Automate security orchestration across platforms, environments

IT security professionals sometimes have a tough choice: put reins on the business until all necessary security controls are in place, or let the business run at the pace it wants with security controls that may have weaknesses or gaps? A new security orchestration platform from NetCitadel aims to resolve that conflict by automating security changes across multiple platforms and within physical, virtual and cloud environments.

There are three megatrends that are colliding to make work a real challenge for the IT security professional. First of all are the disruptive changes enterprise environments have gone through over the last couple of years. There has been heavy adoption of virtualization and now we are contending with cloud computing and BYOD (bring your own device). All of these things make the enterprise environment much more dynamic.

Second, these technology shifts have vastly changed business leaders' expectations of IT, putting time pressures on IT groups. Businesses are now looking for IT to respond in hours or even minutes compared to what used to be days or weeks. Need to bring a new server online to support a new business application? It better be done today, not in a couple of weeks.

And third is the continuously evolving set of threats -- advanced persistent threats, malware, botnets, and even the recent problem with Java. In its 2013 Annual Security Report, Cisco says there has been a significant increase in security threats to IT infrastructure. According to Cisco, serious threats in 2012 increased 19.8% over what we experienced in 2011.


The confluence of these megatrends and the rapid-fire changes to enterprise computing have resulted in IT security professionals struggling to keep up with network security infrastructure. They are often forced to make a tradeoff between putting in all the controls necessary to protect the business, and letting the business run at the pace it wants with security controls that may have weaknesses or gaps.

Let's put this in context with the well-established change management process around security that IT has adhered to for the last 10 to 15 years. There are typically four steps to the process:

  1. Detect and understand that there's a change. For example, a server admin might create a virtual server. Then he needs to submit a change request that says, "I created a virtual server and I need it to have the access controls that are appropriate for my ERP server."
  2. Analyze the data and figure out what it means. A security person needs to know what changes to make and which devices are affected. Firewalls? Switches? Routers? Other devices?
  3. Craft the right security rules. Depending on the equipment involved, the security guy needs to develop the right rules. Most enterprise environments have at least two or three vendors doing different types of security enforcement, which means understanding how to talk to the different devices; for example, a Cisco ASA and a Juniper SRX.
  4. Deploy the changes to the affected systems. Making changes manually to all the necessary devices can take some time and be prone to mistakes.

If you think about the resource intensity of this established process, it just doesn't scale for today's environments.

Startup NetCitadel Inc. has created a new approach and new technology that brings automation and orchestration to address these problems. With its OneControl Security Orchestration Platform, NetCitadel centralizes network security intelligence across a variety of network environments and vendor equipment. [Also see: "Startup NetCitadel aims to orchestrate security management controls in virtualized nets"]

The OneControl Security Orchestration Platform is a virtual appliance that automatically orchestrates security intelligence by mapping context about physical, virtual and cloud environments to a range of security infrastructure and vendor devices. This platform addresses all four steps of the process outlined above.

Starting with the detection element of the process, NetCitadel uses APIs to connect to infrastructure management systems. For example, the VMware event bus would notify OneControl in real time that there's a new server, or OneControl can also automatically detect changes in the Amazon EC2 cloud. There's no manual process of waiting for the server admin to submit the change request and somebody picking up that change request.

Once OneControl detects a change, it looks at the business logic to understand what devices will be impacted. NetCitadel built in the ability to create relationships and define mappings of different information; for example, resource pool information from a virtualization system like VMware vCenter can be mapped to a security device like a Cisco ASA firewall.

The next step is to craft the security policies. OneControl has a library of device configuration translators that enable the solution to communicate to different devices and different kinds of platforms in their native languages across cloud, virtual and physical environments. The platform can speak the right version of the Cisco ASA language to the Cisco devices, and the right version of the Juniper language to the Juniper devices. In the future OneControl will support devices from CheckPoint Systems and Palo Alto Networks, among others.

The idea is to understand and define security policies in terms that are abstracted away from a particular individual security device. Instead of thinking of security policies in terms of a Cisco configuration or a Juniper configuration, NetCitadel allows IT administrators to think of security policies independently. Then they can decide which devices they want those policies to be run on. This gives the flexibility and capability of not being tied to a specific vendor.

And finally there's the deployment piece where the organization pushes the necessary changes out into a live system. With OneControl this process uses a deployment engine which can touch a lot of different devices across networking environments in real time all at once.

Going back to the example of creating a new virtual server: in the manual process, a server admin creates a new server and it can take days or weeks to get that server's security policies online and functioning. With the OneControl security orchestration platform servicing the same request, the security policies can be up and running in minutes.
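The following Python script, added here as an illustration and not code from NetCitadel or OneControl, models the four-step flow the article describes: an infrastructure event (a new server in a resource pool) is analyzed against operator-defined mappings, turned into vendor-neutral rules, rendered into the native syntax of each enforcing device, and handed to a deployment step together with an audit record that marks the change as automated. The event shape, the pool-to-policy and pool-to-device mappings, the device names and the IP addresses are all constructed for the example; the Cisco ASA and Junos command formats are simplified illustrations of the kind of per-vendor translation the platform performs, not its actual translator output.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """Vendor-neutral policy: what to allow or deny, independent of any firewall syntax."""
    name: str
    protocol: str      # "tcp" or "udp"
    dest_port: int
    action: str        # "permit" or "deny"


@dataclass(frozen=True)
class InfraEvent:
    """A change notification from an infrastructure manager (hypothetical shape)."""
    source: str        # e.g. "vcenter" or "ec2"
    kind: str          # e.g. "server_created"
    host_ip: str
    resource_pool: str


# Constructed context standing in for the mappings an operator would define:
# resource pool -> policies that apply, and resource pool -> enforcing devices.
POLICIES: Dict[str, Rule] = {
    "erp-web": Rule("erp-web", "tcp", 443, "permit"),
    "erp-db": Rule("erp-db", "tcp", 1433, "deny"),
}
POOL_POLICIES: Dict[str, List[str]] = {"erp-pool": ["erp-web", "erp-db"]}
POOL_DEVICES: Dict[str, List[Tuple[str, str]]] = {
    "erp-pool": [("dc-asa-1", "cisco_asa"), ("edge-srx-1", "juniper_srx")],
}


def render_asa(rule: Rule, host_ip: str) -> List[str]:
    """Render the abstract rule as a Cisco ASA extended ACL line (illustrative)."""
    return [
        f"access-list OUTSIDE_IN extended {rule.action} {rule.protocol} "
        f"any host {host_ip} eq {rule.dest_port}"
    ]


def render_srx(rule: Rule, host_ip: str) -> List[str]:
    """Render the same rule as Junos 'set' commands for an SRX (illustrative)."""
    addr = "HOST_" + host_ip.replace(".", "_")
    app = f"{rule.name}-{rule.protocol}-{rule.dest_port}"
    then = "permit" if rule.action == "permit" else "deny"
    pol = f"set security policies from-zone untrust to-zone trust policy {rule.name}"
    return [
        f"set security zones security-zone trust address-book address {addr} {host_ip}/32",
        f"set applications application {app} protocol {rule.protocol} destination-port {rule.dest_port}",
        f"{pol} match source-address any",
        f"{pol} match destination-address {addr}",
        f"{pol} match application {app}",
        f"{pol} then {then}",
    ]


# Library of device configuration translators, keyed by vendor platform.
TRANSLATORS: Dict[str, Callable[[Rule, str], List[str]]] = {
    "cisco_asa": render_asa,
    "juniper_srx": render_srx,
}


def orchestrate(event: InfraEvent, audit: List[dict]) -> Dict[str, List[str]]:
    """Steps 2-4: analyze the event, craft per-device rules, build the deployment set.

    Returns {device_name: [commands]} for a deployment engine to push. An unmapped
    pool or an unsupported vendor raises instead of silently leaving the new host
    without its policies."""
    if event.resource_pool not in POOL_POLICIES:
        raise ValueError(f"no policy mapping for resource pool {event.resource_pool!r}")
    plan: Dict[str, List[str]] = {}
    for device, vendor in POOL_DEVICES[event.resource_pool]:
        translator = TRANSLATORS.get(vendor)
        if translator is None:
            raise ValueError(f"no translator for vendor {vendor!r} on {device}")
        commands: List[str] = []
        for policy_name in POOL_POLICIES[event.resource_pool]:
            commands.extend(translator(POLICIES[policy_name], event.host_ip))
        plan[device] = commands
        # Audit record distinguishes automated changes from human ones.
        audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "trigger": f"{event.source}:{event.kind}:{event.host_ip}",
            "device": device,
            "actor": "orchestrator",
            "command_count": len(commands),
        })
    return plan


if __name__ == "__main__":
    log: List[dict] = []
    evt = InfraEvent("vcenter", "server_created", "10.20.30.40", "erp-pool")
    for dev, cmds in orchestrate(evt, log).items():
        print(dev)
        for c in cmds:
            print("  " + c)
    print(log)
```

The deployment step is left as a returned plan rather than an SSH session so the script runs offline; the point it makes is the one the article makes, that the policy is written once in vendor-neutral terms and the translator, not the administrator, produces the per-device syntax, with every push recorded against the event that triggered it.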

The only thing that an organization needs to install is the OneControl virtual appliance. All of the connectors and language translators are built into the appliance so users do not need to make any changes on their existing environment in order to have the OneControl solution dynamically update security devices with infrastructure information.

Ken Dobbins is the service manager at Kenettek Network and Systems Services, a managed service provider and hosting service that caters to small and medium businesses. In the past year, Kenettek has begun to offer more disaster recovery services as well as VMware and Microsoft hosting for customers. The company is a Juniper shop, using the JUNOS SRX platform. Dobbins heard about NetCitadel developing a cross-platform security orchestration solution and requested to be a beta tester. He has used OneControl for about six months.

"The biggest benefit of OneControl is that it has simplified my job," says Dobbins. "Without it, I would spend more time than I care to doing port management and static NAT control and dynamic NAT control. It has brought a true level of automation that I've never really experienced before in the Juniper world. I have worked with similar products for Cisco but never anything in the Juniper world or especially the cross-platform world like this."

Dobbins says he gets a more holistic view of his infrastructure using OneControl. "I have my monitoring solutions. They allow me to see routing tables, IP status, interface status," says Dobbins. "But I couldn't see the actual level of what was forwarded where, or if there was something open, or if there was a problem with a policy without going into the router. Now we keep very strict details of what the policies are supposed to be and OneControl allows us to see a single view if there is an issue with anything. It also keeps a very strong audit log of the changes that occur so I know, not only when somebody makes a change, but also when an automated change occurs."

Kenettek is in trials with Amazon EC2 for cloud hosting. Dobbins actually chose this cloud because of NetCitadel's integration with EC2 and the ability to automate firewall management in that environment. "Using OneControl to maintain security with our cloud instances will save us a lot of time," says Dobbins. "Also, I really like the fact that it does not install anything into the routers. It explicitly uses the router's native language and connects to it using SSH. It's basically running the same commands that I would ordinarily be typing, but I don't have to do it manually."

NetCitadel can help accelerate cloud adoption by integrating security controls with cloud systems so that an organization can now get the security policies that follow applications and workloads no matter where they are deployed in the cloud. This reduces the challenges that have arisen in the past around being able to deploy either internal or external cloud and having the confidence that security controls are in place.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.

______________________________________________________________

About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
