Hands-Off Security: Automating & Virtualizing the Enterprise Network

Published: 22/11/2024   Category: security

A series of recent tech events demonstrates that enterprises are increasingly using virtualized automation to improve their network-security posture, but no single tool is perfect.



A few years ago, Brad Schaefbauer, Boeing's cloud design and integration specialist, deployed a continuous-integration pipeline and virtual sandbox to fully automate what has long been the biggest network-security pain point for users and IT administrators alike: patch management.
It was also done with a single virtualized cloud foundation.
Now, Schaefbauer says, this process has been scaled out across a multicloud environment spanning three data centers, with two cloud foundations per data center, meaning no waiting time for patches and updates.
"We have one that's production workload, and no people touch that ever. It's all completely robot[ic] pipelines; nobody can log into it," said Schaefbauer in a presentation at Cloud Foundry Summit last month. "That's a requirement. That's a restriction. There's no other way around it."
Such a no-humans-allowed restriction, combined with network redundancy, purportedly brings with it an additional benefit for both security and business continuity and disaster recovery (BC/DR) flexibility. Instead of experiencing full network outages, Schaefbauer said, Boeing sees its applications automatically fail over to other foundations, even across data centers when necessary.
Balancing containers
Little surprise, then, that Schaefbauer went on to say that Boeing plans to expand its virtualized security efforts, in particular through containerization. Still, Schaefbauer expressed agility concerns.
"We're going to have some applications that are Dockerized in Cloud Foundry, but whenever you Dockerize something, [there is always a] technical debt possibility," said Schaefbauer. "We repave stuff every week [so] it's never out of date."
Still, because of tenancy issues, multicloud and containerization often go hand in hand as a matter of balancing network agility and network security. Moreover, containers allow for better data migration and business continuity -- particularly in a multicloud environment.
"What we see is that more and more enterprises are convinced -- or are getting convinced -- that they need… to move way faster [and] automate a lot of stuff," Daniel Hekman, head of business development at software and IT solutions firm Grape Up, told Security Now. "[With a] multicloud approach, enterprises, if they want, can [easily migrate] from one cloud service provider to another."
"We are seeing a shift to containerization," confirmed Terry Smith, a senior director at Penguin Computing, in an interview at the Bio-IT World Conference & Expo earlier this month. "The whole [point of a] virtualization platform is to isolate jobs... We have to worry about those public instances where you have multiple tenants."
Here, Smith specifically pointed to the problem of possible privilege-escalation exploits in Docker. Granted, Docker patched this vulnerability nearly 18 months ago, but even assuming up-to-date patch management in a given enterprise, containers in general are known for isolation weaknesses, especially if they are not run within hypervisors. Runtime-tailored mini-VMs known as unikernels hold substantial security and performance advantages over containers, but they generally require more orchestration.
Properly picturing SD-WAN
All this is to say that virtualized automation cannot always be the be-all and end-all of optimized network security; each virtualization mechanism carries its own list of pros and cons. For instance, in a recent interview with Security Now sister site Light Reading, Verizon Communications Inc. (NYSE: VZ) vice president of product management and development Vickie Lonker explained that, where SD-WAN is concerned, software-defined security and software-defined WAN optimization can be two different, even competing, things.
On this point, Joel Mulkey, founder and CEO of Bigleaf Networks, is similarly emphatic: because SD-WAN's primary unique selling proposition (USP) is network optimization, trying to use it concurrently as a security solution is inherently problematic for network orchestration.
"Most SD-WAN solutions want to be your security platform as well," Mulkey told Security Now last week at the MIT Sloan CIO Symposium. "Use [your internal security] solutions... and use a dedicated SD-WAN solution."
Of course, not everyone agrees with this assessment of SD-WAN's cybersecurity suitability. According to Shawn Hakl, vice president of business networks and security solutions at Verizon, SD-WAN is unique for its enormous practical and theoretical potential for customizing just the right blend of encryption, identity and access management, and packet optimization. (See: Security Takes On Malicious DNA (Files).)
Perhaps it all depends on whoever happens to be orchestrating the network. Mulkey, for his part, criticizes traditional SD-WAN strategy (at least, to the extent that anything related to SD-WAN at this point could be considered traditional) as running along the lines of a network engineer aiming to perfectly orchestrate "the picture in [their] brain" -- and failing.
"The picture in your brain is not perfect," Mulkey warned with a smile. "Think about other things, like security."
Related posts:
Automation Is a Key to Future Enterprise Security – Report
Endangered Virtualization Species Forced to Evolve
The Security of SD-WAN
Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.