Hands-Off Security: Automating & Virtualizing the Enterprise Network

A series of recent tech events demonstrate that enterprises are increasingly using virtualized automation to improve their network-security posture – but perhaps no tool is perfect.

Joe Stanganelli, Attorney & Marketer

May 31, 2018

4 Min Read

A few years ago, Brad Schaefbauer, Boeing's cloud design and integration specialist, deployed a continuous-integration pipeline and virtual sandbox to fully automate what has long been the biggest network-security pain point to users and IT administrators alike -- patch management.

It was also done with a single virtualized cloud foundation.

Now, Schaefbauer says, this process has been scaled out across a multicloud environment spanning three data centers, with two cloud foundations per data center -- meaning no waiting time for patches and updates.

"We have one that's production workload, and no people touch that ever. It's all completely robot[ic] pipelines; nobody can log into it," said Schaefbauer in a presentation at Cloud Foundry Summit last month. "That's a requirement. That's a restriction. There's no other way around it."

(Source: Flickr)

(Source: Flickr)

Such no-humans-allowed "restriction" combined with network redundancy purportedly bears with it yet additional benefit for both security and business continuity and disaster recovery (BC/DR) flexibility. Instead of experiencing full network outages, Schaefbauer said, Boeing sees its applications automatically fail over to other foundations -- even across data centers when necessary.

Balancing containers
Little surprise, then, that Schaefbauer went on to say that Boeing has plans to escalate its virtualized security efforts -- in particular, through containerization. Still, Schaefbauer expressed agility concerns.

"We're going to have some applications that are Dockerized in Cloud Foundry, but whenever you Dockerize something, [there is always a] technical debt possibility," said Schaefbauer. "We repave stuff every week [so] it's never out of date."

Still, because of tenancy issues, multicloud and containerization often go hand in hand as a matter of balancing network agility and network security. Moreover, containers allow for better data migration and business continuity -- particularly in a multicloud environment.

"What we see is that more and more enterprises are convinced -- or are getting convinced -- that they need… to move way faster [and] automate a lot of stuff," Daniel Hekman, head of business development at software and IT solutions firm Grape Up, told Security Now. "[With a] multicloud approach, enterprises, if they want, can [easily migrate] from one cloud service provider to another."

"We are seeing a shift to containerization," confirmed Terry Smith, a senior director at Penguin Computing, in an interview at the Bio-IT World Conference & Expo earlier this month. "The whole [point of a] virtualization platform is to isolate jobs... We have to worry about those public instances where you have multiple tenants."

Here, Smith specifically pointed to the problems of possible privilege-escalation exploits in Docker. Granted, Docker patched this vulnerability nearly 18 months ago, but even assuming up-to-date patch management in a given enterprise, containers in general are renowned for having isolation issues -- especially if they are not run within hypervisors. Runtime-tailored mini-VMs known as unikernels hold substantial security and performance advantages over containers, but they do generally require more orchestration. (See: Unknown Document 743449.)

Properly picturing SD-WAN
All this is to say that virtualized automation cannot always be the be-all and end-all of optimized network security -- each virtualization mechanism bearing its own pros and cons list. For instance, in a recent interview with Security Now sister site Light Reading, Verizon Verizon Communications Inc. (NYSE: VZ) vice president of product management and development Vickie Lonker explained that, where SD-WAN is concerned, software-defined security and software-defined WAN optimization can be two different -- even competing -- things. (See: Unknown Document 743449.)

On this point, Joel Mulkey, Founder and CEO of Bigleaf Networks, is similarly emphatic that because SD-WAN's primary unique selling proposition (USP) network optimization, trying to concurrently use it as a security solution is inherently problematic for network orchestration.

"Most SD-WAN solutions want to be your security platform as well," Mulkey told Security Now last week at the MIT Sloan CIO Symposium, "Use [your internal security] solutions... and use a dedicated SD-WAN solution."

Of course, not everyone agrees with this assessment of SD-WAN's cybersecurity suitability. According to Shawn Hakl, vice president of business networks and security solutions at Verizon, SD-WAN is unique for its enormous practical and theoretical potential for customizing just the right blend of encryption, identity and access management, and packet optimization. (See: Security Takes On Malicious DNA (Files).)

Perhaps it all depends upon whomever happens to be orchestrating the network. Mulkey, for his part, criticizes traditional SD-WAN strategy (at least, to the extent that anything related to SD-WAN at this point could be considered "traditional") as running along the lines of a network engineer aiming to perfectly orchestrate "the picture in [their] brain" -- and failing.

"The picture in your brain is not perfect," Mulkey warned with a smile. "Think about other things, like security."

Related posts:

—Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.

Read more about:

Security Now

About the Author

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights