Can cloud providers trust their orchestration software with security?

Even with orchestration software to automate security controls, many cloud providers find comfort in manual processes -- despite the inefficiencies.

Cloud orchestration software is the workhorse behind service providers' ability to provide rapid provisioning for an on-demand, self-service delivery model. But while orchestration has been wholeheartedly embraced in many parts of the data center -- virtual servers, networks and storage -- the emerging market for cloud security orchestration may face more cultural adoption challenges than technical ones.

Even if the market were flush with tools to fully orchestrate security policy changes and controls, not all cloud providers would be willing to take a hands-free approach to securing customers' cloud environments -- despite the inefficiencies. Not yet, at least. 

"It's maybe the touchiest topic within any data center," said an IT research director who works in the Innovation Center of a large global telecom company that offers cloud services, and who spoke on the condition of anonymity. "I think there's a feeling that people still want to look at a specific configuration and have a set of eyes on it before it's applied on any device … but you could argue that was true for servers at one point."

Whether the bias is fair or not, some elements of cloud service delivery are more equal than others. Cloud providers go to great lengths to ensure optimal performance and availability, of course, but an orchestration hiccup affecting either area has far less dire consequences than one that affects security. A misconfiguration in an orchestration layer that results in downtime would likely produce some disgruntled tweets and compensation for violating service-level agreements, but an error that leads to a major security breach could snowball into a public relations nightmare and probably litigation.

"People talk about cloud computing and being able to do things seamlessly from start to finish, but security becomes this part where people still say, 'We're going to do this manually,'" the service provider IT research director said.

In the world of dynamic resources and advanced persistent threats, however, security policy change and management may be the area most in need of a new kind of orchestration software, according to officials at NetCitadel, a Silicon Valley startup that recently came out of stealth mode and bills itself as a "software-defined security" player.

"We have an increased volume of changes [to respond to new threats] and a demand for doing things faster, and people are realizing their current, manual-based processes just can't keep up," said Mike Horn, CEO of NetCitadel, which simultaneously announced the launch of its first product, a security orchestration controller called OneControl.

Although the market for cloud security orchestration software is still developing, startups don't yet have it cornered. Early last year, security giant Symantec announced a partnership with VMware that resulted in several new orchestration functions for virtualized environments. One of the features integrated Symantec's Data Loss Prevention software with VMware's vShield product to discover sensitive data in virtual data centers and automatically quarantine virtual machines that violated security policies. In September 2012, VMware released the vCenter Orchestrator plug-in for vCloud Director 5.1, adding some security orchestration features to its cloud platform.

Cloud security orchestration software attacks 'inefficiencies'

NetCitadel's OneControl virtual appliance, which is being marketed to both enterprises and cloud providers, takes a cue from the architecture of software-defined networking (SDN), moving the security intelligence to a centralized controller, Horn said. In addition to improving the speed of provisioning, the goal is also to eliminate human error, he said.

NetCitadel's security orchestration software automatically coordinates and executes the following functions:

  • Detection of new resources or policies;
  • Analysis of how those changes affect security devices;
  • Creation of new configuration updates that adapt to those changes; and
  • Simultaneous, instant deployment of updates on a large scale.

Providers can also create and define reusable "objects" that represent a network, server or service to be reconfigured dynamically based on "contextual" information about applications and workloads, rather than static policies tied to specific virtual local area networks (VLANs). 
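The four-step loop above (detect new resources, analyze their effect on security devices, generate configuration updates, deploy them) and the idea of reusable, context-driven "objects" can be illustrated with a small reconciliation controller. The following Python is an added example written for this article; it is not NetCitadel's OneControl or any of its code. It assumes a constructed inventory in which workloads carry tags, a policy object that grants access to every host carrying a tag (rather than to a VLAN), two constructed devices (an iptables host and a Cisco ASA), an iptables FORWARD chain and an ASA access list named ORCH as rendering targets, and a "push" that is only simulated by updating each device's recorded rule set. The audit trail it returns is the kind of record the automated-audit features mentioned later in the article would keep.

```python
"""Toy security-orchestration loop: detect, analyze, generate, deploy, audit.
Illustrative example only (not NetCitadel's product); inventory, devices and
policy objects below are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One vendor-neutral firewall rule; each device renders it in its own syntax."""
    action: str   # "permit" or "deny"
    proto: str    # "tcp" or "udp"
    src: str      # source CIDR
    dst: str      # destination CIDR (a single host as /32)
    port: int     # destination port


@dataclass(frozen=True)
class ServiceObject:
    """Reusable object: a service identified by workload tag and port, not by
    VLAN. Its member hosts are resolved from the inventory on every run."""
    name: str
    tag: str
    proto: str
    port: int
    allowed_from: Tuple[str, ...]   # source CIDRs permitted to reach members


@dataclass
class Device:
    name: str
    vendor: str                                      # "iptables" or "asa"
    current: Set[Rule] = field(default_factory=set)  # rules enforced right now


def detect_new_resources(previous: List[dict], inventory: List[dict]) -> List[dict]:
    """Step 1: resources present now that were absent from the last snapshot."""
    seen = {r["name"] for r in previous}
    return [r for r in inventory if r["name"] not in seen]


def desired_rules(inventory: List[dict], objects: List[ServiceObject]) -> Set[Rule]:
    """Step 2: expand every policy object against the current inventory."""
    rules = set()
    for obj in objects:
        for host in inventory:
            if obj.tag in host["tags"]:
                for src in obj.allowed_from:
                    rules.add(Rule("permit", obj.proto, src, f'{host["ip"]}/32', obj.port))
    return rules


def _asa_addr(cidr: str) -> str:
    """ASA ACLs take 'host A.B.C.D' or 'network mask' rather than CIDR notation."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def render(device: Device, rule: Rule, remove: bool) -> str:
    """Step 3: turn one neutral rule into a vendor-specific command."""
    if device.vendor == "iptables":
        flag = "-D" if remove else "-A"
        target = "ACCEPT" if rule.action == "permit" else "DROP"
        return (f"iptables {flag} FORWARD -p {rule.proto} -s {rule.src} "
                f"-d {rule.dst} --dport {rule.port} -j {target}")
    if device.vendor == "asa":
        prefix = "no " if remove else ""
        return (f"{prefix}access-list ORCH extended {rule.action} {rule.proto} "
                f"{_asa_addr(rule.src)} {_asa_addr(rule.dst)} eq {rule.port}")
    raise ValueError(f"unsupported vendor: {device.vendor}")


def reconcile(previous: List[dict], inventory: List[dict],
              objects: List[ServiceObject], devices: List[Device]) -> dict:
    """Run the whole loop once; returns new resources and an audit trail.
    Only the delta between desired and current state is pushed (step 4),
    so a second run with no changes produces no commands."""
    new = detect_new_resources(previous, inventory)
    desired = desired_rules(inventory, objects)
    audit = []
    for dev in devices:
        for rule in sorted(dev.current - desired, key=str):   # stale rules first
            audit.append({"device": dev.name, "op": "remove", "cmd": render(dev, rule, True)})
        for rule in sorted(desired - dev.current, key=str):
            audit.append({"device": dev.name, "op": "add", "cmd": render(dev, rule, False)})
        dev.current = set(desired)   # simulated push: device now enforces the desired set
    return {"new_resources": [r["name"] for r in new], "audit": audit}


# Constructed sample data: web-2 just appeared; edge-fw already knows web-1, core-asa knows nothing.
WEB1 = Rule("permit", "tcp", "10.0.0.0/24", "10.1.2.10/32", 443)
PREVIOUS = [{"name": "web-1", "ip": "10.1.2.10", "tags": {"web"}}]
INVENTORY = PREVIOUS + [{"name": "web-2", "ip": "10.1.2.11", "tags": {"web"}}]
OBJECTS = [ServiceObject("https-web", "web", "tcp", 443, ("10.0.0.0/24",))]
DEVICES = [Device("edge-fw", "iptables", {WEB1}), Device("core-asa", "asa")]
RESULT = reconcile(PREVIOUS, INVENTORY, OBJECTS, DEVICES)

if __name__ == "__main__":
    print("new resources:", RESULT["new_resources"])
    for entry in RESULT["audit"]:
        print(f'{entry["device"]:9} {entry["op"]:6} {entry["cmd"]}')
```

The point of the structure is that the policy object never names an address: the hosts it protects are discovered from the inventory, so a newly provisioned tagged workload gets its rules without anyone editing a device, and the set difference keeps every push minimal and idempotent. Real devices would receive the rendered commands over their management interface and the rules should be read back to confirm what was applied, which is the step a human reviewer is most reluctant to hand over.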

The controller is designed to be vendor-neutral, but it currently supports only Cisco Systems' IOS and ASA firewalls, Juniper Networks' SRX and SSG gateways, and Linux iptables-based firewalls in VMware or Amazon Web Services environments. The company plans to add support for more security vendors and cloud platforms, including OpenStack, Horn said.   

"We built our own language to enact security policies, and the reason we've done that is there's no universal policy language that relates to all the various [vendors'] security devices," said Anthony James, vice president of product marketing at NetCitadel, adding that the controller can scale up to hundreds of thousands of devices.

The IT research director at the global telecom provider has been testing OneControl to see how it can complement the company's SDN strategy -- a major area of focus, he said. Among the controller's more impressive features are faster provisioning, multi-vendor support, improved security policy management and automated audit trails, he added, requesting anonymity because he could not speak publicly about the product while his company was still testing it.

"Because [the cloud is a] multi-tenant environment, there is a mix of virtual and physical firewalls, and there are layers of them sometimes," he said. "If you're able to create a path across all those layers … that is really going to be a big plus for any cloud services provider."

Although he has tested OneControl in "fairly limited" use cases, the product so far "does what they claim it does," he added. He would like to see a more complete picture of how it could integrate with SDN technology, but already sees the security orchestration software's potential and is confident that providers will eventually overcome their skepticism over security automation.

"Here's another inefficiency in the data center that's going to be eaten away by software," he said.

Cloud providers are more likely to use OneControl to orchestrate their own security devices, NetCitadel's Horn said, but the controller has other use cases. It can also be used in hybrid cloud scenarios to function as a "link" between the customer's and provider's environments, automatically synchronizing any changes on one side with the other, James said.

The software license, which starts at $25,000 for up to 25 security devices, requires the licensing of additional software "modules" for virtualization and cloud environments -- each starting at $5,000. Software licensing is available as an annual term subscription and is based on the number of supported security devices.

Let us know what you think about the story; email: Jessica Scarpati, site editor.

1 comment

The issue for me isn't one of whether SPs (and enterprises, for that matter) should trust solutions like this.

The issue is quite how they think they will achieve even close to security compliance without some degree of automation, orchestration and thinking about security in this era of workloads being incredibly dynamic and flexible in their nature.

If the security cannot be handled at least semi-automatically, with discovery, threat detection, etc. as a constantly running process, and is left to rely on human input too much, that is a far bigger risk.

Tony Lucas