Hands-Off Security: Automating & Virtualizing the Enterprise Network

A few years ago, Brad Schaefbauer, Boeing's cloud design and integration specialist, deployed a continuous-integration pipeline and virtual sandbox to fully automate what has long been the biggest network-security pain point to users and IT administrators alike -- patch management.

It was also done with a single virtualized cloud foundation.

Now, Schaefbauer says, this process has been scaled out across a multicloud environment spanning three data centers, with two cloud foundations per data center -- meaning no waiting time for patches and updates.

"We have one that's production workload, and no people touch that ever. It's all completely robot[ic] pipelines; nobody can log into it," said Schaefbauer in a presentation at Cloud Foundry Summit last month. "That's a requirement. That's a restriction. There's no other way around it."

(Source: Flickr)

Such no-humans-allowed "restriction" combined with network redundancy purportedly bears with it yet additional benefit for both security and business continuity and disaster recovery (BC/DR) flexibility. Instead of experiencing full network outages, Schaefbauer said, Boeing sees its applications automatically fail over to other foundations -- even across data centers when necessary.

Balancing containers
Little surprise, then, that Schaefbauer went on to say that Boeing has plans to escalate its virtualized security efforts -- in particular, through containerization. Still, Schaefbauer expressed agility concerns.

"We're going to have some applications that are Dockerized in Cloud Foundry, but whenever you Dockerize something, [there is always a] technical debt possibility," said Schaefbauer. "We repave stuff every week [so] it's never out of date."

Still, because of tenancy issues, multicloud and containerization often go hand in hand as a matter of balancing network agility and network security. Moreover, containers allow for better data migration and business continuity -- particularly in a multicloud environment.

"What we see is that more and more enterprises are convinced -- or are getting convinced -- that they need… to move way faster [and] automate a lot of stuff," Daniel Hekman, head of business development at software and IT solutions firm Grape Up, told Security Now. "[With a] multicloud approach, enterprises, if they want, can [easily migrate] from one cloud service provider to another."

"We are seeing a shift to containerization," confirmed Terry Smith, a senior director at Penguin Computing, in an interview at the Bio-IT World Conference & Expo earlier this month. "The whole [point of a] virtualization platform is to isolate jobs... We have to worry about those public instances where you have multiple tenants."

Here, Smith specifically pointed to the problems of possible privilege-escalation exploits in Docker. Granted, Docker patched this vulnerability nearly 18 months ago, but even assuming up-to-date patch management in a given enterprise, containers in general are renowned for having isolation issues -- especially if they are not run within hypervisors. Runtime-tailored mini-VMs known as unikernels hold substantial security and performance advantages over containers, but they do generally require more orchestration. (See: Unknown Document 743449.)

Properly picturing SD-WAN
All this is to say that virtualized automation cannot always be the be-all and end-all of optimized network security -- each virtualization mechanism bearing its own pros and cons list. For instance, in a recent interview with Security Now sister site Light Reading, Verizon Verizon Communications Inc. (NYSE: VZ) vice president of product management and development Vickie Lonker explained that, where SD-WAN is concerned, software-defined security and software-defined WAN optimization can be two different -- even competing -- things. (See: Unknown Document 743449.)

On this point, Joel Mulkey, Founder and CEO of Bigleaf Networks, is similarly emphatic that because SD-WAN's primary unique selling proposition (USP) network optimization, trying to concurrently use it as a security solution is inherently problematic for network orchestration.

"Most SD-WAN solutions want to be your security platform as well," Mulkey told Security Now last week at the MIT Sloan CIO Symposium, "Use [your internal security] solutions... and use a dedicated SD-WAN solution."

Of course, not everyone agrees with this assessment of SD-WAN's cybersecurity suitability. According to Shawn Hakl, vice president of business networks and security solutions at Verizon, SD-WAN is unique for its enormous practical and theoretical potential for customizing just the right blend of encryption, identity and access management, and packet optimization. (See: Security Takes On Malicious DNA (Files).)

Perhaps it all depends upon whomever happens to be orchestrating the network. Mulkey, for his part, criticizes traditional SD-WAN strategy (at least, to the extent that anything related to SD-WAN at this point could be considered "traditional") as running along the lines of a network engineer aiming to perfectly orchestrate "the picture in [their] brain" -- and failing.

"The picture in your brain is not perfect," Mulkey warned with a smile. "Think about other things, like security."

Related posts:

—Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.