Software Defined Security: Automated security in the cloud
By Dr. Abir Awad
Current-generation cloud infrastructure is complex and heterogeneous, and its management often requires frequent human intervention. The dynamic scaling, rapid virtual machine deployment, and open multi-tenant architectures of the cloud also amplify the associated security issues. This creates an environment in which a local misconfiguration can create subtle security risks for the entire infrastructure, and it drives the need for automation and orchestration of cloud security controls. Software-defined security (SDSec) is a new approach to improving security within next-generation cloud environments. It delivers network security enforcement in software instead of through traditional physical security controls, inherently simplifying the world of network security. Abstraction, automation and orchestration are not the only benefits of software-defined security; eliminating the dependency on hardware also means that security can be deployed in tandem with the changing scale of the virtualized cloud infrastructure.
SDSec is analogous to Software Defined Networking (SDN) insofar as the security control plane is separated from the security processing and forwarding planes. This concept has attracted the attention of many organisations, and several solutions for security automation have recently been proposed in both the commercial and academic domains. The following are examples of commercially available products:
CheckPoint solution: software-defined protection that partitions the security infrastructure into three interconnected layers: enforcement, control and management. These work together to deal with threat prevention, access control and data protection.
Intel security controller: enables automated and dynamic security provisioning, policy synchronisation, protection and remediation for software-defined infrastructure built on VMware NSX. It offers virtual antivirus, IPS, sandboxing, firewall, web filtering and data loss prevention.
CloudPassage Halo: provides host intrusion detection (file integrity monitoring, configuration security monitoring and log-based intrusion detection), network authentication and management of firewall configurations.
Catbird: a software-defined security system for virtual infrastructure. It protects private clouds and virtual data centres, and is available for both VMware and OpenStack.
Many researchers also consider SDSec a promising solution, and it has been the subject of some European-funded projects (e.g. https://www.secured-fp7.eu/, which is studying the architecture of a security gateway). Other researchers have developed an open-source SDN controller (SE-Floodlight), which is an implementation of an SDN security policy-enforcing mediation service in an OpenFlow stack. A working group called the "Software Defined Perimeter Working Group" was also launched by the Cloud Security Alliance (CSA) in December 2013 to create a security model to stop all forms of network attacks, including DDoS, Man-in-the-Middle, etc., using the same idea of separating the control plane from the data plane.
This is achieved by deploying perimeters that keep protected resources invisible and inaccessible to "outsiders", combining device authentication, identity-based access and dynamically provisioned connectivity. As one can guess, when applied to the cloud this calls for automated deployment as well as analysis mechanisms, which in turn require a cloud assurance policy language to express security goals for such environments. Where possible, configuration changes should be statically checked against the policy before they are applied to the infrastructure. While many policy-driven security management systems exist, not many tackle the requirements of a virtualized infrastructure. This is an open research opportunity, since virtualization technology is becoming increasingly common in datacentres.
Software-Defined Security is one of the most promising approaches to building a cloud security solution that can run without the traditional physical security middle-boxes. It can identify malicious traffic, infected hosts or network intruders and isolate them through quarantine or redirection to a honeypot. The security abstraction, together with the unification of the security and policy definitions and their enforcement (even in dynamic and virtualised environments), independently of the underlying hardware and communication platform, are the main advantages of Software-Defined Security. SDSec is also part of the software-defined datacentre (SDDC), which extends the virtualization concepts of abstracting, pooling and automating all of the datacentre's resources and services. Here, all the elements of the infrastructure, i.e. networking, storage, security etc., are virtualised and delivered as a service. Software-Defined Security is, however, still a marketing term and is at an early stage of development.
Despite much current investment in automating the different security controls in the cloud, an intelligent security solution that automatically protects against and mitigates threats is still only an aspiration. Such a solution is a goal worth striving for, bearing in mind that the worldwide SDN market and all related applications for enterprise and cloud service providers is expected to grow from $960 million in 2014 to over $8 billion by 2018.