Friday, January 29, 2016

Software Defined Security not in 2016

So, I'm wondering why Software Defined Security didn't take off the way the SDx of most everything else did.

I was on a call recently with one of the big analyst organizations.  When I asked a very specific question about Software Defined Security, it became very apparent that any of the promises of circa 2014 should be forgotten.

Let's take a stroll down memory lane for a refresher:

  1. Simplicity
  2. Automation
  3. Scalability and Flexibility
  4. Cost Effectiveness
  5. Increased Security


Which got me thinking about why.  I took the next 15 min at my whiteboard and came up with this.  It's not all-inclusive, it's just what I could come up with quickly.

[Figure: Value Chain Mapping Security Entrypoints]

Mobile Device Management isn't working out so great when it places itself above the user experience.  I'm just going to come out and say, it didn't work.

Then, looking at the variety of combinations of "layers of security" applied to secure an application delivery, simplicity is simply out the door.  Some of these (identified in red) require a specialist.

Automation, while possible, covers the aspect or profile of the security control mechanism.  Putting an automation wrapper around all of it, well that's just gruesome.  The best methods available today are layered automation by mechanism with some of these still requiring zero-touch provisioning capability.

Given where and how these different security functions need to be applied, scalability needs to be in relationship to something.  What can you choose as the focus when these functions all apply at different levels and locations?

Flexibility pretty much follows scalability.

Cost effectiveness.  Now, if you apply the cost of maintenance of devices, operating systems, security applications, application delivery frameworks, people, programmers and the application itself, this just doesn't look like it is going to be easy to optimize.

The final item really requires reducing the attack surface to an absolute minimum.  We're running new applications, on new and old software, on new and old operating systems, with new (and old) flaws and exposures.  Increased Security has to be in relationship to something, like the absolute elimination of attack points in the application delivery.  Easy enough to do if you don't want the application to work, not so easy when there are zero-day exploits announced all the time, exploits that take advantage of possibilities not even envisioned when the software was designed for any of the devices or software relationships in the path.

The contention here is that the application delivery model has to change before Software Defined Security can holistically assume the advantages applied to other constructs of the SDx model.

In any case, I don't believe 2016 or 2017 will be the year of Software Defined Security.
