Last fall, I wrote a research note for Gartner clients titled “The Impact of Software-Defined Data Centers on Information Security” that explored the impact of software defined infrastructure on security – and the evolution of information security infrastructure to become software-defined itself.
Today, I saw that NetCitadel had announced an offering in this emerging space and had used both the “software defined security” and “security policy orchestration” terms.
Many vendors have jumped on the “software defined X” bandwagon (just like “Cloud” a few years ago) including:
- software defined networking
- software defined storage
- software defined security
- software defined infrastructure
- software defined data centers
But, what does “software defined” really mean?
A common misconception is that “software defined” means that everything is accomplished in software. That’s not correct. Even within software defined networking, ultimately something has to connect to a wire and forward packets in the data plane. The same is true with security policy enforcement.
Here’s what I propose: “Software defined” is about the capabilities enabled as we decouple and abstract infrastructure elements that were previously tightly coupled in our data centers: servers, storage, networking, security and so on.
I believe to truly be “software-defined”, these foundational characteristics must be in place
- Abstraction – the decoupling of a resource from the consumer of the resource (also commonly referred to as virtualization when talking about compute resources). This is a powerful foundation as the virtualization of these resources should enable us to define ‘models’ of infrastructure elements that can be managed without requiring management of every element individually.
- Instrumentation – opening up of the decoupled infrastructure elements with programmatic interfaces (typically XML-based RESTful APIs).
- Automation – using these APIs, wiring up the exposed elements using scripts and other automation tools to remove “human middleware” from the equation. This is an area where traditional information security tools are woefully inadequate.
- Orchestration – beyond script-based automation, automating the provisioning of data center infrastructure through linkages to policy-driven orchestration systems where the provisioning of compute, networking, storage, security and so on is driven by business policies such as SLAs, compliance, cost and availability. This is where infrastructure meets the business.
If those are the four characteristics, what is the goal of software defined infrastructure?
To me, it’s the capabilities enabled by the 4 characteristics above that are really driving the interest in “software defined everything”:
- Agility – speed to respond human middleware, speeding the ability of infrastructure to be provisioned.
- Adaptability – ability to change infrastructure usage to dynamic meet dynamically changing requirements and changing context – such as location, sensitivity of the data being handled and so on. Also ability to adapt to changes in the infrastructure elements underneath without changing the models being managed (new hardware, new vendors, etc.)
- Accuracy – by removing the human middleware component, reducing the chance for misconfiguration and mistakes by making infrastructure “programmable” and tieing this into automation systems
- Assurance – confidence that what is deployed accurately meets your policy and compliance requirements
These 4 characteristics and 4 capabilities that arise from being “software defined” are the key to all software defined infrastructure, including security. So when you hear the hype about “software defined X”, see if it delivers against the above characteristics and capabilities.
Ignore the hype and navel-gazing arguments on the definition of “software defined”. It’s all about the capabilities enabled.
Category: Cloud Security Next-generation Security Infrastructure Software Defined Data Center Virtualization Security Tags: Adaptive Security Infrastucture, Context-aware Security, Next-generation Data Center, Next-generation Security Infrastructure, Reducing Complexity, Software Defined Security, VMware