smallest configuration change, SDN therefore represents a challenge.
Data centre operations teams that drink the SDN – or SDx – Kool-Aid aren't going to stand for security teams that move at their current pace. They'll therefore demand security tools that are easier to automate and require less oversight.
Security teams will need to catch up when that happens. Today, security teams know where assets are, what they're doing, how to monitor them and how to make sure they can collect data for compliance and forensics purposes. But once a modern data centre puts security controls onto different machines at different times, uses burst capacity to exceed on-premises capacity when required, moves workloads through a few clouds and then retreats back to on-premises operations, security teams are going to need to learn new tricks.
Ahlm sees two ways around the potential conflict.
In one scenario, security teams retain the role of choosing and maintaining controls, but change their selection criteria so that future purchases don't get in the way of SDN and other data centre automation tools.
In the other, server teams get to choose their own security tools and security teams concentrate on monitoring, audit and investigation.
Which may not be the worst fate, because Ahlm also said that SDN offers security pros some interesting new possibilities. One scenario he floated posited detection of unusual activity that could represent an attack. SDN could allow a change in network configuration that is transparent to the attacker but redirects them away from their target and into a honeypot set up for capture of forensics data. Or perhaps suspicious-looking traffic could be dynamically routed through extra security controls, for a little extra cleansing and comfort.
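The detect-then-divert idea Ahlm floats, as an added example in Python that is not from the article, from Gartner or from any SDN product: a toy controller runs a port-scan detector over constructed flow records and, for each source it flags, generates two higher-priority OpenFlow-style rules. The forward rule rewrites the destination address so the attacker's packets land on a honeypot; the reverse rule rewrites the honeypot's replies so they carry the original target's address, which is what keeps the redirect transparent to the attacker. A small switch simulator applies the rules so the behaviour can be checked offline. The bridge name, switch port numbers, addresses and the scan threshold are all assumptions.

```python
"""Added example (not from the article or Gartner): a toy SDN controller that
turns the detect-then-redirect idea into OpenFlow-style flow rules.

Bridge name, port numbers, addresses and the threshold are all assumptions."""
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port): one host probing many
# ports on 10.0.0.5, one host making ordinary HTTPS connections.  Not real data.
SAMPLE_FLOWS = [("203.0.113.7", "10.0.0.5", p)
                for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389)]
SAMPLE_FLOWS += [("198.51.100.4", "10.0.0.5", 443)] * 5

TARGET = "10.0.0.5"        # protected server (assumed)
HONEYPOT = "10.0.0.99"     # decoy that records the attacker's actions (assumed)
HONEYPOT_PORT = 3          # switch port facing the honeypot (assumed)
UPLINK_PORT = 1            # switch port facing the attacker (assumed)
SCAN_PORT_THRESHOLD = 8    # distinct destination ports from one source (assumed)


def detect_scanners(flows, threshold=SCAN_PORT_THRESHOLD):
    """Flag sources that touch at least `threshold` distinct destination ports."""
    ports_by_src = defaultdict(set)
    for src, _dst, dport in flows:
        ports_by_src[src].add(dport)
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= threshold)


def redirect_rules(attacker, target=TARGET, honeypot=HONEYPOT, priority=200):
    """Rules that divert one attacker into the honeypot without changing what it sees.

    Forward: attacker -> target is delivered to the honeypot (destination rewritten).
    Reverse: honeypot -> attacker is rewritten so replies carry the target's address.
    Priority 200 is assumed to outrank the switch's default forwarding rules.
    """
    return [
        {"priority": priority,
         "match": {"nw_src": attacker, "nw_dst": target},
         "actions": [("mod_nw_dst", honeypot), ("output", HONEYPOT_PORT)]},
        {"priority": priority,
         "match": {"nw_src": honeypot, "nw_dst": attacker},
         "actions": [("mod_nw_src", target), ("output", UPLINK_PORT)]},
    ]


def rules_for(flows):
    """Detection feeding rule generation: the controller's reaction to the flows."""
    rules = []
    for attacker in detect_scanners(flows):
        rules.extend(redirect_rules(attacker))
    return rules


def to_ovs_ofctl(rule, bridge="br0"):
    """Render a rule as an Open vSwitch `ovs-ofctl add-flow` command (bridge name assumed)."""
    match = ",".join(f"{k}={v}" for k, v in rule["match"].items())
    actions = ",".join(f"{a}:{v}" for a, v in rule["actions"])
    return f'ovs-ofctl add-flow {bridge} "priority={rule["priority"]},ip,{match},actions={actions}"'


def apply_rules(rules, packet):
    """Simulate the switch: the highest-priority matching rule rewrites and forwards.

    Packets matching no rule are left unchanged and forwarded normally, so hosts
    other than the flagged attacker never notice the redirect.
    """
    pkt = dict(packet)
    for rule in sorted(rules, key=lambda r: r["priority"], reverse=True):
        if all(pkt.get(field) == value for field, value in rule["match"].items()):
            for action, value in rule["actions"]:
                if action == "mod_nw_dst":
                    pkt["nw_dst"] = value
                elif action == "mod_nw_src":
                    pkt["nw_src"] = value
                elif action == "output":
                    pkt["out_port"] = value
            return pkt
    pkt["out_port"] = "normal"
    return pkt


if __name__ == "__main__":
    for rule in rules_for(SAMPLE_FLOWS):
        print(to_ovs_ofctl(rule))
```

Run as a script it prints the two `ovs-ofctl add-flow` commands the controller would push for the scanning host; the benign host's traffic matches neither rule. Two caveats a practitioner would add before using anything like this for real: on a plain L2 segment the honeypot also needs the destination MAC rewritten (OVS has `mod_dl_dst` for that), and the detection signal must be one an attacker cannot forge, since spoofed source addresses would otherwise let them have innocent hosts diverted. Routing suspicious traffic through extra inspection, the other scenario Ahlm mentions, is the same pattern with the output port pointing at the inspection device instead of a honeypot.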
That kind of SDN-powered security enhancement should make sure security teams aren't cut out of SDx conversations entirely, but Ahlm feels organisations building new-style data centres will need to ensure their different teams find ways to work together, as fighting won't help anyone to do their jobs. ®