Among all the changes that fall under the digital transformation umbrella, perhaps one of the most fundamental is the shift to the software-defined enterprise.
The idea is simple: instead of manually setting up and configuring the operational production environment, reduce all aspects of its configuration and deployment to one form of metadata or another: scripts or recipes or other configurations. Now, to make any kind of change in production, simply adjust the script, push a button, and let automation take over.
Expecting an entire enterprise production IT environment to be fully software-driven is still largely in the future, but there are two areas that large organizations are finding to be important starting points on the road to the software-defined enterprise: software-defined networking and DevOps.
The rapid maturation of public cloud computing has driven the software-defined networking industry, as cloud providers require fully automated network configuration capabilities.
Such demand has been driving innovation at network equipment providers, who now offer increasingly mature software-defined networking capabilities to a diverse enterprise market.
In contrast, the need to deploy better software more quickly has been driving DevOps, first at web scale companies, but now across most large enterprises as well.
DevOps requires a rethink of the traditional, siloed organizational model for IT, instead leveraging automation to better facilitate the cooperation and eventual merging of development, operations, and quality assurance teams.
While organizational and concurrent cultural transformations are at the heart of the DevOps movement, automation is an essential enabler, as one of the important goals of DevOps automation is for deployment and configuration scripts or recipes to control every aspect of the production environment – in other words, software-defined infrastructure.
From DevOps to SecDevOps
This race to the software-defined enterprise is not without issues, however. As organizations move forward with either software-defined networking or DevOps, they soon run into a challenge: security.
Security, of course, should be a top priority for any software deployment – but DevOps’ emphasis on continuous delivery can push security to the back burner. Treating security as an afterthought, however, throws a wrench into the vision of software-defined infrastructure.
The importance of security to any software development effort seems obvious. So why do so many DevOps teams give it short shrift? Governance efforts in general, including security and compliance activities, are hot-button issues for DevOps teams, as traditional governance approaches introduce bottlenecks, slowing down the development lifecycle.
The result is often conflict between the DevOps people and the security and compliance teams, as the former call for moving quickly and the latter rightly call for adequate controls. For many organizations moving to DevOps, therefore, this friction impedes their ability to achieve their desired deployment velocity.
The solution to such conflicts is to leverage automation-driven, next-generation security as part of the accelerated software lifecycle – in other words, software-defined security.
Today, protecting sensitive enterprise data in environments that are largely out of the enterprise’s control – such as the public cloud – has largely driven innovation in software-defined security. With the rise of DevOps, however, software-defined security must become an integral part of the approach – leading to the notion of SecDevOps, as some people are now calling this combination of priorities.
In fact, automating security and compliance controls must be an integral part of all DevOps activities. The recipes for deploying the infrastructure should include all security and compliance configurations, so that every deployment is properly secured, yet still software-defined.
DevOps personnel must include security and compliance activities early in the software lifecycle just as they include testing – and in fact, they should incorporate security and compliance tests into the automated test regimen.
SecDevOps thus shifts security considerations ‘to the left’ (that is, toward the beginning of relevant iterations), and furthermore, seeks to automate policy enforcement following the continuous integration/continuous delivery models that DevOps teams are becoming accustomed to following.
Application-Level Control
The software-defined enterprise requires software-defined networking and software-defined security as well as SecDevOps – but just how different are these priorities?
The network is in fact part of the production infrastructure, and thus separating how network teams secure the network from how application security teams deal with application-level security is a false dichotomy – and in the security world, false dichotomies lead to vulnerabilities.
The better way to think about the role security plays in the software-defined enterprise is as a unified, holistic approach for managing, configuring, and testing security across the entire infrastructure – from the application layer all the way down to the network. After all, security must be comprehensive to be effective, as attackers are only too happy to probe for the gaps.
The crypto-segmentation from Certes Networks is an example of how to bring the agility and speed of software-defined security to networking, as an integral part of SecDevOps.
While segmentation at the network level affords a measure of security, defining such segmentation with software-based controls instead affords an additional measure of flexibility and control. To this end, Certes Networks brings segmentation up to the application layer.
As a result, crypto-segmentation policies and controls are now a part of the same comprehensive, automated security regime as the rest of SecDevOps.
The Intellyx Take
Traditional IT security has always depended on hardware – firewalls and other network devices in particular – to protect the organization. However, making changes to hardware is always slow and cumbersome.
Furthermore, as enterprises become software-defined, digital organizations, traditional hardware-centric security becomes a less effective and thus less important part of the overall security profile.
As a result, software-defined enterprises must rethink security, just as they must rethink networking, software development, and operations. Security cannot become a boat anchor, slowing down the organization – and even more importantly, today’s businesses cannot afford to shortchange their investments in effective, comprehensive security.
Embracing software-defined security to evolve network security and make it agile enough for SecDevOps is now a must-have. Crypto-segmentation is an essential element of this new vision for comprehensive IT security.
Copyright © Intellyx LLC. Certes Networks is an Intellyx client. Intellyx retains full editorial control over the content of this article. Image credit: GotCredit.