Software-defined networks (SDNs) drive efficiency and agility, and make businesses more scalable and flexible. They are also becoming increasingly popular: the global data center and enterprise SDN market grew 82% in 2015.
Yet despite that rising popularity, SDN can also provoke anxiety, because of a perceived loss of visibility and control. In a networking model in which IT teams and managers have little or no physical visibility into their networks, how does security work? If you can’t see into the network, how do you control and manage it?
Taking back control
One useful way of approaching SDN visibility is the plane/car analogy. Lots of people are anxious about flying while very few are anxious about driving a car – even though statistically, the plane is far safer. It’s about control. In the driving seat, we feel in control, while as a passenger in a plane we don’t. It’s an unfamiliar environment, with little visibility.
SDN security is not dissimilar. IT managers are frequently working with networks that they didn’t actually build and configure – networks that they can’t see.
Yet the reality is that SDNs can be more secure than traditional on-premises networks, thanks to their greater agility and adaptability and their higher levels of automation. In turn, managers can spend more time defining their security policies, and less time enforcing them through cumbersome manual processes.
Securing the SDN
The basics of security in SDNs are the same as in any other network environment. You need to know what’s happening within your network through rigorous monitoring. You need to properly manage all changes, put risk analysis at the heart of your security posture, enforce least privilege, segment the network according to business-critical applications, and meet your governance and compliance requirements.
Securing the network perimeter depends on whether you’re using a public cloud (in which case the physical perimeter is the provider’s responsibility, while everything you deploy inside it remains yours) or a private cloud (in which case it is entirely up to your own security team).
Inside the SDN is where things get more interesting. Here are some of the options:
- Virtual firewalls, which offer the advantage of familiarity but also force network traffic through a single ‘choke’ or access point – an old-fashioned approach that does not fit a distributed environment.
- Host agents that utilize existing host-based firewalls. They work across clouds and provide some advanced functionality, but add cost and management overhead on every host.
- Cloud provider security groups or “distributed firewalls”, which provide abstracted firewalls at the network fabric level. These are extremely granular and are usually free of charge, but they are different for every cloud provider and they currently lag behind commercial firewalls when it comes to advanced features such as application- and user-based policies.
Automation, automation, automation
But whatever option or combination of options you choose, there is one element that should never be ignored – automation. When Gartner asked businesses about their primary motivation for deploying cloud infrastructure as a service (IaaS), the winning factor – by a significant margin – was agility. It is crucial, therefore, that security does not become the bottleneck that prevents fast, agile deployments (and decommissioning processes) in a cloud environment.
Yet, by 2019, according to Gartner, 80% of all cloud breaches will be due to user misconfiguration as well as mismanaged credentials or insider theft, rather than provider based vulnerabilities, which illustrates that the biggest potential vulnerability in SDN is user error rather than an inherent lack of
This is where automation comes in. Making manual changes to network and security policies every time a new application is deployed or a new server is added is a cumbersome, error-prone process even in on-premises networks. In a hybrid cloud environment, making changes manually quickly becomes unworkable. A security policy management solution that automatically calculates, implements and documents every change, from connectivity discovery right through to security policy decommissioning, is therefore essential for SDN.
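The following is an added example, not code from the original article or from any vendor’s product. It sketches the automation loop the two preceding sections describe for the security-group style of enforcement: derive a least-privilege rule set from an application’s declared connectivity, risk-check it, diff it against the rules currently deployed, apply the delta, and write a change record, including decommissioning rules and groups that are no longer needed. The flow schema, the group names (sg-web, sg-app, sg-db, sg-legacy), the rule snapshot and the ticket number are all constructed for illustration; a real tool would read the current state from the cloud provider’s API and push changes back through it.

```python
"""Policy-as-code change calculation for cloud security groups (added example).

All data below is constructed; nothing here reflects a real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Rule:
    """One inbound allow rule: protocol, destination port, and the source
    (a CIDR or the name of another security group)."""
    proto: str
    port: int
    source: str

    def __str__(self):
        return f"{self.proto}/{self.port} from {self.source}"


ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed declared connectivity for a three-tier application (assumed schema):
# each flow says which source may reach which group on which port.
APP = {
    "name": "orders",
    "flows": [
        {"from": "0.0.0.0/0", "to": "sg-web", "proto": "tcp", "port": 443},
        {"from": "10.0.0.0/8", "to": "sg-web", "proto": "tcp", "port": 22},  # bastion range
        {"from": "sg-web", "to": "sg-app", "proto": "tcp", "port": 8080},
        {"from": "sg-app", "to": "sg-db", "proto": "tcp", "port": 5432},
    ],
}

# Constructed snapshot of what is deployed today, keyed by security-group name.
CURRENT = {
    "sg-web": {Rule("tcp", 443, "0.0.0.0/0"), Rule("tcp", 22, "0.0.0.0/0")},
    "sg-app": {Rule("tcp", 8080, "sg-web"), Rule("tcp", 8080, "0.0.0.0/0")},
    "sg-db": {Rule("tcp", 5432, "sg-app"), Rule("tcp", 3306, "sg-app")},  # leftover from an old DB
    "sg-legacy": {Rule("tcp", 80, "0.0.0.0/0")},  # application retired, group never cleaned up
}


def desired_rules(app):
    """Least-privilege rule set: exactly the flows the application declares, nothing more."""
    desired = {}
    for flow in app["flows"]:
        desired.setdefault(flow["to"], set()).add(Rule(flow["proto"], flow["port"], flow["from"]))
    return desired


def risky_rules(state):
    """Risk check: admin ports reachable from anywhere should never be deployed."""
    return {(sg, r) for sg, rules in state.items() for r in rules
            if r.port in ADMIN_PORTS and r.source in ANYWHERE}


def plan_changes(desired, current):
    """Per group: rules to add and rules to decommission.
    A group absent from the desired state is emptied, i.e. retired."""
    plan = {}
    for sg in sorted(set(desired) | set(current)):
        want = desired.get(sg, set())
        have = current.get(sg, set())
        plan[sg] = {"add": sorted(want - have), "remove": sorted(have - want)}
    return plan


def apply_plan(current, plan):
    """Simulate applying the plan (a real tool would call the provider API here).
    Groups left with no rules are dropped from the resulting state."""
    new_state = {}
    for sg, change in plan.items():
        rules = (current.get(sg, set()) | set(change["add"])) - set(change["remove"])
        if rules:
            new_state[sg] = rules
    return new_state


def change_record(plan, ticket):
    """One documented line per rule change, suitable for the change log."""
    lines = []
    for sg, change in plan.items():
        lines.extend(f"{ticket} {sg} ADD {r}" for r in change["add"])
        lines.extend(f"{ticket} {sg} REMOVE {r}" for r in change["remove"])
    return lines


def run(app, current, ticket="CHG-0001"):
    """Full cycle: calculate, risk-check, apply, document. Refuses a declared
    intent that would itself violate policy, so risk analysis gates the change."""
    desired = desired_rules(app)
    violations = risky_rules(desired)
    if violations:
        raise ValueError(f"declared connectivity violates policy: {violations}")
    plan = plan_changes(desired, current)
    return apply_plan(current, plan), change_record(plan, ticket)


if __name__ == "__main__":
    print("risky rules deployed today:", risky_rules(CURRENT))
    state, record = run(APP, CURRENT)
    print("\n".join(record))
```

Running it against the constructed snapshot flags the SSH-from-anywhere rule, produces five documented changes (tighten SSH on sg-web, drop the stray 8080 rule on sg-app, drop the stale 3306 rule on sg-db, retire sg-legacy), and a second run against the resulting state produces no changes at all, which is the property a policy automation tool needs: the declared connectivity, not a sequence of hand edits, is the source of truth.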
Ringing the changes
Securing an SDN is undoubtedly different from securing an on-premises network. Businesses that take the same approach in both environments are doing it wrong.
However, the basic security principles remain the same in SDN environments, and with the right automation tools and processes, cloud security can be handled with the same visibility and control as on-premises networks. There’s no need to be blind in SDNs.