Network Abstraction: Setting the Stage for the Future of Network Security Automation

As networking and network security professionals, we are all faced with challenges. While every company has its unique set of issues, if I had to categorize the main challenges our customers face, I would break them out this way:

  • Complexity and Criticality: Networks have always been complex systems to manage, but nowadays networks have also become critical for delivering business solutions. Not only are these systems more complex, but companies are more reliant on them than ever.
  • Limited Resources: As the number of projects increases, the workload on network and security teams is constantly growing. At the same time, teams are often undergoing downsizing and outsourcing.
  • Constant Change: The reliance of business on IT, combined with the dynamic, competitive nature of modern business, is accelerating the pace of change. Every day we process dozens of change requests to enable new access, new services and new applications, all of which need to happen ASAP.
  • Security, Risk & Compliance: While trusted to maintain a working network and deliver uninterrupted business services, network security teams are also required to protect corporate assets and reputation. This demands tighter and stricter means of control and compliance.

These challenges, more often than not, present a tradeoff. You can't chip away at one without causing another one to spike. For example: you want to improve and tighten security and compliance controls? No problem. Increase the SLA - it will give the security team enough time to review every change request, but it will also slow down the rate of change. Want to avoid the bottleneck? No problem. Hire more security engineers. No budget? OK, just sample the rule bases rather than reviewing each and every rule.

But a closer look reveals a common denominator to the problems above - they are all related to the computerization of business.

The last decade has seen exponential growth in computerization, which has forced businesses to rethink their IT architecture in order to keep up with the pace and remain competitive (see also "Consumerization"). While some aspects of IT have already been automated to cope with the accelerated pace of business, such as user management, server management and application release management, network change automation is still lagging.

It is now time to implement network automation and to bring this IT silo up to speed with the other ones. But in order to automate a network, some magic is required.

Unlike servers and users, which are mostly standalone items, networks are complex systems with a lot of interdependence. An effective network automation solution must take a holistic approach. It must be able to implement changes across multiple subnets and technologies from different vendors with minimal human intervention. It should also be able to take security factors into consideration and to deliver continuous compliance.

At Tufin, we call this magic the "network abstraction layer". It's a network model that includes routing, NAT, security policies, layer 2.5 configurations, virtualization, load balancing and more, all hidden away from an end user who can make a simple request: "allow these two systems to communicate with each other".

A good network abstraction layer enables a computer to design network changes accurately and securely - this is the future of network automation.
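To make the idea concrete, here is a small added example (not Tufin's code, and not from the original post) that turns an "allow these two systems to communicate" request into per-firewall rule changes. The zone names, addresses, firewall names and policy are constructed, and the model covers only topology, rule bases and a zone-to-zone compliance check, leaving out NAT, layer 2.5 and load balancing.

```python
import ipaddress
from collections import deque

# Constructed sample model: zones (subnets), the firewalls that join them,
# each firewall's current rule base, and a zone-to-zone compliance policy.
ZONES = {"users": "10.1.0.0/16", "dmz": "10.2.0.0/16", "db": "10.3.0.0/16"}
FIREWALLS = {
    "fw-edge": {"links": ("users", "dmz"), "rules": [("10.1.0.0/16", "10.3.0.0/16", 5432)]},
    "fw-core": {"links": ("dmz", "db"), "rules": []},
}
FORBIDDEN = {("dmz", "users")}  # zone pairs the security policy never allows

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, cidr in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    raise ValueError(f"{ip} is not in any modelled zone")

def path(src_zone, dst_zone):
    """BFS over zones; returns the ordered firewalls the flow crosses."""
    queue, seen = deque([(src_zone, [])]), {src_zone}
    while queue:
        zone, hops = queue.popleft()
        if zone == dst_zone:
            return hops
        for fw, cfg in FIREWALLS.items():
            if zone in cfg["links"]:
                nxt = cfg["links"][0] if cfg["links"][1] == zone else cfg["links"][1]
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, hops + [fw]))
    raise ValueError(f"no route from {src_zone} to {dst_zone}")

def permits(rule, src, dst, port):
    rsrc, rdst, rport = rule
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rsrc)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rdst)
            and port == rport)

def design_change(src, dst, port):
    """Turn 'allow src to reach dst on port' into per-firewall rule additions."""
    sz, dz = zone_of(src), zone_of(dst)
    if (sz, dz) in FORBIDDEN:
        raise PermissionError(f"policy forbids {sz} -> {dz}")
    return [(fw, (f"{src}/32", f"{dst}/32", port)) for fw in path(sz, dz)
            if not any(permits(r, src, dst, port) for r in FIREWALLS[fw]["rules"])]
```

The requester never names a firewall: the model finds every device on the path, skips those that already permit the flow, and rejects requests that violate the zone policy before any change is designed.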

We all know there are no silver bullets. But we do have incremental wins, and the network abstraction layer is one that addresses each challenge listed above in a meaningful way, and without causing any spikes. Last week, there was a major ATM hack in the US, and that is sure to be overshadowed soon enough by some other security incident.

We hear about security failures all the time - why not take a minute to recognize progress?