Five steps to creating a secure software defined environment


Today, many companies see their once protective corporate network perimeter starting to crumble. Some would say that the secure perimeter is already gone due to a variety of factors including botnet malware that tunnels port 80 with encrypted traffic, ubiquitous wireless access from coffee shops and other possibly unsecure locations, BYOD programmes, and consumerisation of IT.

As a result, security is needed everywhere within the software-defined data centre. It is no longer a single appliance that does everything, but a series of tools linked by a common policy. Security policy is implemented at the core of the network, within the virtualised network and at the edge.

For years, security involved layering perimeter defences and physical technology infrastructure that drove up operations and IT costs. But advanced, innovative technologies are driving IT leaders to step outside the conventional plaster approach.

The traditional “hard exterior, soft interior” network security model has become outdated. As we move into a software-defined world, the idea that physical hardware can suitably protect all of an organisation's data is akin to going into a modern-day battle with troops dressed in chainmail armour. In response, some companies have started to compartmentalise their networks and data centre by reclassifying their data based on need-to-know access.

Configuring networks manually, even with intelligent administrative tools such as Provider One, is too slow to deal with the dynamics of today's need to configure a network on the fly, securely. Only a software-defined network (and operating environment) can achieve this.

Here we outline the five key steps organisations can take to secure their environment in a software-defined world:

1. Cloak your endpoints and go undetectable: Hackers attempt to locate devices on a network by broadcasting network messages, where even a negative reply can tell them what they want to know: the IP addresses of systems they can further probe for vulnerabilities. A cloaking strategy is based on the idea that by hiding all endpoints completely from attackers, there's no vector to target. Hiding is easily achieved by modifying packets as they travel from ISO layer 3 (IP) to layer 2 (transport). Such modified packets are successfully routed in layer 2 but are meaningless unless they are re-constituted at the receiving host while they travel from layer 2 back to layer 3. This darkens endpoints on the network, making them undetectable.

2. Segment your data centre by using Communities of Interest: Best practices in data segmentation involve establishing communities of interest (COIs), in which the users and devices within each community have finite and predetermined visibility and access to different servers and applications. COIs are not defined forever; they are created and closed ad-hoc. The best option for this is to create flexible software defined VPN channels. Such software defined (VPN-type) networks create instant secure communications in an insecure environment. Software defined reconfiguration must be automatic and a matter of seconds.

3. Isolate disparate networks: Configuring and maintaining separate physical networks is prohibitively expensive and difficult to support, and relying upon telecommunications provider networks cannot assure security. Organisations need an ability to create a communications tunnel cloaked from those who are not part of a COI, and regional isolation creates the effect of cryptographically isolating each COI member.

4. Move mission-critical workloads to a more secure cloud: Mission-critical workloads require both high availability and high security, and if either one is in question, a new approach might be required. With today's solutions, private clouds can deliver the same availability attributes as a public cloud, except that they do so more securely from within your data centre, providing “just in time” resources that can be shared between COIs but remain secure and isolated from each other. IT resources are converted into a flexible, metered, self-provisioned service delivery that remains under your own security control.

5. Convert existing computing devices into secure communication tools: The challenges involved in fusing network security into any software-defined network deployment are not unique to a vendor or technology. The truth is there is much new ground to be broken in both security and software-defined networking in 2015, and no single vendor or technology has defined the outer limits of what is possible. Security has to be an intrinsic attribute of any network change, not a prerequisite or afterthought. To respond to sudden market changes, or last-minute requests, organisations often need to be able to establish ad-hoc networks quickly, efficiently and securely. Installing large numbers of stand-alone VPN connections is not the answer. They can adopt an approach akin to COI, one that leverages existing information (such as the MS Active Directory) to create a secure tunnel. A customised, dedicated and portable device can then enable a remote user to boot up and establish a “clean and secure session” linking back to the organisation's own network.
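A minimal sketch of the COI idea from steps 1 to 3 and the directory-driven membership mentioned in step 5, added here as an illustration and not taken from any vendor's product. The endpoint names, group names and key store are constructed assumptions, and the HMAC tag only authenticates traffic; a real deployment would also encrypt the payload.

```python
import hashlib
import hmac
import os

# Constructed sample data: endpoint -> directory groups, each group treated as a COI.
DIRECTORY = {
    "hr-laptop-01": {"HR"},
    "hr-db-01": {"HR"},
    "fin-app-01": {"Finance"},
    "auditor-01": {"HR", "Finance"},
}
# Hypothetical key store: one random key per COI, released only to its members.
COI_KEYS = {coi: os.urandom(32) for coi in ("HR", "Finance")}
TAG_LEN = 32  # SHA-256 HMAC output size


def keys_for(endpoint):
    """Keys an endpoint is entitled to, derived from its directory groups."""
    return {coi: COI_KEYS[coi] for coi in DIRECTORY.get(endpoint, ())}


def seal(sender, coi, payload):
    """Tag a payload for one COI; raises KeyError if the sender is not a member."""
    key = keys_for(sender)[coi]
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def receive(receiver, frame):
    """Return the payload if it verifies under a COI key; else None (silent drop)."""
    tag, payload = frame[:TAG_LEN], frame[TAG_LEN:]
    for key in keys_for(receiver).values():
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            return payload
    return None


def visible_peers(endpoint):
    """Endpoints sharing at least one COI with `endpoint`; all others stay dark."""
    mine = DIRECTORY.get(endpoint, set())
    return sorted(e for e, g in DIRECTORY.items() if e != endpoint and g & mine)


if __name__ == "__main__":
    frame = seal("hr-laptop-01", "HR", b"payroll query")
    print(receive("hr-db-01", frame))      # member of HR
    print(receive("fin-app-01", frame))    # not in HR
    print(visible_peers("fin-app-01"))
```

The receiver returns nothing at all for traffic it cannot verify, which is the property step 1 relies on: a prober learns no more from a non-member endpoint than from an unused address.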

While the traditional approach to security has been to build a larger fortress using traditional technologies, in the software defined world this approach is replaced by a much better approach to defend against today's increasingly sophisticated cyber-threats.

The software-based approach, such as that adopted by Unisys Stealth, facilitates software-configurable ad-hoc endpoint-to-endpoint encryption of sensitive data-in-motion, making it suitable for mission-critical environments as organisations build a 21st century security strategy that complements their 21st century business.

Contributed by Dr Gerhard Knecht, global head of information security services and CISO at Unisys.