So, I'm wondering why Software Defined Security didn't take off the way the SDx of most everything else did.
I was on a call recently with one of the big analyst organizations. When I asked a very specific question about Software Defined Security, it became very apparent that any of the promises of circa 2014 should be forgotten.
Let's take a stroll down memory lane for a refresher:
- Simplicity
- Automation
- Scalability and Flexibility
- Cost Effectiveness
- Increased Security
Which got me to thinking why. I took the next 15 min at my whiteboard and came up with this. It's not all-inclusive; it's just what I could come up with quickly.
Mobile Device Management isn't working out so great when it places itself above the user experience. I'm just going to come out and say, it didn't work.
Then, looking at the variety of combinations of "layers of security" applied to secure an application delivery, simplicity is simply out the door. Some of these (identified in red) require a specialist.
Automation, while possible, covers the aspect or profile of the security control mechanism. Putting an automation wrapper around all of it, well, that's just gruesome. The best methods available today are layered automation by mechanism, with some of these still requiring zero-touch provisioning capability.
With where and how these different security functions need to be applied, scalability needs to be in relationship to something. What can you choose as the focus when these functions all apply at different levels and locations?
Flexibility pretty much follows scalability.
Cost effectiveness. Now, if you apply the cost of maintenance of devices, operating systems, security applications, application delivery frameworks, people, programmers and the application itself, this just doesn't look like it is going to be easy to optimize.
The final item really requires the attack surface reduction to absolute minimums. We're running new applications, on new and old software, on new and old operating systems, with new (and old) flaws and exposures. Increased Security has to be in relationship to something, like the absolute elimination of attack points in the application delivery. Easy enough to do if you don't want the application to work, not so easy when there are zero-day exploits announced all the time. Exploits that take advantage of possibilities not even envisioned when the software was designed for any of the devices or software relationships in the path.
The contention here is that the application delivery model has to change before Software Defined Security can holistically assume the advantages applied to other constructs of the SDx model.
In any case, I don't believe 2016 or 2017 will be the year of Software Defined Security. #mapping