I have a very distinct memory about a conversation I had with a colleague in the mid-to-late 1990s about how NetWare worked. I told him that file and print services resided “in the network” but he couldn’t get his arms around this concept. He continually pushed back by saying things like, “well the printers and file servers have to be plugged into the network so isn’t NetWare just running on these devices?”
His assumption was somewhat accurate since NetWare did control physical file servers and printers. What he didn’t get however was that NetWare made physical network devices subservient to a global and virtual file and print services. Before NetWare (and similar technologies like Sun’s NFS), you had to have a physical connection to a device and/or control these connections on a device-by-device basis. Novell radically changed this by using software to abstract connections. This made it much easier to point users at local printers and file shares while applying central access controls for security and privacy.
Why am I strolling down memory LAN (author’s note: I am pretty proud of this pun)? Because we face a similar changing situation today with regard to network security and cloud computing. I contend that security has been a prisoner of the network over the past 20 years.
During this timeframe, large organizations deployed an army of network security devices to filter or at least inspect IP packets for security purposes. As organizations added more servers and more network traffic, they were forced to add more network security devices. This required a series of unnatural acts like moving traffic to and fro so it could pass by various security checkpoints. Security and network engineers also created security zones with physical and virtual network segmentation, and employed teams of people to create and manage ACLs, firewalls, WAFs, etc.
Not surprisingly, network security has become incredibly complex, cumbersome, and fragile as a result of layers upon layers of network imprisonment. It now takes a heroic effort from cybersecurity and network operations team to keep up with these challenges.
Fast forward to 2015 and there is a radical change occurring. IT initiatives like server virtualization, cloud computing, NFV, and SDN are game changers poised to break the tight coupling between cybersecurity and the network.
Now this breakup is still in its early stages and like the song says: Breaking up is hard to do. For example, ESG research reveals that 60% of organizations say they are still learning how to apply network security policies (and policy enforcement) to public/private cloud infrastructure. Furthermore, 60% of organizations say that their network security operations and processes lack the right level of automation and orchestration necessary for public/private cloud computing infrastructure (note: I am an ESG employee).
As painful as this separation is today, CISOs and network engineers must understand that there may be a network security rainbow on the horizon. Just as NetWare turned file and print into a productive and operationally-efficient virtual network service, there are a number of technology trends and innovations that could enable CISOs to virtualize and distribute network security services across the entire network. For example:
- Foundational technologies like SDN, NFV, Cisco ACI and VMware NSX.
- Cloud security monitoring tools from HyTrust, ThreatConnect, and SkyHigh Networks as well as cloud connectors for ArcSight, QRadar, RSA, and Splunk.
- NetWare-like network security services software from CloudPassage, Illumio, and vArmour.
- Network security orchestration tools from firms like RedSeal and Tufin.
- Virtual editions of leading physical network security products from vendors like Check Point, Fortinet, Juniper, and Palo Alto Networks.
A few years ago, VMware declared that organizations could actually improve their cybersecurity positions by embracing server virtualization. While this seemed like blasphemy at the time, VMware was absolutely right. And the addition of the technologies and trends I mention above makes this statement even more possible. In order to get there however, CIOs, CISOs, and networking professionals have to think differently. Rather than try to emulate physical network security in the cloud, cybersecurity and networking staff must embrace virtual network security services, learn how to use them, and understand how to use them to improve security efficacy and operational efficiency.
Back in the 1990s, NetWare transformed file and print services and introduced an army of skilled IT professionals with CNE certifications. Over the next few years, we will see a similar revolution as security sheds its physical network shackles and assumes a role of virtual network services.