A member of the Gartner Blog Network

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Software Defined Data Centers and Security–What’s in a Name?

by Neil MacDonald  |  January 29, 2013  |  2 Comments

Last fall, I wrote a research note for Gartner clients titled “The Impact of Software-Defined Data Centers on Information Security” that explored the impact of software defined infrastructure on security – and the evolution of information security infrastructure to become software-defined itself.

Today, I saw that NetCitadel had announced an offering in this emerging space and had used both the “software defined security” and “security policy orchestration” terms.

Many vendors have jumped on the “software defined X” bandwagon (just like “Cloud” a few years ago) including:

  • software defined networking
  • software defined storage
  • software defined security
  • software defined infrastructure
  • software defined data centers

But, what does “software defined” really mean?

A common misconception is that “software defined” means that everything is accomplished in software. That’s not correct. Even within software defined networking, ultimately something has to connect to a wire and forward packets in the data plane. The same is true with security policy enforcement.

Here’s what I propose: “Software defined” is about the capabilities enabled as we decouple and abstract infrastructure elements that were previously tightly coupled in our data centers: servers, storage, networking, security and so on.

I believe that to truly be “software-defined”, these foundational characteristics must be in place:

  • Abstraction – the decoupling of a resource from the consumer of the resource (also commonly referred to as virtualization when talking about compute resources). This is a powerful foundation as the virtualization of these resources should enable us to define ‘models’ of infrastructure elements that can be managed without requiring management of every element individually.
  • Instrumentation – opening up of the decoupled infrastructure elements with programmatic interfaces (typically XML-based RESTful APIs).
  • Automation – using these APIs, wiring up the exposed elements using scripts and other automation tools to remove “human middleware” from the equation. This is an area where traditional information security tools are woefully inadequate.
  • Orchestration – beyond script-based automation, automating the provisioning of data center infrastructure through linkages to policy-driven orchestration systems where the provisioning of compute, networking, storage, security and so on is driven by business policies such as SLAs, compliance, cost and availability. This is where infrastructure meets the business.

If those are the four characteristics, what is the goal of software defined infrastructure?

To me, it’s the capabilities enabled by the 4 characteristics above that are really driving the interest in “software defined everything”:

  • Agility – speed to respond by removing human middleware, speeding up the provisioning of infrastructure.
  • Adaptability – ability to change infrastructure usage dynamically to meet changing requirements and changing context – such as location, sensitivity of the data being handled and so on. Also the ability to adapt to changes in the infrastructure elements underneath without changing the models being managed (new hardware, new vendors, etc.).
  • Accuracy – by removing the human middleware component, reducing the chance for misconfiguration and mistakes by making infrastructure “programmable” and tying this into automation systems.
  • Assurance – confidence that what is deployed accurately meets your policy and compliance requirements
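The two lists above describe an architecture rather than a product, so here is an added example, not code from the post or from any vendor it mentions, that models the four characteristics and shows the Assurance capability as a concrete check. All names (Workload, SecurityAPI, Rule, the tier and sensitivity values) are hypothetical; the in-memory SecurityAPI stands in for a vendor's RESTful enforcement-point API, and the sample workloads are constructed for illustration.

```python
"""Toy policy-driven orchestration of security controls.

Abstraction:     Workload is a model of a compute element, independent of the host.
Instrumentation: SecurityAPI is a programmatic interface to the enforcement point.
Automation:      reconcile() converges actual state to desired state with no human step.
Orchestration:   desired_rules() derives controls from business context (tier, sensitivity,
                 location) rather than from hand-written per-device configuration.
Assurance:       drift() reports where the deployed state departs from policy.
All identifiers are hypothetical and the sample data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Workload:
    """Abstraction of a compute element; nothing here names a hypervisor or vendor."""
    name: str
    tier: str          # "web", "app" or "db"
    sensitivity: str   # "public", "internal" or "regulated"
    location: str      # e.g. "dc-east" or "cloud-eu"


@dataclass(frozen=True, order=True)
class Rule:
    """One security control to be enforced for one workload."""
    workload: str
    control: str       # e.g. "allow_from", "encrypt_at_rest", "log_level", "egress"
    value: str


class SecurityAPI:
    """Stand-in for a vendor REST API; keeps the applied rule set in memory."""

    def __init__(self):
        self._applied = set()

    def apply(self, rule):
        self._applied.add(rule)

    def remove(self, rule):
        self._applied.discard(rule)

    def current_state(self):
        return frozenset(self._applied)


def desired_rules(workloads):
    """Orchestration: translate business context into the controls each workload needs."""
    rules = set()
    upstream = {"web": "internet", "app": "web", "db": "app"}
    for w in workloads:
        # Tier-based segmentation: only the tier directly above may reach this one.
        rules.add(Rule(w.name, "allow_from", upstream[w.tier]))
        if w.sensitivity == "regulated":
            rules.add(Rule(w.name, "encrypt_at_rest", "required"))
            rules.add(Rule(w.name, "log_level", "full"))
        else:
            rules.add(Rule(w.name, "log_level", "standard"))
        if w.location.startswith("cloud"):
            # Off-premises placement: default-deny egress regardless of tier.
            rules.add(Rule(w.name, "egress", "deny_default"))
    return rules


def reconcile(api, workloads):
    """Automation: push the delta between desired and actual state; no human middleware.

    Returns (rules_added, rules_removed)."""
    desired = desired_rules(workloads)
    actual = api.current_state()
    to_add, to_remove = desired - actual, actual - desired
    for r in to_remove:
        api.remove(r)
    for r in to_add:
        api.apply(r)
    return len(to_add), len(to_remove)


def drift(api, workloads):
    """Assurance: report controls the policy requires but the device lacks, and vice versa."""
    desired = desired_rules(workloads)
    actual = api.current_state()
    return {"missing": sorted(desired - actual), "unexpected": sorted(actual - desired)}


# Constructed sample inventory (not real systems).
SAMPLE_WORKLOADS = [
    Workload("web-01", "web", "public", "dc-east"),
    Workload("app-01", "app", "internal", "dc-east"),
    Workload("db-01", "db", "regulated", "cloud-eu"),
]

if __name__ == "__main__":
    api = SecurityAPI()
    print("initial provisioning:", reconcile(api, SAMPLE_WORKLOADS))   # (8, 0)
    print("drift after provisioning:", drift(api, SAMPLE_WORKLOADS))
    # Someone changes the device directly; the assurance check catches it.
    api.apply(Rule("db-01", "allow_from", "internet"))
    print("drift after manual change:", drift(api, SAMPLE_WORKLOADS))
    print("re-converge:", reconcile(api, SAMPLE_WORKLOADS))            # (0, 1)
```

The point of the example is the shape of the system, not the rule set: policy is expressed once against the model, the API is the only path to the enforcement point, and the same derivation that provisions the controls also verifies them, which is what gives Assurance something concrete to measure.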

These 4 characteristics and 4 capabilities that arise from being “software defined” are the key to all software defined infrastructure, including security. So when you hear the hype about “software defined X”, see if it delivers against the above characteristics and capabilities.

Ignore the hype and navel-gazing arguments on the definition of “software defined”. It’s all about the capabilities enabled.

Category: Cloud Security, Next-generation Security Infrastructure, Software Defined Data Center, Virtualization Security

2 responses so far
  • 1 Neil MacDonald   January 29, 2013 at 7:39 pm

    I probably should add a fifth enabled capability:

    Alignment – by linking infrastructure provisioning to policy-driven orchestration systems that use business SLAs, imperatives, sensitivities, priorities, etc. to program the infrastructure accordingly — using business policies and priorities to govern infrastructure allocation and performance.

    Neil

  • 2 Girish Gurudutt   February 8, 2013 at 9:25 am

    Great article and provides clarity regarding software defined everything.

    Is VMware the only company living up to these definitions?

    Is VMware providing all the products that truly have the characteristics and capabilities of a software defined everything?

    Where do you think VMware stands in this software defined everything world?