Security in the new cloud and mobility reality

Security must change as IT departments adopt the dual mega-trends in networking: cloud services and mobility. These trends open up opportunities for cost savings and new revenues. But given the increased threats to cyber-security, these trends will also require new approaches to defining and enforcing security.

Today, IT departments use a variety of technologies to establish a security perimeter that protects assets such as data, compute resources and bandwidth against threats such as undue disclosure, modification, or disruption. These technologies range from perimeter protection devices, such as appliance-based firewalls, to the application of cryptographic protection of data.

With IT departments embracing cloud-based services and enabling mobile workforces, some of the traditional approaches to enforcing security, such as employing appliance-based security perimeter protection, are no longer sufficient. Cloud-based services lift the compute and storage capabilities from dedicated hardware/software platforms to virtual machines (VM) running on generic servers. VMs can be dynamically started and stopped, suspended for extensive periods of time and even moved to geographically distant compute farms. Furthermore, mobility adds to this complexity, because security policies must be applied to a much larger universe of devices that can be connected in any global location.

As IT departments investigate how to update traditional security controls in this new world of cloud and mobility, they must redirect their security enforcement from a perimeter-based model to one that focuses on applications and the VMs running them. The new model can be called a perimeter-less security regime. It can also be called a software-defined security regime since it must be virtualized along with the applications and data it secures. And a successful perimeter-less, software-defined security regime will have the capability to accomplish two primary goals: centralize policy and distribute enforcement.


Operators running mobile networks have implemented centralized security policies with distributed enforcement over the last decade as they have rolled out mobile voice and text services globally and been required to deal with, for example, roaming and radio network sharing between operators. This success can now be carried into more complex mobile cloud networks.

Policy defines the security goals of a given computer system, including authorization and data confidentiality requirements. Centralizing policy allows IT departments to define a single consistent set of policy statements that are then applied across the entire system. Establishing this kind of centralized security policy control should also allow IT departments to align mobile cloud security policies with separate security policies that are currently implemented in dedicated appliances.

Distributed enforcement allows the IT department to virtualize security enforcement functions and to attach security enforcement to mobile VMs – in short, to enforce the policies where they are closest to the asset to be protected.

Implementing perimeter-less security with centralized policies and distributed enforcement requires a flexibility and agility that is lacking in most current network architectures and Operations Support Systems and Business Support Systems (OSS/BSS). It is likely that software-defined networking (SDN) architectures will play a major role in the orchestration of security policies for these new networks.

One of the first SDN use cases is service chaining, which defines the ordered set of edge appliance functions (including security) applied per service and per user. The goal is to automate the provisioning of service chains and to reduce the provisioning time from days and weeks to minutes and hours. New initiatives are also looking at the challenge of how cloud-based services can co-exist with the growing trend of end-to-end traffic encryption. SDN will allow security to be attached to individual applications and VMs. Northbound interfaces will also allow the SDN controller to maintain synchronization with centralized security policies. These two aspects – flexible security per VM and policy synchronization – are critical to perimeter-less security.

Managing perimeter-less security will require much more agile network and business management than is available in current OSS/BSS systems. Cloud management systems provision and manage multiple and mobile VMs (and attached security) in accordance with business and charging agreements, and these cloud managers will be the source for the centralized security policies. These systems will also manage the distributed VMs and associated security. Working together with SDN controllers, cloud management will enable perimeter-less security and scalability.

SDN and cloud management offer the flexibility, scalability and agility necessary to implement effective perimeter-less, software-defined security in the new cloud and mobility IT reality.