Cloud-based security is about securing the data, yet compliance requirements are often about securing the environment, such as PCI's requirement for web application firewalls, which protect web servers and perhaps applications and imply protection of data. But they do not directly protect data. How can a Software Defined Data Center implement a form of Software Defined Security automatically, to meet not only compliance requirements but also the security needs of a particular piece of data?
Compliance not Quite Security
We should start off by stating that compliance is not security, nor is security compliance. Compliance is a minimum set of measures that has been decided upon by a committee. That minimum set of measures may be for auditing purposes or it may be for security purposes. In many cases compliance, with the exception of PCI, is not very prescriptive and depends mainly on the good behavior of everyone involved and on the ability to stem bad behavior as quickly as possible, either legally or electronically. PCI, however, has prescriptive measures such as "you will have a Web Application Firewall (WAF)", but it does not say how that firewall should be configured, nor can it, as each web application is different, as is each environment. HIPAA, as another example, requires everyone who could potentially touch sensitive data to sign a document stating that they are aware of this possibility and of the risks of touching it and releasing it outside the organization. Others require coming up with complex, hard-to-memorize passwords when we should be using passphrases that are long and easy to remember.
None of these is really true security, but compliance is a starting point. As the CloudAudit project has discovered, most of the compliance objectives cannot be codified but require human intelligence to properly interpret the data. This is what makes compliance within a cloud difficult. There is a lack of visibility, and that visibility cannot be 100% auto-generated yet.
Secure Thy Data
Unlike compliance, the main thrust of security within a cloud is to secure the data, not only through multiple layers of fail-safe security measures for availability, but also through tools that check the integrity of the data and impose confidentiality. These terms, availability, integrity, and confidentiality, are often applied to data as failing-safe (defense-in-depth), digital signing, and encryption of data. Yet each of these security measures should be invisible to normal users. In other words, security should NOT impede the use of the data for legitimate needs. However, given how security is imposed today, we get hung up on defense-in-depth and often impose draconian measures to ensure it. We also inadvertently place security measures in the wrong place, so that even if the data is encrypted at rest, it is no longer encrypted in motion. Because of this gap we often impose other security measures that impact not only the people process, but the deployment and business processes. In essence, we move from protecting the data to protecting the environment, thinking it will protect the data.
But in a hybrid cloud that environment could span thousands of miles with several bastions outside your control, so we once more add even more security measures that throttle down usability in an attempt to regain control. As such we do not make good use of existing cloud security measures, perhaps because, as with compliance, we cannot see into the cloud environments well enough to even understand the current security measures.
Software Defined Security
A software defined data center requires automation of security tasks, in other words Software Defined Security. Without a way to define the security we are lost. But those measures often depend not only on hard-to-codify compliance requirements, but also on security measures within a cloud that we cannot see. Lastly, security is not necessarily part of any business logic. Business logic says, for example,
“We have 10 new products coming out by December for the holiday sales rush, we need to maintain inventory for that season as well as offer a few discounts if the items are bought off our site vs other locations.”
Where in that statement does security get mentioned? It does not, because the business is not driven by security. This is also one reason security is often a bolt-on. But let's see if we can interpret the requirements from the natural-language business logic.
- What is the data to protect? Inventory and web data ("maintain inventory", "off our site")
- We need a Web Application Firewall (“off our site”)
- We need to protect Personal Identifiable Information (“off our site”), which also implies PCI compliance
- We need to protect customer data (“off our site”)
And a host of other things I have not listed. So how can we do this using a software defined mechanism? In other words, how can we orchestrate security measures? In many cases we can do this today, but are we doing it properly, and can security ever be 100% automated? Security can be automated against well-known attacks, but not against unknown attacks. Which means we fall back onto compliance, but as we stated previously, compliance is not about security.
What are the rules for security that will dovetail with business logic to protect the business, the data, and the business's customers? This is the missing component of the software defined data center. Security can be automated, as Puppet Labs has proven, but can those measures be automatically tied to business logic and hybrid clouds, and protect the data while providing compliance without human intervention? Can this security be invisible until needed instead of overly draconian?
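One way to codify the requirements derived above, as an added illustration that is not code from the original post: each data classification is mapped to the controls the post calls for (encryption at rest and in motion for confidentiality, signing for integrity, replication for availability, a WAF and PCI scope for anything served "off our site"), and a constructed deployment description is checked for gaps. The asset names, classification labels and control names are assumptions made for this example.

```python
"""Data-centric 'security as code' gap check (constructed example)."""
from dataclasses import dataclass, field

# Controls each data classification must carry. The mapping itself is an
# assumption for this example, following the requirements derived from the
# business statement: "maintain inventory" -> inventory data, "off our site"
# -> web data, PII and PCI scope.
REQUIRED_CONTROLS = {
    "inventory": {"signed", "replicated"},
    "web": {"waf", "tls_in_transit"},
    "pii": {"encrypted_at_rest", "tls_in_transit", "signed", "waf"},
    "payment": {"encrypted_at_rest", "tls_in_transit", "signed", "waf", "pci_scope"},
}


@dataclass
class Asset:
    name: str
    classifications: set
    controls: set = field(default_factory=set)   # controls actually deployed


def required_for(asset):
    """Union of the controls demanded by every classification on the asset."""
    needed = set()
    for label in asset.classifications:
        needed |= REQUIRED_CONTROLS.get(label, set())
    return needed


def gaps(asset):
    """Controls the data still lacks; an empty set means the policy is met."""
    return required_for(asset) - asset.controls


def evaluate(assets):
    """Map each asset name to a sorted list of its missing controls."""
    return {a.name: sorted(gaps(a)) for a in assets}


# Constructed deployment: the inventory database is encrypted at rest but the
# web tier reaches it without TLS, the "encrypted at rest, not in motion"
# failure mode described above.
SAMPLE_ASSETS = [
    Asset("inventory-db", {"inventory", "pii"},
          {"encrypted_at_rest", "signed", "replicated", "waf"}),
    Asset("storefront", {"web", "payment"},
          {"waf", "tls_in_transit", "encrypted_at_rest", "signed", "pci_scope"}),
]

if __name__ == "__main__":
    for name, missing in evaluate(SAMPLE_ASSETS).items():
        print(name, "OK" if not missing else "missing: " + ", ".join(missing))
```

Because the policy is keyed on the data's classification rather than on the environment, the same check applies wherever the asset is hosted in a hybrid cloud.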
We use Catbird. It was designed specifically for virtualization security. No legacy physical security tools.