What the software defined data centre means for IT security

If you don't understand what the benefits of a software-defined data centre are, how are you going to know how to secure it? asks Kevin Linsell.

It's no secret that the data centre industry is evolving rapidly. Large scale, inflexible and expensive physical hosting solutions are no longer common thanks to virtualisation and we've almost all bought into cloud – so today's forward thinkers are now looking to the Software Defined Data Centre (SDDC) to further transform the way they utilise data resources.

This change presents its own interesting challenges for security, and SDDC users need to be aware of the virtues, challenges and pitfalls of this emerging technology.

Security is about protection and defence, but it is also about assurance – giving your customers (both internal and external) the confidence that their data and systems are safe. To deliver either requires a thorough understanding of the technology – and in the case of the SDDC, the market is currently confused.

Disagreement about its definition is widespread. A recent survey by Adapt has revealed that although three out of five respondents (61 percent) claimed to be familiar with the SDDC concept, the majority were unable to explain its principal benefits: 13 percent thought it was all about performance, 20 percent said centralised management and 17 percent admitted they were unaware of its benefits.

If professionals are struggling to understand the SDDC, what hope do they have of managing it securely?

The SDDC is really about controlling storage, security, networking and computing from within software. Put simply, it is a way of making the most economic use of traditional data centre resources. A software layer controls and manages infrastructure consumption, process and operation down to component level without human intervention. This enables applications to move seamlessly between environments, in and out of the cloud, from low to high performance without having to touch a single piece of hardware. It is this flexibility that will really make the SDDC the data centre of the future.

So, what does this mean for security? Our prediction is a more holistic approach with higher technical automation. As 'software-defined' gathers momentum, new methods for managing and enforcing security policies will emerge with it. The Security Admin will need to define policies which allow the benefits of the SDDC to be realised while ensuring flexibility keeps within the bounds of security requirements. Removing the human element is only beneficial if the rules and policies defined are solid AND the right level of audit and review is in place.

We can expect to see a continued blend of hardware and software-based security, but a decreasing reliance on security hardware as access controls travel up the stack. The move towards this type of security is also about enabling devices and solutions to be driven by software. As a day-to-day example, instead of making changes to specific firewall rules to enable a new web server to be visible, the process of requesting a new web server will intrinsically cover the application, operating system, virtual server, storage, data protection and security changes in a single business operation.
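The web server request described above can be sketched as policy-as-code. This is an added example, not code from the article or from Adapt; the `Request` fields, the `POLICY` schema, the address ranges and the server names are all hypothetical and constructed for illustration.

```python
import json
from dataclasses import dataclass, asdict
# Guardrails set once by the security admin (constructed values, hypothetical schema).
POLICY = {"internet_ports": {80, 443},          # only these may face 0.0.0.0/0
          "require_encrypted_storage": True, "require_backup": True}

@dataclass(frozen=True)
class Request:
    name: str
    tier: str                      # "web" (internet-facing) or "internal"
    ports: tuple
    encrypted_storage: bool = True
    backup: bool = True

def derive_plan(req):
    """Expand one business request into every infrastructure change it implies."""
    source = "0.0.0.0/0" if req.tier == "web" else "10.0.0.0/8"
    return {
        "vm": {"name": req.name},
        "storage": {"encrypted": req.encrypted_storage},
        "data_protection": {"backup": req.backup},
        "firewall": [{"allow": source, "port": p} for p in req.ports],
    }

def violations(plan, policy=POLICY):
    """Return every guardrail the derived plan breaks; an empty list means compliant."""
    found = []
    for rule in plan["firewall"]:
        if rule["allow"] == "0.0.0.0/0" and rule["port"] not in policy["internet_ports"]:
            found.append(f"port {rule['port']} may not be open to the internet")
    if policy["require_encrypted_storage"] and not plan["storage"]["encrypted"]:
        found.append("storage must be encrypted")
    if policy["require_backup"] and not plan["data_protection"]["backup"]:
        found.append("backup must be enabled")
    return found

def provision(req, audit_log):
    """Approve or reject without human intervention, always leaving an audit record."""
    plan = derive_plan(req)
    problems = violations(plan)
    decision = "rejected" if problems else "approved"
    audit_log.append(json.dumps(
        {"request": asdict(req), "decision": decision, "violations": problems}))
    return decision, (None if problems else plan)

if __name__ == "__main__":
    log = []  # constructed sample requests
    for r in (Request("shop-web-01", "web", (443,)), Request("shop-web-02", "web", (443, 22))):
        print(provision(r, log)[0], log[-1])
```

The second request is rejected because it would expose port 22 to the internet, and both decisions land in the audit log, which is the record the review process depends on once the human step is removed.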

There's no doubt the SDDC is the next big thing in IT. It is certainly due to replace 'cloud' as the industry's favourite buzzword. However, it is clear from Adapt's research that the IT industry is still confused about the concept. We also see that security standards have not really catered for the concept of SDDC and this is not likely to change any time soon, given that ISO 27001 and PCI DSS v3.0 have only recently been revised.

However, security professionals, whilst dealing with the threat landscape that currently exists, really need to get to grips with the concept of the SDDC so they are prepared to manage future business requirements. Service Providers play a key role in supporting the education required, as only when SDDC is fully understood will security professionals be able to leverage its capabilities to support threat mitigation activity, reduce overall risk profile and deliver increased value to the business. Ultimately, the SDDC has the potential to make security more intrinsic and integrated within the IT estate, but there will still be a need for strong governance, control, testing and human accountability.

This feels like familiar ground – and it is certainly not without precedent. The perceived risk and security fears that initially held back cloud adoption, despite its long list of benefits, are equally applicable to the SDDC – it is the role and duty of Service Providers to erode skepticism with education and demonstrable results to achieve a wider market understanding and acceptance.

Contributed by Kevin Linsell, head of service development, Adapt