Leveraging Security Policy Orchestration to “Bake Security in” to SDDC Environments

I recently briefed with Tufin™, a vendor providing solutions for security and infrastructure configuration and management. While there are a number of competitors in this space, all with various strengths, Tufin's latest release of its Security Policy Orchestration Suite™ includes support for VMware™ NSX. This is significant for those looking to build software-defined data centers (SDDCs) because Tufin can now support and centralize security policy orchestration for physical and virtual networks throughout the entire data center, via a single interface.

For those of you not familiar with SDDCs, they are data centers in which all elements of the infrastructure—processing, networking, storage, and security—are delivered as services to the computing stack through virtualization. This further improves operational efficiency by increasing IT agility for service implementation and change management. Delivering these functions as automated, integrated services lowers operational overhead and promotes higher computing and networking density and utilization, thus increasing the ROI on the existing infrastructure and lowering capital expenditures.

SDDC Security Issues

As organizations move to the SDDC, the demands on security increase. To deliver security across each level of the infrastructure and the virtual stack, security has to be a modularly definable service. This can be done by creating security policies (controls) assigned to each part of the computing stack, from applications to the network and transport and ultimately storage.

Security services must integrate with the virtual environment beginning at the hypervisor level to provide controls between north/south associations, that is, communications between virtual machines sharing the same hypervisor on the same physical system. The security service must then be able to reach out to other components of the stack to manage security policy between each of the other assigned computing and data transport components.

The Tufin Orchestration Suite™ provides a unified mechanism for visibility and control of SDDC services to administrators and security teams. Centralized visibility and holistic security management of each SDDC component is key to successful SDDC implementations and other highly virtualized environments that require cloud-like performance. Traditional data center security architectures were not designed to support the highly granular, micro-segmentation requirements of SDDC services because each of the services must be managed as components of the larger ecosystem.

Security Policy Orchestration enables the migration to SDDCs by analyzing and verifying design, provisioning, and auditing of security and network infrastructure changes from the application layer down to the network layer. The Tufin Orchestration Suite centrally manages infrastructure components, assigning and enforcing a unified security policy for north/south configurations and in the east/west communications across different machines, physical locations, and configurations.

The Benefits of Security Policy Orchestration

These capabilities enable Security Policy Orchestration to oversee data center security from a single control point across physical and virtual environments to meet critical operational and compliance needs. Another core benefit it delivers is the ability to support, track, visualize, and enforce policy changes while maintaining business agility.

“Elasticity” and “on-demand” are not terms associated with waiting a week or even days for changes to be made. Change verification and testing are key factors that must occur despite the complexity and scale that exist in larger enterprises, particularly those managing private and hybrid clouds and cloud providers themselves. Beyond supporting the underlying infrastructure components, the applications laid on top of that infrastructure must work. When deploying a new application, Security Policy Orchestration provides the capability to perform end-to-end application connectivity simulation to ensure that the requested change operates across the components as expected and that the application will be operational. Rolling these capabilities together means that, on the front side, organizations that migrate to the SDDC can enable security for those on-demand, highly resilient, and elastic computing environments, while on the back end they get even more services, such as the following:

  • Application discovery and availability monitoring
  • Service dependency mapping
  • Change design and workflow automation
  • Network topology and policy analysis
  • Policy optimization and violation guidance
  • Policy violation notification

Virtualization and cloud are not going away, and for that reason, the SDDC won't either. CIOs and operations managers must learn how to squeeze every ounce of capability out of their management processes and systems to attain the service delivery timelines and stability their business customers are demanding, making Security Policy Orchestration capabilities a key toolset to consider.
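To make the "end-to-end application connectivity simulation" and "policy violation guidance" capabilities described above concrete, here is an added, self-contained example that is not Tufin's code and not part of the original post. It models a toy SDDC with two enforcement points (a physical perimeter firewall and an NSX-style hypervisor-level distributed firewall, both constructed for illustration), simulates whether each flow an application change request needs is permitted at every hop on its path, and runs a proposed rule through a small set of constructed compliance guardrails before it would be provisioned. The tier addressing, rule sets, flow list and guardrails are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed tier addressing for the toy data center (assumption, not from the post).
TIERS = {
    "web": ip_network("10.1.1.0/24"),
    "app": ip_network("10.1.2.0/24"),
    "db":  ip_network("10.1.3.0/24"),
}
INTERNAL = ip_network("10.0.0.0/8")  # anything else is "outside the data center"


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    port: Optional[int]  # None = any port
    action: str          # "allow" | "deny"

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        def in_scope(scope: str, ip: str) -> bool:
            return scope == "any" or ip_address(ip) in ip_network(scope)
        return (in_scope(self.src, src_ip) and in_scope(self.dst, dst_ip)
                and (self.port is None or self.port == port))


@dataclass
class EnforcementPoint:
    name: str
    rules: List[Rule] = field(default_factory=list)  # first match wins, implicit deny

    def decide(self, src_ip: str, dst_ip: str, port: int) -> str:
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, port):
                return rule.action
        return "deny"


def enforcement_path(src_ip, dst_ip, perimeter, dfw) -> List[EnforcementPoint]:
    """Devices that see the flow: the perimeter if it crosses the DC edge,
    the distributed firewall if either endpoint is a VM inside the DC."""
    src_int = ip_address(src_ip) in INTERNAL
    dst_int = ip_address(dst_ip) in INTERNAL
    path = []
    if not (src_int and dst_int):
        path.append(perimeter)
    if src_int or dst_int:
        path.append(dfw)
    return path


def simulate_flow(src_ip, dst_ip, port, perimeter, dfw) -> Tuple[bool, List[Tuple[str, str]]]:
    """End-to-end verdict plus a per-hop trace; one deny anywhere blocks the flow."""
    trace, allowed = [], True
    for ep in enforcement_path(src_ip, dst_ip, perimeter, dfw):
        verdict = ep.decide(src_ip, dst_ip, port)
        trace.append((ep.name, verdict))
        allowed = allowed and verdict == "allow"
    return allowed, trace


def simulate_application(required_flows, perimeter, dfw) -> List[dict]:
    """Connectivity simulation: return the required flows that would NOT work and where they break."""
    broken = []
    for src_ip, dst_ip, port in required_flows:
        ok, trace = simulate_flow(src_ip, dst_ip, port, perimeter, dfw)
        if not ok:
            broken.append({"flow": (src_ip, dst_ip, port),
                           "blocked_at": [name for name, v in trace if v != "allow"]})
    return broken


def check_change(rule: Rule) -> List[str]:
    """Constructed compliance guardrails a proposed allow rule must pass before provisioning."""
    violations = []
    if rule.action != "allow":
        return violations  # tightening changes are not reviewed by these guardrails
    if rule.port is None:
        violations.append("allow rule with no port restriction is overly permissive")
    src_net = None if rule.src == "any" else ip_network(rule.src)
    dst_net = None if rule.dst == "any" else ip_network(rule.dst)
    web_443 = dst_net is not None and dst_net.subnet_of(TIERS["web"]) and rule.port == 443
    if src_net is None and not web_443:
        violations.append("source 'any' is only allowed toward the web tier on 443")
    if dst_net is not None and dst_net.subnet_of(TIERS["db"]):
        if src_net is None or not src_net.subnet_of(TIERS["app"]):
            violations.append("db tier may only be reached from the app tier")
    return violations


def build_environment() -> Tuple[EnforcementPoint, EnforcementPoint]:
    """Constructed baseline policy for a three-tier application."""
    perimeter = EnforcementPoint("perimeter-fw", [Rule("any", "10.1.1.0/24", 443, "allow")])
    dfw = EnforcementPoint("nsx-dfw", [
        Rule("any", "10.1.1.0/24", 443, "allow"),           # internet -> web
        Rule("10.1.1.0/24", "10.1.2.0/24", 8080, "allow"),  # web -> app
        Rule("10.1.2.0/24", "10.1.3.0/24", 5432, "allow"),  # app -> db
    ])
    return perimeter, dfw


# Constructed change request: flows a new application claims to need.
REQUESTED_FLOWS = [
    ("203.0.113.10", "10.1.1.5", 443),  # client -> web
    ("10.1.1.5", "10.1.2.7", 8080),     # web -> app
    ("10.1.2.7", "10.1.3.9", 5432),     # app -> db
    ("10.1.1.5", "10.1.3.9", 5432),     # web -> db directly; segmentation should block this
]

if __name__ == "__main__":
    perimeter, dfw = build_environment()
    for item in simulate_application(REQUESTED_FLOWS, perimeter, dfw):
        print("would fail:", item)
    proposed = Rule("10.1.1.0/24", "10.1.3.0/24", 5432, "allow")  # the "fix" the app team asks for
    print("guardrail violations for proposed rule:", check_change(proposed))
```

Running it reports that the web-to-db flow is blocked at the distributed firewall, and that the rule an application team might request to "fix" that flow violates the guardrail requiring the db tier to be reached only from the app tier. That is the point of doing the simulation and the policy check before provisioning: the change is either redesigned (route the query through the app tier) or escalated with the violation attached, rather than discovered in production.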

For additional information on migrating to the SDDC, click here to see Tufin's white paper.
