In the July 20 Virtualization and Cloud Security Podcast, we were joined by Kevin Myers. Kevin is a network architect for IP ArchiTechs. Kevin and I had an interesting conversation about the convergence of networking and security. It started out as an offhand comment about how firewalls can act as routers. They have always been able to, but now they are much more robust. For Kevin’s service provider customers, this simplifies the network quite a bit. Simplifying the network is the goal of many people. Whole industries have been created just to do this.
Simplifying the network is only one goal; securing the network is the other. By using a firewall as a router, you can add rules to direct traffic as necessary. If you use BGP style routing, the application can actually direct traffic as required. For web-scale shops, this is a must. As Kevin stated, there is a need for the network to light up as needed. There should be no need for a network engineer to assign a VLAN, etc. That should be part of the application. Granted, we look at applications slightly differently, but the thought is where we need to go. We are not there yet.
Political debates are still happening between networking and security, security and virtualization, and networking and virtualization. We have not even added in the cloud yet. Then, things get going quickly. The best shops are those that are highly regulated, as it forces these teams to work together to meet ever-increasing regulatory compliance. This is a good starting point for talking security, but it is not the end goal. There is a growing need for common APIs and common tools to help with those APIs.
No longer can security involvement be manual; there is no one-off implementation. The more we standardize within an organization, the better off we are. That is the crux of the matter: standardization. Most organizations have not standardized their networking. They may think they have, but have these teams standardized configurations across virtual and physical network constructs? Is the network deployment and security policy driven? At the moment, only some are. Most of the big clouds have very standard deployments. It is the only way they can survive.
Now, you may be thinking, “But I run an enterprise with several one-off projects.” Well, perhaps, but the kit delivered, whether virtual or physical, can be a standardized block of compute, network, storage, memory, and graphics. This is the reason for Vblocks and how well they are doing. We are striving for standardization. We are not there yet.
No matter how you automate or orchestrate, there needs to be a standard output, one everyone understands. If we can move to a boilerplate deployment, we can standardize security controls, compliance goals, and many other aspects of security. Any deviation from the standard could be detected easily. However, even as we do this, we are struggling with scale for another aspect of our security environment: encryption. In order to scale encryption, we need to scale our key management system (KMS). A KMS has to be as available as DNS. However, could we actually use DNS for these purposes?
Yes and no. DNS could work using a private DNS server, but not a public one. Have a listen to find out why, but suffice it to say that DNS is a good model to use. This means that we as security folks should be talking to those who roll out DNS, who architect it. It will help us with critical infrastructure. Perhaps one day this will also be solved.
How standardized is your security? Your network? Your environment?