This article was originally published on SecurityWeek.
“Patriotism is the last refuge of a scoundrel.”
— Samuel Johnson
For the past 30 years, the entire computing industry has lived through well-understood upgrade cycles. Over time, applications became more powerful and in turn consumed more and more processing power and bandwidth. There is no better historical example than the “WinTel” partnership, where new processing power was rapidly matched by new operating systems and new applications, forcing IT buyers to acquire new gear to get the latest and greatest computers.
But the world has now changed. We are evolving to agile, cloud-based computing models—where resources can be consumed on-demand and as-needed. This puts pressure on the decision between buying infrastructure versus renting compute and network cycles. That same decision directly affects security, which increasingly must work across both data center and cloud environments.
We the Containers
Not only do security managers need to contend with on-premises vs. public cloud computing decisions, they now need to support the microservices and container movement, pioneered by companies like Docker and Mesosphere. Container technologies change the role of infrastructure in the application lifecycle, making applications dramatically more short-lived and efficient. Security must be equally fast and agile.
As computing becomes more dynamic and distributed, it has to adapt. Traditional data center and cloud security was part of the infrastructure itself (e.g., firewalls, IDS, and network-segmentation approaches like ACLs, VLANs, security groups, and host-based security). Security was written and managed in the language of the network. However, when a container spins up for 3-5 minutes – or even seconds – does it make sense to spend days and weeks reconfiguring the network to secure it?
While the application once competed for the infrastructure, the infrastructure must now compete for the application. The same is true for security. Security must compete for the application.
Ask not what your infrastructure can do for your security, but what security can do for your infrastructure
It is both naïve and wrong to ignore the role infrastructure plays in protecting data. Trusted networks trump untrusted networks. However, should security be a reason to upgrade networks or stay with proprietary compute architectures? What tradeoffs occur when tying your security so tightly to your infrastructure?
Simply upgrading the network is not the answer to agile computing, particularly in situations where hybrid infrastructures are in use and businesses may or may not control the infrastructure layer. Security professionals must ask themselves:
- How do you keep up with the speed of change when your infrastructure only turns over every two to five years?
- What happens when you do not own the infrastructure?
- How do you work in heterogeneous environments, across different infrastructures?
We must all hang together or assuredly we shall all hang separately
The biggest challenge network security faces in the data center is the lack of context about the data it is protecting. Without visibility into the computing layer itself—the processes, services, and communications occurring on the atomic unit of an application, the workload—it is difficult to understand when threats occur and how much of the data center attack surface is really exposed to bad actors.
Infrastructure security must work in concert with other application and data center technologies and processes. Indeed, coordination among these elements can provide a higher level of visibility and trust to applications. Rather than think of a single perimeter, think of a range of perimeters, potentially coordinating with each other—a collection of intelligence assets that work in concert like an Air Force, Army, and Navy. Different kinds of breaches involve different levels of sophistication, so defense must work at different layers.
Security is unlikely to be the argument for upgrading infrastructure. But infrastructure must work with the other security systems in the environment that actually protect the data itself.
Author’s note: Since the political season has started early here in America, I thought I would borrow a page from the political sloganeering world.