The Next Cloud Frontier: The Security Layer in the Stack?

Dave Shackleford

December 03, 2014

Based on what we’re seeing with organizations implementing heavily virtualized infrastructure, followed by private clouds, hybrid clouds, and all things in-between, it’s a logical conclusion that IT organizations are moving toward a Software-Defined Data Center (SDDC).

What exactly is a software-defined data center?

In my last two posts in this series, I've covered hardware abstraction and virtualization, and new technologies like software-defined networking, where the data and control planes are separated. Organizations are now extrapolating this to the entirety of the data center environment: everything is virtualized and abstracted.



Storage, networking, applications, servers, and more are now hosted and facilitated by hypervisors, which leads to some new concepts we have to weigh in making design and security decisions:

  • Everything is now linked to the hypervisor(s). Rather than just being a central technology in consolidation and basic private cloud architecture, the hypervisor is now functionally linked to every other technology in the entire data center. For this reason, it’s critical to ensure hypervisor security is in place at all times, and planned adequately during the initial design phases.
  • Automation is a core element of the SDDC. Automation tools are used to configure and monitor hardware, as well as all aspects of the virtualized technologies in use within the SDDC. Once automation tools become a critical element of how your entire data center operates, the risk profile for these tools changes significantly: whoever controls the automation platform, or holds its credentials, can reconfigure every system it manages.
  • Orchestration allows policy definitions to drive the implementation of automated resource provisioning and management. Security and orchestration haven’t been hanging out at the same parties to date, which means that very few security controls work with orchestration tools and frameworks, or adequately address the entirety of automated and orchestrated workflows throughout asset lifecycles.
  • Everything's connected. It may be difficult, if not impossible, to extricate one set of controls and functions from another, which may lead to failure scenarios where updating one component causes interoperability or other issues with different components. For example, if a virtual storage fabric or switch is updated, this may have performance or compatibility impacts on the hypervisor or virtual networking elements.
  • More and more security products will be software, too. As discussed previously, that means that security controls will now require resources in the shared hardware environment, and availability and redundancy are now front and center for security and operations teams to discuss when planning to implement controls.
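
To make the orchestration and hypervisor points above concrete, here is an added example (not from the original post, and not any vendor's tooling) of a security control that sits inside an orchestrated workflow rather than beside it: a policy-as-code admission check that an orchestrator would call before provisioning a workload. The request format, hypervisor inventory, build-number baseline, management port list and role names are all assumptions constructed for illustration.

```python
"""Policy-driven admission check for an orchestrated provisioning request.

Added example. The orchestrator hook, inventory, request format and policy
rules are hypothetical constructs built for illustration, not a vendor API.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed policy parameters.
MANAGEMENT_PORTS = {22, 443, 902, 3389}   # ports we never expose broadly
MIN_HYPERVISOR_BUILD = 2014120            # assumed patch baseline (arbitrary)
MAX_EXPOSED_PREFIX_SIZE = 256             # widest source range allowed for mgmt ports

# Constructed hypervisor inventory: build number plus the zones each host may run.
INVENTORY = {
    "hv-01": {"build": 2014120, "zones": {"general"}},
    "hv-02": {"build": 2013090, "zones": {"general", "pci"}},   # unpatched host
    "hv-03": {"build": 2014120, "zones": {"pci"}},
}


@dataclass
class Request:
    """A provisioning request as the (hypothetical) orchestrator would pass it."""
    name: str
    zone: str                      # workload zone, e.g. "general" or "pci"
    host: str                      # target hypervisor
    requester_roles: set
    inbound_rules: list = field(default_factory=list)   # (source_cidr, port)


def check_hypervisor_patched(req, inventory):
    """Refuse placement on a hypervisor below the patch baseline."""
    host = inventory.get(req.host)
    if host is None:
        return [f"unknown hypervisor {req.host}"]
    if host["build"] < MIN_HYPERVISOR_BUILD:
        return [f"{req.host} build {host['build']} is below baseline {MIN_HYPERVISOR_BUILD}"]
    return []


def check_zone_placement(req, inventory):
    """A workload may only land on hosts approved for its zone."""
    host = inventory.get(req.host)
    if host is not None and req.zone not in host["zones"]:
        return [f"{req.host} is not approved for zone {req.zone}"]
    return []


def check_inbound_rules(req, inventory):
    """Management ports must not be reachable from wide source ranges."""
    violations = []
    for cidr, port in req.inbound_rules:
        net = ipaddress.ip_network(cidr, strict=False)
        if port in MANAGEMENT_PORTS and net.num_addresses > MAX_EXPOSED_PREFIX_SIZE:
            violations.append(f"management port {port} exposed to {cidr}")
    return violations


def check_requester(req, inventory):
    """The requester needs an explicit role for the target zone."""
    needed = f"provision:{req.zone}"
    if needed not in req.requester_roles:
        return [f"requester lacks role {needed}"]
    return []


POLICIES = [check_hypervisor_patched, check_zone_placement,
            check_inbound_rules, check_requester]


def admit(req, inventory=INVENTORY):
    """Orchestrator hook: returns (allowed, violations). Runs every policy so the
    requester sees all problems at once instead of one per retry."""
    violations = []
    for policy in POLICIES:
        violations.extend(policy(req, inventory))
    return (not violations, violations)


if __name__ == "__main__":
    good = Request("web-01", "pci", "hv-03", {"provision:pci"}, [("10.0.0.0/24", 443)])
    bad = Request("web-02", "pci", "hv-02", {"provision:general"}, [("0.0.0.0/0", 22)])
    for r in (good, bad):
        ok, why = admit(r)
        print(r.name, "ALLOW" if ok else "DENY", why)
```

The point of the example is where the check runs: it is invoked by the provisioning workflow itself, evaluates the hypervisor, the placement, the network exposure and the requester in one pass, and blocks the build before a single resource is allocated. A virtual appliance that inspects traffic after the workload is already running cannot do that.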

In a SDDC environment, should security simply be treated as another layer in a software stack? If so, where should it go?

There are many different ways to approach these questions, with different benefits and drawbacks depending on your perspective and particular needs and technologies.

First, there’s the new buzzword of the day, “Software-Defined Security” (SDS), which represents the use-case where security is now another virtualized asset or set of components, with traditional protection mechanisms and better integration with virtualized assets. Intrusion detection systems, anti-malware tools, firewalls and network access controls, and many other traditional security functions can now be virtualized and implemented in a virtual or cloud environment…but does this constitute “software-defined”? I’d say no, in fact it does not.

A true software-defined layer of the stack should enable agile IT operations, flexibility in meeting new and changing needs in the environment, and also tie into the overarching principles of automation and orchestration mentioned earlier. Most virtual security tools and appliances are simply virtual models of their former physical selves, with very few true adaptations that make them real, integrated layers of the data center software stack.

In the next, and final post in this series, I’ll cover a different approach, one that would create true Software Defined Security.




Dave Shackleford

Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the author of the Sybex book "Virtualization Security: Protecting Virtualized Environments", as well as the coauthor of "Hands-On Information Security" from Course Technology. Recently Dave coauthored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.
