Gartner Blog Network

Software Defined Data Centers and Security–What’s in a Name?

by Neil MacDonald  |  January 29, 2013  |  2 Comments

Last fall, I wrote a research note for Gartner clients titled “The Impact of Software-Defined Data Centers on Information Security” that explored the impact of software defined infrastructure on security – and the evolution of information security infrastructure to become software-defined itself.

Today, I saw that NetCitadel had announced an offering in this emerging space and had used both the “software defined security” and “security policy orchestration” terms.

Many vendors have jumped on the “software defined X” bandwagon (just like “Cloud” a few years ago) including:

  • software defined networking
  • software defined storage
  • software defined security
  • software defined infrastructure
  • software defined data centers

But, what does “software defined” really mean?

A common misconception is that “software defined” means that everything is accomplished in software. That’s not correct. Even within software defined networking, ultimately something has to connect to a wire and forward packets in the data plane. The same is true with security policy enforcement.

Here’s what I propose: “Software defined” is about the capabilities enabled as we decouple and abstract infrastructure elements that were previously tightly coupled in our data centers: servers, storage, networking, security and so on.

I believe that to truly be “software-defined”, these foundational characteristics must be in place:

  • Abstraction – the decoupling of a resource from the consumer of the resource (also commonly referred to as virtualization when talking about compute resources). This is a powerful foundation, as the virtualization of these resources should enable us to define ‘models’ of infrastructure elements that can be managed without requiring management of every element individually.
  • Instrumentation – opening up the decoupled infrastructure elements with programmatic interfaces (typically XML-based RESTful APIs).
  • Automation – using these APIs, wiring up the exposed elements with scripts and other automation tools to remove “human middleware” from the equation. This is an area where traditional information security tools are woefully inadequate.
  • Orchestration – beyond script-based automation, automating the provisioning of data center infrastructure through linkages to policy-driven orchestration systems, where the provisioning of compute, networking, storage, security and so on is driven by business policies such as SLAs, compliance, cost and availability. This is where infrastructure meets the business.

If those are the four characteristics, what is the goal of software defined infrastructure?

To me, it’s the capabilities enabled by the 4 characteristics above that are really driving the interest in “software defined everything”:

  • Agility – speed to respond by removing human middleware, speeding the ability of infrastructure to be provisioned.
  • Adaptability – the ability to change infrastructure usage to meet dynamically changing requirements and changing context, such as location, sensitivity of the data being handled and so on. Also the ability to adapt to changes in the infrastructure elements underneath without changing the models being managed (new hardware, new vendors, etc.).
  • Accuracy – by removing the human middleware component, reducing the chance for misconfiguration and mistakes by making infrastructure “programmable” and tying this into automation systems.
  • Assurance – confidence that what is deployed accurately meets your policy and compliance requirements.

These 4 characteristics and 4 capabilities that arise from being “software defined” are the key to all software defined infrastructure, including security. So when you hear the hype about “software defined X”, see if it delivers against the above characteristics and capabilities.
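As an added illustration (not from the original post), here is a small Python model of what “software defined” security looks like against these characteristics: workloads are an abstracted model carrying business attributes (sensitivity, location), enforcement rules are compiled from that model rather than hand-edited, and an assurance check reports drift between the policy-derived rules and what is actually deployed. The tiers, ports and workload inventory are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    """Abstraction: a workload is modelled by business attributes, not by host or IP."""
    name: str
    sensitivity: str  # "public", "internal" or "restricted" (constructed tiers)
    location: str     # e.g. "dc-east" (constructed)

@dataclass(frozen=True)
class Rule:
    """One concrete enforcement rule the data plane would carry."""
    src: str
    dst: str
    port: int
    action: str

# Constructed business policy: which tiers may reach a tier, and on which ports.
TIER_POLICY = {
    "public":     {"allowed_from": {"public", "internal", "restricted"}, "ports": {80, 443}},
    "internal":   {"allowed_from": {"internal", "restricted"}, "ports": {443, 8080}},
    "restricted": {"allowed_from": {"internal", "restricted"}, "ports": {443}},
}

def compile_rules(workloads):
    """Automation: derive enforcement rules from the model with no human middleware.
    Restricted workloads additionally accept traffic only from their own location,
    the context-driven adaptability the post describes."""
    rules = set()
    for dst in workloads:
        policy = TIER_POLICY[dst.sensitivity]
        for src in workloads:
            if src is dst or src.sensitivity not in policy["allowed_from"]:
                continue
            if dst.sensitivity == "restricted" and src.location != dst.location:
                continue
            for port in policy["ports"]:
                rules.add(Rule(src.name, dst.name, port, "allow"))
    return rules

def assurance_check(desired, deployed):
    """Assurance: report drift between policy-derived rules and what is enforced."""
    return {"missing": desired - deployed, "unexpected": deployed - desired}

WORKLOADS = [  # constructed sample inventory
    Workload("web", "public", "dc-east"),
    Workload("app", "internal", "dc-east"),
    Workload("db", "restricted", "dc-east"),
    Workload("analytics", "internal", "dc-west"),
]
```

Running `assurance_check(compile_rules(WORKLOADS), deployed)` against a rule set pulled from the enforcement point is the orchestration-side check that what is deployed matches policy.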

Ignore the hype and navel-gazing arguments on the definition of “software defined”. It’s all about the capabilities enabled.


Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Thoughts on Software Defined Data Centers and Security–What’s in a Name?

  1. Neil MacDonald says:

    I probably should add a fifth enabled capability:

    Alignment – by linking infrastructure provisioning to policy-driven orchestration systems that use business SLAs, imperatives, sensitivities, priorities, etc. to program the infrastructure accordingly — using business policies and priorities to govern infrastructure allocation and performance.


  2. Great article and provides clarity regarding software defined everything.

    Is VMware the only company living up to these definitions?

    Is VMware providing all the products that truly have the characteristics and capabilities of a software defined everything?

    Where do you think VMware stands in this software defined everything world?
