Security Driving SDN Uptake

Software Defined Networks are here. In just a couple of years they have moved from theory and are now part of every CIO's planning. And that means a significant rethink is needed when looking at security. With many critical functions moving off proprietary hardware towards open platforms where core functions are abstracted to software, the way networks are managed and secured is changing.

Martin Casado is the CTO of Networking at VMware and the inventor of OpenFlow. He was the keynote speaker at the recent NetEvents Cloud Innovation Forum held in Saratoga, California. He says that the move towards SDN was initially driven by the likes of Google, Facebook and Amazon.

"These very, very technical companies with some of the most technical expertise on the face of the planet came up with their own architecture. And if you look at what that trend looks like, basically, what they did is they said, I'm going to move functionality that has traditionally been in the network, and I'm going to move it to software. So things like security, things like security, things like fault isolation, things like billing, things like visibility and debugging, instead of being traditionally put in hardware in the network, they were moved into software," he said.

Interestingly, Casado said that security is actually a key driver in the uptake of SDN. He believes that about 40% of the adopters actually paying money for SDN network virtualisation are doing so for a security use case.

"So before I went to Stanford, I actually did computer security," Casado explained. "I did kind of operations, where I would actually break into things. And let me tell you, a data centre has almost no controls in it at all. Like, 80% of our spend is on the perimeter, and that's a Maginot Line. So if I can pay somebody off or I can put on a black mask and I can break into the building and I can install some code on a server or I can remotely exploit a server, if I get in the data centre, I'm done. That's because that's where all the data is, and there's almost no controls within the data centre".

SDN allows data centre architects to segment operations so that interactions between systems inside the data centre can be better managed and secured.

"So, for example, for every application I can create a virtual network. I can give it its own security services. I can give it its own L4 through 7 services, and if it gets compromised, the attack gets localised to just that," Casado explains.

Security, in Casado's view, is a balancing act between isolation and context.

"The question we've been asking is, can you build a Goldilocks layer that goes ubiquitously throughout the data centre that provides both context and isolation?".

Given the penetration of virtualisation – Casado speculated that about 70-80% of enterprise workloads are virtualised – the hypervisor becomes the vehicle for providing both that context, as information passes from one domain to another, and the isolation that stops unexpected data being passed between domains or systems.

"If you could use the hypervisor to both peer into the application to pull out meaningful context, like users and applications and what things are doing but also protect that visibility and provide protection and enforcement, you kind of have this optimal place, where you have both this visibility and context and the isolation," he said.

One of the challenges, in our view, that comes with moving key functions into software and away from hardware is that the time between development and deployment is greatly reduced. This can create an appetite for rapid changes. Although this has a significant benefit in that it can drive innovation, it can also result in errors being put into production more rapidly.

Casado says that this can be overcome.

"I think you should have a root of trust that's formally verified. I think it should be in software, because if there's a bug, I want to be able to fix it on the fly instead of shipping a new box, so I think software is actually inherently more secure for exactly that reason. So here's what I would like to do. When you get your hypervisor from me, there's a stack there that's 10,000 lines that I've formally verified that gives you a root of trust. It will use hardware TPM [Trusted Platform Module] and it will give you a root of trust. And then if you care about very secure things, you use that root of trust to build your very secure things, and if you don't use very secure things, you can do whatever the hell you want".

As we all know, and as Casado agrees, there is no perfect security. Even in the 'Goldilocks layer' he alluded to, there can be problems. However, Casado used the metaphor of making your bed to highlight how security might be managed in future.

"I don't believe in perfect security. I'm not a Pollyanna. I always think of it like this, so this morning, when I made my bed. So you get up and you make your bed and you're putting your blanket on. There's always that last bump, and then you take that bump, and instead of getting rid of the bump, you kind of move it over to the wall, it looks nice by the wall, or you move it over the pillow. So I think this is a lot of security. I don't think you get rid of security vulnerabilities. You just move it to a place that you know how to protect. You kind of move that bump somewhere".

Anthony Caruana attended the Cloud Innovation Forum in Saratoga, California as a guest of NetEvents.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
