The Changing Face of Security in an SDDC

Traditional security models depend on physical devices deployed on the perimeter of a private data center and are therefore blind to the complex security-related activity inside virtual infrastructure

As per Wikipedia, Software-defined data center (SDDC) is a vision for IT infrastructure that extends virtualization concepts such as abstraction, pooling, and automation to all of the data center’s resources and services to achieve IT as a service (ITaaS). In a software-defined data center, “all elements of the infrastructure — networking, storage, CPU and security – are virtualized and delivered as a service.”

Despite the many benefits that companies can and are achieving by adopting Software Defined Data Centers (SDDCs), virtualization throws up many new security and compliance challenges. Legacy physical data center security architectures are rigid and complex. “Traditional” security depends on physical devices deployed on the perimeter of the private data center. These physical devices rely on state full inspection and are therefore blind to the complex security-related activity inside virtual infrastructure, whose networks they can’t see.

This complexity is combined still by the need of deploying a large number of dedicated appliances to enforce any reasonably defense-in-depth protection set up, forcing security, load balancing, and gateway services to co-exist and work seamlessly along -a task that seldom delivers. New software defined security approaches, by contrast, introduces simplicity to the world of network security. Here, security enforcement is based on logical policies not tied to any specialized security appliance. This is achieved by abstracting and pooling security resources across boundaries, independent of the physical location of the asset.

Some of the key characteristics of Software Defined Security are:

Abstraction

Security is abstracted from the “physical” boundaries like fixed resources (CPU, memory, disk space) and replaced with logical flexible controls, Here making security just another service or logical resource to the virtual infrastructure and control through security policy orchestration is the goal of abstraction. Now without the concern for the underlying physical hardware capabilities, common security processes can be deployed repeatedly.

Elasticity & Automation

The need for elasticity arises as in the software defined environment, the ability to quickly provision new virtual servers, move them across physical assets is mandated without disrupting the service. Automation ensures that surges in demand triggers server provisioning events and here security policy enforcement by role based controls can assure only privileged access users can make modifications. Software defined automation gives instant reaction to security events, notifications & quarantine policy as applicable. This is in contrast to traditional models, of manual action & administration.

Shared Resources & Control Orchestration

Software defined architecture is designed to integrate a range of network security controls into a “single pane of glass” for effective analysis & control. Orchestration is critical for compliance requirements and numerous security events can be integrated to real time policy driven system. This can minimize security overheads over shared resources and mitigate “Storm” events. Achieving this over traditional data center based approaches is expensive and complex.

These characteristics are unique to new Software defined security approaches and are difficult, complex and expensive to attain with traditional security appliances.