The road to security is ever changing, but the path inevitably proceeds up the stack into new and transforming datacenter concepts. In today's ecosystems, there is both a challenge and an opportunity to implement security across a number of access points, including the latest emerging technologies in virtual networking, software-defined networking, and beyond. In a sit-down on theCube at VMworld 2012, Christofer Hoff, Chief Security Architect of Juniper Networks, describes the state of security challenges in these environments and the key elements in store for security in the future datacenter.
Hoff notes that no big, splashy moves in the security space have emerged yet in light of VMware's transition of its virtualization datacenter play to the cloud. He also calls VMware's acquisition of Nicira a brilliant move, one set to change the underpinnings of virtual networking. The security industry hinges its solution sets on the foundation of networking elements; therefore the ramifications for the security space are significant. The answer, according to Hoff, is to approach the problem with a focus on security that is designed to protect the application and its information in the first place. This means getting as close to the application and its information as possible. The introduction of software-defined networking, greater separation of workloads and data, and a non-static environment make for an interesting challenge, and the point of security service insertion becomes a critical focus. Hoff notes that a movement towards tighter, better, more broadly defined access points is required, going beyond API standards. The bolt-on approach to security will prove insufficient and fragmented without a shift towards a more integrated security model. A big problem here is the lack of agreement on how to define and standardize this integration at the API level and across the stack at the points of service insertion. The direction the Nicira story takes will dictate how the security industry integrates the coming changes, and the industry will likely be playing by some new rules.
Hoff briefly discusses the developer environment and notes that not all development can be lumped together. The focus and intent of the application are critical to consider: for example, some applications are designed for a specific environment and may require a feature such as network awareness, while others may not need any such elements. Distinguishing development from application is critical to understanding this, and requirements ultimately dictate whether the two cross over at all. Security integration requires that the industry recognize that fragmentation is a huge disadvantage, and that there is an opportunity to embrace the architecture of software-defined networking and benefit from a unified vision. Security can then be engineered as a rewrite that addresses the way in which security operations and the ecosystem interact. With a more fluid, automated vision for security, the benefits of this service-layer approach can be applied consistently across the virtual layer, cloud environments, SDN, and so on.