Automate security orchestration across platforms, environments

IT Best Practices Alert By Linda Musthaler, Network World
February 08, 2013 11:58 AM ET

Network World - There are three megatrends that are colliding to make work a real challenge for the IT security professional. First of all are the disruptive changes enterprise environments have gone through over the last couple of years. There has been heavy adoption of virtualization and now we are contending with cloud computing and BYOD (bring your own device). All of these things make the enterprise environment much more dynamic.

Second, these technology shifts have vastly changed business leaders' expectations of IT, putting time pressures on IT groups. Businesses are now looking for IT to respond in hours or even minutes compared to what used to be days or weeks. Need to bring a new server online to support a new business application? It better be done today, not in a couple of weeks.

And third is the continuously evolving set of threats -- advanced persistent threats, malware, botnets, and even the recent problem with Java. In its 2013 Annual Security Report, Cisco says there has been a significant increase in security threats to IT infrastructure. According to Cisco, serious threats in 2012 increased 19.8% over what we experienced in 2011.

The confluence of these megatrends and the rapid-fire changes to enterprise computing have resulted in IT security professionals struggling to keep up with network security infrastructure. They are often forced to make a tradeoff between putting in all the controls necessary to protect the business, and letting the business run at the pace it wants with security controls that may have weaknesses or gaps.

Let's put this in context with the well-established change management process around security that IT has adhered to for the last 10 to 15 years. There are typically four steps to the process:

  1. Detect and understand that there's a change. For example, a server admin might create a virtual server. Then he needs to submit a change request that says, "I created a virtual server and I need it to have the access controls that are appropriate for my ERP server."
  2. Analyze the data and figure out what it means. A security person needs to know what changes to make and which devices are affected. Firewalls? Switches? Routers? Other devices?
  3. Craft the right security rules. Depending on the equipment involved, the security guy needs to develop the right rules. Most enterprise environments have at least two or three vendors doing different types of security enforcement, which means understanding how to talk to the different devices; for example, a Cisco ASA and a Juniper SRX.
  4. Deploy the changes to the affected systems. Making changes manually to all the necessary devices can take some time and be prone to mistakes.

If you think about the resource intensity of this established process, it just doesn't scale for today's environments.

Startup NetCitadel Inc. has created a new approach and new technology that brings automation and orchestration to address these problems. With its OneControl Security Orchestration Platform, NetCitadel centralizes network security intelligence across a variety of network environments and vendor equipment. [Also see: "Startup NetCitadel aims to orchestrate security management controls in virtualized nets"]

The OneControl Security Orchestration Platform is a virtual appliance that automatically orchestrates security intelligence by mapping context about physical, virtual and cloud environments to a range of security infrastructure and vendor devices. This platform addresses all four steps of the process outlined above.

Starting with the detection element of the process, NetCitadel uses APIs to connect to infrastructure management systems. For example, the VMware event bus notifies OneControl in real time that there is a new server, and OneControl can also automatically detect changes in the Amazon EC2 cloud. There is no manual process of waiting for the server admin to submit a change request and for somebody to pick that request up.

Once OneControl detects a change, it looks at the business logic to understand what devices will be impacted. NetCitadel built in the ability to create relationships and define mappings of different information; for example, resource pool information from a virtualization system like VMware vCenter can be mapped to a security device like a Cisco ASA firewall.

The next step is to craft the security policies. OneControl has a library of device configuration translators that enable the solution to communicate to different devices and different kinds of platforms in their native languages across cloud, virtual and physical environments. The platform can speak the right version of the Cisco ASA language to the Cisco devices, and the right version of the Juniper language to the Juniper devices. In the future OneControl will support devices from CheckPoint Systems and Palo Alto Networks, among others.

The idea is to understand and define security policies in terms that are abstracted away from a particular individual security device. Instead of thinking of security policies in terms of a Cisco configuration or a Juniper configuration, NetCitadel allows IT administrators to think of security policies independently. Then they can decide which devices they want those policies to be run on. This gives the flexibility and capability of not being tied to a specific vendor.

And finally there's the deployment piece, where the organization pushes the necessary changes out into a live system. With OneControl this step uses a deployment engine that can touch many different devices across networking environments in real time, all at once.
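As an added illustration (not NetCitadel's code or OneControl's actual translators), here is a small Python model of the detect/analyze/craft/deploy loop described above: a "VM created" event is mapped from a vCenter resource pool to a logical host group, the vendor-neutral policy for that group is rendered once per enforcement device by a translator function, and the rendered lines are what a deployment engine would push. The event format, the mapping table, the policy set and the simplified ASA- and SRX-style output lines are all assumptions made for the example.

```python
"""Vendor-neutral policy orchestration modelled on detect/analyze/craft/deploy.
Assumed example, not NetCitadel's code: event, mapping and syntax are illustrative."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:            # abstract rule, independent of any vendor
    name: str
    group: str           # logical host group the rule protects
    ports: tuple         # TCP ports allowed into the group
    src_zone: str = "users"

# Step 2 (analyze): business logic mapping infrastructure context to security
# objects. Constructed: vCenter resource pool name -> logical group.
RESOURCE_POOL_TO_GROUP = {"RP-ERP": "erp_servers", "RP-WEB": "web_servers"}
POLICIES = {
    "erp_servers": Policy("erp_app", "erp_servers", (443, 8000)),
    "web_servers": Policy("web_app", "web_servers", (80, 443)),
}

# Step 3 (craft): device translators. Each renders the same abstract policy in a
# simplified ASA- or SRX-style syntax (illustrative, not a vendor's full grammar;
# the SRX lines assume applications named tcp-<port> are already defined).
def render_asa(pol: Policy, host_ip: str) -> list[str]:
    lines = [f"object-group network {pol.group}", f" network-object host {host_ip}"]
    for p in pol.ports:
        lines.append(f"access-list {pol.src_zone}_in extended permit tcp any "
                     f"object-group {pol.group} eq {p}")
    return lines

def render_srx(pol: Policy, host_ip: str) -> list[str]:
    addr = f"{pol.group}_{host_ip}"
    lines = [f"set security address-book global address {addr} {host_ip}/32",
             f"set security address-book global address-set {pol.group} address {addr}"]
    for p in pol.ports:
        lines.append(f"set security policies from-zone {pol.src_zone} to-zone dmz "
                     f"policy {pol.name} match source-address any "
                     f"destination-address {pol.group} application tcp-{p}")
    return lines

TRANSLATORS = {"cisco_asa": render_asa, "juniper_srx": render_srx}

# Steps 1 and 4 (detect, deploy): a "VM created" event from the virtualization
# layer is rendered for every enforcement device; a deployment engine would push
# the returned lines. An unmapped pool yields no change (and should be alerted on).
def handle_vm_created(event: dict, devices: dict) -> dict:
    group = RESOURCE_POOL_TO_GROUP.get(event["resource_pool"])
    if group is None:
        return {}
    pol = POLICIES[group]
    return {dev: TRANSLATORS[vendor](pol, event["ip"]) for dev, vendor in devices.items()}
```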

Going back to the example of creating a new virtual server: in the highly manual process, a server admin creates a new server and it can take days or weeks to get that server's security policies online and functioning. With the OneControl security orchestration platform servicing the request, the security policies can be up and running in minutes.

The only thing that an organization needs to install is the OneControl virtual appliance. All of the connectors and language translators are built into the appliance so users do not need to make any changes on their existing environment in order to have the OneControl solution dynamically update security devices with infrastructure information.

Linda Musthaler is a principal analyst with Essential Solutions Corporation.