Whether it’s cloud, BYOD, or just highly mobile applications deep inside the data center demesne, the reality today’s security professionals operate in is volatile.
Applications, users, devices, and data are constantly in flux; even IP addresses, once solid points of light in an otherwise dark data center, are on the move. Security policies, whether focused on network or application access, user or application-generated data, must be dynamic and flexible enough to keep up with the constant myriad of changes. To not do so risks havoc and frustration when users can’t access applications or check e-mail, or find their mobile device suddenly devoid of all data due to an unintentional policy violation.
Modern security policies must necessarily focus on securing data and applications without relying on topological constraints that may or may not exist in the future (or in the next five minutes, for that matter). As applications cross the data center-cloud boundary and also migrate onto mobile devices, such constraints only serve to confuse and complicate attempts to lock down resources. Rather, it is increasingly the case that security policies must match user, location, device and resource to determine whether or not access should be granted.
Traditional solutions relying on fixed topology to provide security services are as out of place in today’s virtualized, mobile world as a vegan at a steakhouse. Firewalls and simple web access control solutions rely too much on network variables and flowchart-based policies that may appear flexible, but are merely a thin veneer of easier configuration of the same, hard-coded policies that break when a new variable is encountered.
Programmability, touted as one of the more beneficial aspects of software-defined networking, is as applicable to security as it is to the network. Programmability of security policies enables greater flexibility with a higher degree of granularity than previous incarnations of security policies. The flexibility inherent in being able to apply security policies or make decisions based on external data far outstrips that of static identity store queries. While certainly being able to extract attributes about a user from Active Directory or LDAP is useful and an important piece of the overall puzzle, being able to extract from any source that can provide the necessary information is even more beneficial to crafting the types of policies that are truly robust and active.
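As an added illustration of the attribute-driven policies described above (example code written for this page, not F5's product code or the author's), here is a small policy evaluator that decides access from user, device, location and resource attributes, pulling those attributes from more than one source rather than from network topology. The directory and device-posture lookups, the user and device names, the resource paths and the policy set are all constructed placeholders.

```python
"""Added example: an attribute-based access policy engine.
Policies are plain callables over a merged context, so a new variable
(say, device posture from an external service) is one more source and
one more policy rather than a rewrite of a hard-coded flowchart."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

# Constructed stand-in for a directory lookup (the AD/LDAP attributes case).
DIRECTORY: Dict[str, Dict[str, Any]] = {
    "alice": {"groups": ["finance"], "mfa_enrolled": True},
    "bob": {"groups": ["engineering"], "mfa_enrolled": False},
}

# Constructed stand-in for an external, non-directory source: device posture.
DEVICE_POSTURE: Dict[str, Dict[str, Any]] = {
    "laptop-01": {"managed": True, "disk_encrypted": True},
    "phone-77": {"managed": False, "disk_encrypted": True},
}


@dataclass
class Request:
    user: str
    device_id: str
    country: str          # client location, independent of IP topology
    resource: str
    mfa_passed: bool = False


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


# A policy inspects the context and returns a denial reason, or None.
Policy = Callable[[Dict[str, Any]], Optional[str]]


def build_context(req: Request) -> Dict[str, Any]:
    """Merge request attributes with attributes fetched from each source.
    Unknown users or devices yield empty attribute sets, which fail closed."""
    return {
        "request": req,
        "user_attrs": DIRECTORY.get(req.user, {}),
        "device_attrs": DEVICE_POSTURE.get(req.device_id, {}),
    }


def require_group(resource_prefix: str, group: str) -> Policy:
    def check(ctx: Dict[str, Any]) -> Optional[str]:
        req = ctx["request"]
        if req.resource.startswith(resource_prefix) and \
                group not in ctx["user_attrs"].get("groups", []):
            return f"user {req.user} not in group {group}"
        return None
    return check


def require_managed_device_for(resource_prefix: str) -> Policy:
    def check(ctx: Dict[str, Any]) -> Optional[str]:
        req = ctx["request"]
        if req.resource.startswith(resource_prefix) and \
                not ctx["device_attrs"].get("managed", False):
            return f"device {req.device_id} is not managed"
        return None
    return check


def require_mfa_outside(home_country: str) -> Policy:
    def check(ctx: Dict[str, Any]) -> Optional[str]:
        req = ctx["request"]
        if req.country != home_country and not req.mfa_passed:
            return f"MFA required from {req.country}"
        return None
    return check


# Constructed policy set; order does not matter, every policy is evaluated.
POLICIES: List[Policy] = [
    require_group("/finance/", "finance"),
    require_managed_device_for("/finance/"),
    require_mfa_outside("US"),
]


def evaluate(req: Request, policies: List[Policy] = POLICIES) -> Decision:
    """Deny if any policy returns a reason; otherwise allow.
    All reasons are collected so a denial is explainable, not just a 403."""
    ctx = build_context(req)
    reasons = [r for r in (p(ctx) for p in policies) if r]
    return Decision(allow=not reasons, reasons=reasons)


if __name__ == "__main__":
    print(evaluate(Request("alice", "laptop-01", "US", "/finance/reports")))
    print(evaluate(Request("alice", "phone-77", "FR", "/finance/reports")))
```

The same user is allowed from a managed laptop in the home country and denied from an unmanaged phone abroad without MFA, with both reasons reported. Because the decision never consults a subnet or VLAN, the policy survives the resource or the user moving between data center, cloud and mobile device; adding a new source (a threat-intelligence verdict, a time-of-day rule) is a new entry in the context and a new callable in `POLICIES`.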
Programmability in the network isn’t just for configuring switches and routers or processing packets. It’s a higher-order function that enables agility in the data path on which security necessarily interposes itself. By taking advantage of programmability in the data path, security policies can become more active, more flexible and more able to deal with anomalies that are not attacks, but rather changes in access patterns caused by the increasingly mobile world in which users operate.
Lori MacVittie is senior technical marketing manager at F5 Networks (www.f5.com).
Edited by Stefania Viscusi