The Shift to Software-Defined Security
What's behind the shift to software and service-centric operating models and solutions for enterprise security?
- By Greg Ness
- September 18, 2017
The writing is on the wall. Increasing demands on enterprise networks are forcing IT, security, and networking teams to change from hardware to software and service-centric operating models and solutions.
Cloud Is Driving New Security
There has been a substantial shift in thinking from a few years ago when most information security professionals saw the cloud as less secure. The cloud is now seen as transformational rather than as a potential security posture trade-off. This threatens security hardware and infrastructure players, who have benefited from rising cyberthreats and growing, increasingly connected networks. Several may have peaked in 2014/2015 when cloud enterprise workloads were mere outliers. These days, it looks like tough sledding for security vendors tied to hardware for critical enforcement capabilities.
The cloud may prove to be the driver of security transformation. Cloud infrastructure is being architected for new, emerging demands, especially related to horizontal and vertical scale and security. Cloud environments will increasingly adopt software and service-centric security solutions that can scale globally and seamlessly, without location-specific constraints.
In addition, digitalization will add to cloud delivery pressures and force IT into more software and services and away from hardware-defined tradeoffs. This, combined with buyer consolidation and commoditization, will make infrastructure-as-a-service (IaaS) and managed service providers powered by software-defined capabilities much more influential than traditional hardware vendors. Due to these factors among others, software-defined technologies are predicted to skyrocket in the coming years.
Traditional Security Can't Keep Up
In these evolving times, traditional access control technology has remained stagnant and preoccupied with endpoint posture checks on a LAN-by-LAN basis. Security teams are forced to focus more resources on maintaining larger access control lists and more complex access policies as networks grow. As networks embrace partners and clouds, process creep erodes security further by requiring more procedures to maintain an existing and increasingly obsolete security posture. The net effect is a security paradox: more security processes can result in weakened protection. At a certain point security processes can grow exponentially even when a network is changing slowly.
In addition, enterprises are confronting an increasing number and variety of breaches, proving how porous traditional security is against certain types of attacks, especially identity theft.
In this new reality, security teams fall behind if they don't develop a more powerful approach to access control. With the exponential growth of access points, the control of access at the perimeter is the most effective approach for protecting critical services. However, traditional perimeter security architectures fail to block untrusted users and devices from the network, forcing security teams to address breaches reactively, which is less efficient and more costly.
A Software-Defined Perimeter Approach to Access Control
Access control technology needs to evolve to more easily scale across diverse networks, including the cloud, and make better access decisions based on more advanced trust criteria. Trusted access control powered by software-defined perimeter (SDP) and trust assessment technology allows security teams to protect complex, hybrid networks with a single layer of protection. SDP technology confines access to application-specific tunnels that are opened to specific services as trust is determined.
A software-defined perimeter has significant advantages.
Traditional solutions, for example, typically require high up-front costs and single-vendor switch networks, as well as specialized skills. Hardware-based deployments also do not scale onto IaaS or hybrid networks, so a separate solution is needed to manage cloud security.
The SDP model secures access from the device/user to a specific application server, all centrally managed. The concept relies on rendering an organization's infrastructure "invisible." SDP then delivers access to authorized resources only, verifying user and device variables before granting access to an application. SDP enables granular access policies based on both user and device profiles that are taken in context at the time the specific access is requested. Another advantage is that SDP can protect applications regardless of where they reside -- on premises, in a hybrid cloud, and even in a public cloud.
Both the implementation time and the cost are much lower with SDP than with traditional network access control. By reducing the surface that needs to be protected to specific applications, it's easier to apply very tight controls through SDP's advanced techniques.
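The SDP model described above (infrastructure hidden by default, and access to one application opened only after the user and the device are both verified in the context of that request) can be shown as a small policy engine. The following is an added example written for this article, not code from the author or from any SDP product; the application names, group names and posture attributes are constructed for illustration:

```python
"""Toy software-defined-perimeter (SDP) policy engine (added example).

Models the article's description: everything is denied by default, and a
tunnel is granted to exactly one application only after user identity and
device posture pass the checks that application's policy requires.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in the organisation's device management
    disk_encrypted: bool
    os_patch_age_days: int   # days since the last OS patch was applied
    certificate_valid: bool  # device certificate presented and still valid


@dataclass(frozen=True)
class User:
    username: str
    groups: Set[str]
    mfa_verified: bool


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    application: str
    source_network: str      # constructed labels, e.g. "corp" or "internet"


@dataclass
class AppPolicy:
    allowed_groups: Set[str]
    require_mfa: bool = True
    require_managed_device: bool = True
    max_patch_age_days: int = 30
    allowed_networks: Set[str] = field(default_factory=lambda: {"corp", "internet"})


@dataclass
class Decision:
    allow: bool
    application: str
    reasons: List[str]       # every failed check, so denials are explainable in logs


def evaluate(policies: Dict[str, AppPolicy], req: Request) -> Decision:
    """Return an allow/deny decision for a single application.

    An unknown application is denied with the same shape of answer as a
    policy failure, so the caller learns nothing about what exists.
    """
    policy = policies.get(req.application)
    if policy is None:
        return Decision(False, req.application, ["access denied"])

    reasons: List[str] = []

    # Device posture: no tunnel is opened from an endpoint that fails posture.
    if not req.device.certificate_valid:
        reasons.append("device certificate invalid")
    if policy.require_managed_device and not req.device.managed:
        reasons.append("device not managed")
    if not req.device.disk_encrypted:
        reasons.append("disk not encrypted")
    if req.device.os_patch_age_days > policy.max_patch_age_days:
        reasons.append(f"OS patches older than {policy.max_patch_age_days} days")

    # User identity: group membership and MFA are evaluated per application.
    if not (req.user.groups & policy.allowed_groups):
        reasons.append("user not in an allowed group")
    if policy.require_mfa and not req.user.mfa_verified:
        reasons.append("MFA not verified")

    # Context of this specific request.
    if req.source_network not in policy.allowed_networks:
        reasons.append(f"source network {req.source_network!r} not allowed")

    return Decision(not reasons, req.application, reasons or ["all checks passed"])


# Constructed sample policies: one application reachable from anywhere by
# finance staff, one restricted to HR staff on the corporate network only.
SAMPLE_POLICIES: Dict[str, AppPolicy] = {
    "payroll": AppPolicy(allowed_groups={"finance"}),
    "hr-portal": AppPolicy(allowed_groups={"hr"}, allowed_networks={"corp"}),
}

# Constructed sample principals.
OK_USER = User("alice", {"finance"}, mfa_verified=True)
OK_DEVICE = Device("laptop-01", True, True, 7, True)
STALE_DEVICE = Device("laptop-02", True, True, 90, True)


def demo() -> List[Decision]:
    """Evaluate a few constructed requests and return the decisions."""
    return [
        evaluate(SAMPLE_POLICIES, Request(OK_USER, OK_DEVICE, "payroll", "internet")),
        evaluate(SAMPLE_POLICIES, Request(OK_USER, OK_DEVICE, "hr-portal", "corp")),
        evaluate(SAMPLE_POLICIES, Request(OK_USER, STALE_DEVICE, "payroll", "internet")),
        evaluate(SAMPLE_POLICIES, Request(OK_USER, OK_DEVICE, "no-such-app", "corp")),
    ]


if __name__ == "__main__":
    for d in demo():
        print(d.application, "ALLOW" if d.allow else "DENY", "; ".join(d.reasons))
```

The point of the structure is that a decision is scoped to one application rather than to "the network": being allowed into `payroll` says nothing about `hr-portal`, and a single failed posture check (here, a device ninety days behind on patches) closes the tunnel even for a fully authenticated user. Recording every failed reason is what makes the resulting denials useful to a security operations team reviewing access logs.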
Looking forward, the industry can first expect to see the shift to software and service-centric operating models and solutions within organizations with high security, compliance, and operating demands, because they will be among the biggest beneficiaries. Organizations under siege from attacks and expanding security processes can finally shift away from reaction fatigue and gain a strategic advantage.