Building the business case for SDN
Security threats are not only escalating, they are changing in nature. The days of the virus and annoying spam malware are over; we live in a different world where cyber threats and attacks are significant global and political challenges.
So said Gareth James, Network & Security Specialist, VMware Sub Saharan Africa. For companies, there are risks to overcome, in terms of both financial losses and damage to their brand. Despite additional types of protection being added at the edge of data centre networks, from advanced firewalls to intrusion prevention systems, attacks are still managing to penetrate the perimeter and breaches are still happening on a regular basis.
He said this is one reason Gartner cites 'Adaptive Security Architecture' as one of the Top 10 Strategic Technology Trends for 2016. "The complexities of digital business combined with an emerging 'hacker industry' significantly increase the threat surface for any organisation."
This new security landscape requires a new solution, which is where software-defined networking (SDN) and network virtualisation come in. According to James, these technologies have evolved from being merely new and innovative to a core priority for businesses that are serious about security.
He describes SDN as bringing the operational model of a virtual machine to a data centre network, transforming the management of the network and security operations to deliver better visibility and control for the network manager.
"Crucially, it encourages the use of micro-segmentation - moving from a 'hard perimeter' style of protection to a more granular security model, tied to individual workloads. Think of the different security models as a boat versus a submarine: the former with one central, fairly vulnerable hull which, when breached, is completely exposed versus the latter with compartmentalised air-locks throughout that ensure specific sections can be locked off quickly if required, or automatically if there is a fire."
According to him, SDN can have a big impact on businesses, as it offers adequate protection against today's sophisticated threats, and lowers the chance of having data, operations and IP exposed when traditional perimeter defences fail. However, he says convincing the business of the need for SDN isn't always easy. "The challenge facing IT departments is that these issues become deeply technical, very quickly - they're all too easy for the rest of the business to ignore, until a breach happens and it's too late."
To change this, James said IT needs to dramatise the issue, and escalate it throughout the company, making a solid business case for investing in SDN to those at the top of the business. He says there are three steps IT can take to do this.
Firstly, establish the need for a culture of trust. "Many companies have begun using infrastructure that they don't own and don't control, with minimal assurance of its verification. There's a role for the IT department to champion the necessity of a trusted environment, one where employees know that they can trust their new forms of infrastructure to be available and to safely manage the integrity of their data."
Secondly, he advises communicating solutions, not obstacles. He says a cyclical effect often occurs, where people are so busy that it becomes difficult to break from the cycle of being busy. Network virtualisation, as part of a broader automation strategy, can help IT create both the time and resources needed to actively find solutions the business needs, but it requires support from the top down. "The obligation on IT though is to be able to ask for the right support to make it happen."
Finally, he says to prepare teams the right way. In reality, there is no need to re-skill roles for the SDN world, as the process is more of a 'tune up' for teams, so less of an investment for the broader business.
An example, he says, would be firewall administrators who still retain and leverage their existing experience and knowledge of writing policy to secure application communication flow. "However, instead of relying on existing manual policy definitions based on IP addresses or port numbers which result in a policy push, they can focus now on templates that automatically apply based on characteristics of the workloads being deployed regardless of the IP address."
This dramatically lowers the complexity and/or number of rules to manage, and allows the firewall team to ditch the onerous and often inaccurate task of manual policy maintenance. Similarly, server virtualisation changed the role of the server administrator, but in most cases it enhanced their role - SDN can also do the same for the firewall admin, James explains.
He says these will undoubtedly be starting points of more in-depth conversations, but there is the need to persist. While there will be initial upfront investment required to modernise enterprise security, it's a nominal figure compared to the costs incurred, both financial and to the organisation's reputation, should the company fall victim to a breach.