Programmable Networks – Or the Parkour of Security?

Mosquitoes in particular, and bugs in general, can be handled in many ways: gossamer curtains, incense sticks, repellent vaporizers, even skin ointments. But can we say – to each his own?

Pratima Harigunani


INDIA: They didn’t know it back then, but things were so easy for them. Construct gigantic iron gates; lay down intimidating moats; and if you still like to jazz it up, sprinkle sharp spears all over the entrance. There you had it – elephants, intruders, armies – out and deterred.

But the world had to toss over. Smart foes found new and sneaky ways to creep inside the tallest and sturdiest of forts.

As Arun Parameswaran, Managing Director, VMware India, noted on the margins of a study the company sponsored on corporate data security practices, there is a segment of enterprises that is aware that people and systems can be easily bypassed or blindsided if the business lacks a ubiquitous IT architectural plan that cuts across all levels of compute, network, storage, clouds and devices. In this research, conducted by The Economist Intelligence Unit (EIU), it emerged that Indian businesses are under increasing risk from serious cyber-attacks, with 33 per cent of the respondents expecting to be targeted within 90 days.


In terms of critical risks that came up here, one can spot ‘unknown cyber threats that move faster than their defenses’, ‘resources and data that may unknowingly reside in the cloud’, and yes, ‘employees who are careless or untrained in cyber-security’.

Threats are fast, they do not arrive through the gate, and they can jump, climb, crawl, and perhaps even evaporate anywhere. Towering walls do not terrify them anymore, but maybe that’s why war strategists thought of Ninjas.

Defence – covered in black, agile and invisible as thin air, and able to adapt to any situation or threat.


Abstraction, agility, and programmability – that’s what networks can be changed to.

In the post-Software-Defined-Everything world, the core attributes of software have finally touched the reigning corner of hardware in an enterprise – routers, switches and networking gear.

Still, when Anand Patil, India Lead - SDDC Sales at VMware talks of the dangers of east-west traffic in a world where people easily feel complacent after posting a security guard at the main gate, one gets intrigued.


Let’s assume Ninjas are the new status-quo; does that mean they are dependable? That they do not intimidate their masters? That they can leap across tall and converged complexes with as much confidence as they flit about over individual bungalows? Won't they be a good costume to hide in if the attackers wanted to? If they can vanish fast and alone, how do you manage them as an army?

In a long chat, Patil tackles many such doubts and explains micro-segmentation, virtualisation, convergence etc. from a security context. Jump on.

Why are we talking of networks, virtualisation and security in the same breath?


VMware started helping enterprises to set up private clouds and challenged how three core IT pieces – Compute, Storage and Networks – were addressed. On the Compute side, we brought in management, provisioning and fault tolerance. We later started applying that to the storage side as well. Now the strategic piece of networking is being taken care of with the same mindset. The entire construct of SDDC (Software Defined Data Centres) is more automated, agile, fault-tolerant and secure.

Data Centres have changed a lot. Does security and networking change between converged and hyper-converged infrastructures? How does one compare VCE and EVO models?

We work with our partners to build SDDCs on a number of choices of infrastructures. For us, both the ends of the spectrum exist. We work with all options and it all boils down to functionality. What matters is how and what applications run on the top of the hardware and the software part becomes critical. Some of the goals can be achieved through the application and some through the networking layer.


Software is interesting. But won’t more abstraction and more programmability mean more vulnerability on the security side?

Today, software pretty much differentiates a business. You look at Tesla, GE or a forward-thinking bank and you can see that what differentiates them is not a car, a machine or a transaction but the software that empowers it. Almost every company today is a software company, a digital business and they need to have a strategy for hosting applications and testing software. That’s also where infrastructure becomes key on the ground of differentiation. Hosting applications is important and the infrastructure beneath them has to be agile and secure.

Agility and security can easily turn into contradictory goals. Or not?


They may sound contradictory, but there is a connection between them. Agility helps in making fast changes and responding to business requirements. But there is no reason to do that without enough security. As long as you automate a function properly and data centres are able to take care of the necessary configurations for that, the two goals can be mutually helpful. One can create a layer of abstraction between hardware and software to run multiple instances of applications. That can be done in a way that it can scale down, up, automate, add capacity etc. in a way that the underlying hardware does not matter.

What connects networking and security in this model?

Just placing a guard at the gate in a housing society is good for perimeter security. But when we focus on north-south traffic, we forget the existence of east-west traffic. Once inside the gate, anyone can move anywhere. Once a threat enters inside the data centre, what then?

Recent threat patterns show that attackers first focused on low-priority targets, sat there for a while, sensed data and flows and then moved to high-priority areas. This is where we want to change things with solutions like NSX by virtualising network function into software – and take security as close to an application as possible. So that inside a data centre we guard not just the perimeter but every application layer. Even if an application is on the same piece of hardware, it will have to go through checks.

How does that work?

We have basically extended the abstraction concept to networking and got away from dependence on hardware. We create a layer in between physical infrastructure and applications which assists businesses to detect and respond to cyber-attackers that were taking advantage of new gaps or exposed frontiers. VMware NSX has been designed as a completely new operational model for networking that forms the foundation of the software-defined data center. It builds networks in software, allowing data center operators to achieve levels of agility, security and cost savings. This was previously not possible through physical networks.

Is that notion working? Would governing VMs (Virtual Machines) be easier than looking after routers and switches? Are enterprises adopting this direction?

Look at what Bharti achieved when it took the shift from monolithic to commodity hardware and employed a replication model that attaches security policies to a module. Companies like Bharti and SBI have reduced provisioning times considerably with the new approach. We have seen customers across multiple verticals adopt this route and gain from it. Network virtualisation is now a critical component of SDDC at VMware. We are witnessing a lot of traction. With a $600 million annual sales run rate for NSX, and about 1700 customers worldwide with a number of 400 that have gone into production; the adoption road is bright.

Where does micro-segmentation come into play?

It’s about how to direct, abstract and allow traffic inside the complex called a data centre. Because of the application-architectures of today, east-west traffic is trickier than the north-south one and that side of control has become critical. When we virtualise a network, we attach security policies on the VMs and put a software firewall within the kernel. Now any traffic is subject to scrutiny.
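To make the micro-segmentation idea concrete, here is a small added illustration (not VMware’s or NSX’s code, and not from the interview): each workload carries a security tag, the allow-list is written against tags rather than IP addresses, and every flow is checked at the destination VM itself, so two VMs on the same hypervisor get exactly the same scrutiny as two VMs on different hosts. The tier names, VM names, hosts and ports are all constructed for the example; the per-source count of denied flows at the end is the kind of signal a security team would watch for lateral movement.

```python
"""Added illustration of micro-segmentation (not VMware/NSX code).

Policy is keyed on workload tags; enforcement happens per VM, so placement
on the same host does not bypass the check. All names below are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source VM name ("internet" for anything outside the data centre)
    dst: str    # destination VM name
    port: int   # destination TCP port


@dataclass(frozen=True)
class Workload:
    name: str
    host: str   # hypervisor the VM runs on (constructed names)
    tier: str   # security tag the policy is written against


# Allow-list keyed on (source tier, destination tier, port); anything else is denied.
POLICY = {
    ("any", "web", 443),   # north-south: outside world -> web tier
    ("web", "app", 8080),  # east-west: web -> app
    ("app", "db", 5432),   # east-west: app -> db
}


class DistributedFirewall:
    """Policy enforced at each VM's virtual NIC, so host placement does not matter."""

    def __init__(self, workloads, policy):
        self.by_name = {w.name: w for w in workloads}
        self.policy = policy
        self.log = []   # (flow, decision, same_host) records kept for audit and alerting

    def _tier(self, name):
        w = self.by_name.get(name)
        return w.tier if w else "any"   # unknown endpoints only match "any" rules

    def check(self, flow):
        src, dst = self._tier(flow.src), self._tier(flow.dst)
        allowed = ((src, dst, flow.port) in self.policy
                   or ("any", dst, flow.port) in self.policy)
        src_w, dst_w = self.by_name.get(flow.src), self.by_name.get(flow.dst)
        same_host = bool(src_w and dst_w and src_w.host == dst_w.host)
        decision = "allow" if allowed else "deny"
        self.log.append((flow, decision, same_host))
        return decision

    def denied_by_source(self):
        """Denied flows per source VM: a burst here is what an analyst would alert on."""
        return dict(Counter(f.src for f, d, _ in self.log if d == "deny"))


def demo():
    """Run constructed flows through the policy; returns (decisions, denied-per-source)."""
    workloads = [
        Workload("web1", "esx01", "web"),
        Workload("app1", "esx01", "app"),   # deliberately co-located with web1
        Workload("db1", "esx02", "db"),
    ]
    fw = DistributedFirewall(workloads, POLICY)
    flows = [
        Flow("internet", "web1", 443),   # perimeter traffic, permitted
        Flow("web1", "app1", 8080),      # same host, still checked, permitted
        Flow("web1", "db1", 5432),       # skips the app tier: denied
        Flow("app1", "db1", 5432),       # permitted
        Flow("web1", "app1", 22),        # same host, but no rule for port 22: denied
    ]
    return [fw.check(f) for f in flows], fw.denied_by_source()


if __name__ == "__main__":
    decisions, denied = demo()
    print(decisions)   # ['allow', 'allow', 'deny', 'allow', 'deny']
    print(denied)      # {'web1': 2}
```

The point the example makes is the one Patil describes: a flow from web1 to app1 on port 22 is refused even though both VMs sit on the same hypervisor, because the rule set is attached to the workloads rather than to a choke point at the edge of the network.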

Does that not interrupt goals of end-to-end encryption and provisioning?

It is still transparent with agentless security on servers. It improves performance with high-order security inspection inside the packets. The traffic does not know it is being watched. It’s like an inconspicuous bystander watching traffic at a toll road.

Any apprehensions that programming networking can lead to?

Incidentally, networking is that one piece in IT that has not changed fundamentally in the past few years while almost everything else has. It’s still very hardware-dependent, looks the same from box to box and has teams specialised to take care of it the old way. We are now talking about a paradigm shift – look at a screen and not at the box. That will take a lot of re-shaping and a change of mindset, but VMs can soon be the templates to look at networking in an aggregate sense.
