Software-Defined Shifts: Networking and Security
Several common threads almost always surface in my conversations with CIOs, CTOs, and architects across the Americas. In recent years, those conversations have centered around challenges operating in a highly distributed, multi-cloud and increasingly mobile world, all while facing increasing market pressures for greater agility.
When it comes to agility, consider the time it takes to provision network and security for a new application or service. In meetings with hundreds of CxOs, I have found the average benchmark to be anywhere from two weeks to two months for workloads provisioned in the IT data center. In addition, many lament the complexity associated with their security architecture, often saying something like:
“We have many firewall rules that we have no idea what they do. We are afraid to delete them because we don’t know what they might break!”
To summarize, the status quo within the data center is slow and complex to the point that it’s as fragile as an advanced game of Jenga. Accidentally remove an old but important firewall rule, and critical services can come tumbling down.
If that’s not bad enough, consider the new challenges presented by cloud and mobile. Data is accessed in a variety of ways, often by different applications on different devices. Enforcing consistent networking and security policy across multiple clouds is daunting as well.
Ultimately, traditional approaches cannot be used to solve today’s challenges. To safely evolve your security strategy, consider focusing on three pillars: agility, simplicity, and ubiquity.
Let’s start with agility. All major cloud pioneers have achieved high rates of agility through delivering an entire infrastructure stack through software. In the year 2016, waiting around for hardware provisioning and maintenance simply takes too long compared to the agility pressures that every organization faces. Shifting to a software-defined delivery model isn’t just aspirational, it’s historical. If all of the household name cloud companies are operating in a software-defined context, then simply put – history is on the side of software-defined shifts. It’s inevitable. Naturally, this creates friction within the IT organization as teams look to preserve their existing skillsets, but IT roles can and will evolve. You can start this evolution by introducing a software-defined network and security stack into your data centers, even if just in the lab to start. That said, take caution to ensure that the solution you choose can operate across any hardware and is architected to operate across any major cloud in the future. Bruce Davie did a great job articulating the breadth of our commitment to these challenges in this blog post. When deployed private clouds are seen as “too slow,” the most common culprit is slow, ticket-based network and security provisioning on physical hardware. The solution to your private cloud agility problem exists. All that is needed is to take the first step.
Applications and content are becoming more and more globally distributed, encompassing IaaS, PaaS, and SaaS services, private data centers, branch offices, computer endpoints, mobile devices, and even automobiles. If that’s not complex enough, consider the number of connected intelligent devices emerging in the Internet of Things (IoT).
Traditional security architectures and approaches were good in their day, but are ill-equipped to handle the breadth of today’s connected objects. When faced with such daunting challenges, it’s only human to not know where to even begin. That said, a small step in the right direction would be to step away from security models based on IP addresses—an approach employed by practically every enterprise today. Instead, look to solutions that secure named objects (such as a VM, container, or mobile application) via a globally unique identifier (GUID). That way, even if the object is redeployed somewhere else, its security context will follow. This can allow you to implement a global zero-trust security model with an architecture that could deliver end-to-end encryption for data in motion and at rest.
Security innovations are occurring at light speed, and today’s threats don’t give you the luxury to wait for a “perfect” solution before taking the first step. Start today by looking to apply a modern micro-segmentation solution to just a single app. That allows your organization to begin building the skill sets needed to operationalize these new security models without impacting existing applications.
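To make the two preceding points concrete, here is an added example (my own illustration, not VMware or NSX code) of what “policy follows the named object” means in practice. It models a single two-tier app with a constructed inventory: each workload carries a GUID and a set of labels, and the same traffic is evaluated against an IP-keyed rule set and an identity-keyed rule set. When the database is redeployed to a new address, the IP rule silently stops matching while the identity rule still applies; a stray workload that merely shares the subnet is allowed by the IP rule but denied by identity; and identity rules can be audited against the live inventory, which is the answer to the “rules we’re afraid to delete” problem. All names, labels, addresses and ports are constructed for the example.

```python
"""Identity-keyed (GUID/label) policy vs IP-keyed policy when a workload moves.

Added illustration, not a product API. Inventory, labels, addresses and ports
are constructed sample data.
"""
from dataclasses import dataclass
import ipaddress
import uuid


@dataclass(frozen=True)
class Workload:
    guid: str          # globally unique identifier; survives redeployment
    name: str
    ip: str            # incidental attribute; changes when the object moves
    labels: frozenset  # the "named object" facets policy is written against


@dataclass(frozen=True)
class IpRule:
    src_cidr: str
    dst_cidr: str
    port: int
    action: str


@dataclass(frozen=True)
class IdentityRule:
    src_label: str
    dst_label: str
    port: int
    action: str


def make_workload(name, ip, labels):
    return Workload(guid=str(uuid.uuid4()), name=name, ip=ip, labels=frozenset(labels))


def redeploy(w, new_ip):
    """Move a workload (another rack, site or cloud): new IP, same GUID and labels."""
    return Workload(guid=w.guid, name=w.name, ip=new_ip, labels=w.labels)


def _in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate_ip(rules, src, dst, port):
    """First-match evaluation on addresses, default deny."""
    for r in rules:
        if r.port == port and _in(src.ip, r.src_cidr) and _in(dst.ip, r.dst_cidr):
            return r.action
    return "deny"


def evaluate_identity(rules, src, dst, port):
    """First-match evaluation on labels, default deny; the IP is never consulted."""
    for r in rules:
        if r.port == port and r.src_label in src.labels and r.dst_label in dst.labels:
            return r.action
    return "deny"


def orphaned_identity_rules(rules, inventory):
    """Rules referencing a label no live object carries: safe-to-review candidates."""
    live = set().union(*(w.labels for w in inventory)) if inventory else set()
    return [r for r in rules if r.src_label not in live or r.dst_label not in live]


def demo():
    web = make_workload("web-01", "10.1.0.10", {"app:shop", "tier:web"})
    db = make_workload("db-01", "10.1.0.20", {"app:shop", "tier:db"})

    # Typical subnet-scoped legacy rule vs a rule written against the objects.
    ip_rules = [IpRule("10.1.0.0/24", "10.1.0.20/32", 5432, "allow")]
    id_rules = [
        IdentityRule("tier:web", "tier:db", 5432, "allow"),
        IdentityRule("tier:legacy", "tier:db", 1433, "allow"),  # no object carries tier:legacy
    ]

    before = (evaluate_ip(ip_rules, web, db, 5432), evaluate_identity(id_rules, web, db, 5432))

    # Redeploy the database elsewhere: identity follows it, the IP rule does not.
    db_moved = redeploy(db, "172.16.5.20")
    after = (evaluate_ip(ip_rules, web, db_moved, 5432),
             evaluate_identity(id_rules, web, db_moved, 5432))

    # An unrelated workload that happens to share the subnet.
    stray = make_workload("build-07", "10.1.0.99", {"app:ci"})
    stray_result = (evaluate_ip(ip_rules, stray, db, 5432),
                    evaluate_identity(id_rules, stray, db, 5432))

    orphans = orphaned_identity_rules(id_rules, [web, db_moved])
    return {"before": before, "after_move": after, "stray": stray_result,
            "orphaned_rules": len(orphans)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows `before` allowing on both models, `after_move` denying on the IP rule but allowing on the identity rule, `stray` allowing on the IP rule but denying on identity, and one orphaned identity rule that can be reviewed with confidence because nothing in the inventory matches it. The design point is that identity rules are evaluated and audited against the object inventory, so both the “policy follows the workload” and the “which rules are dead” questions have a mechanical answer.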
A humorous answer that I often hear when asking clients which continuous integration tool their developers prefer is “One of each!” You don’t have to imagine a world where there is no consistency in how security policies are enforced across multi-data center and cloud deployments, because you live in that world today. I’m not recommending that you search for an all-encompassing single pane of glass, because in reality, they are as real as the Loch Ness Monster. So when it comes to centralization, pick your battles and centralize IT functions where it is achievable and there is clear business value. That said, you can work toward a unified network and security policy fabric that spans multiple data centers and clouds. That vision is key to our VMware NSX strategy.
In addition, business applications are rarely Windows-only, but also include Mac, web, and mobile apps. In that vein, you should also look at multi-cloud identity solutions that allow you to centralize identity and policy across all applications and content. Simply providing single sign-on for business apps (regardless of the type of app) is a highly visible win that you could achieve this year and that would provide immediate business value.
Just because the technology world is becoming more complex doesn’t mean that our IT solutions need to as well. Continuing to bolt on to legacy approaches may keep you running another day, but it will not afford you the agility and privacy that business units expect today, nor what’s needed to keep you in business tomorrow.
Learn about virtual cloud networking, the new software-based approach to networking and security.