What Software-Defined Security Could Mean for the Channel

The IT industry is entering the era of software-defined infrastructure, starting with software-defined networks (SDNs). SDNs were quickly followed by the emergence of software-defined storage (SDS)—which, together with SDNs, are the foundation for the software-defined data center.

Given those advances, it’s only a matter of time before the industry sees the emergence of software-defined security (SDS)—a technology whose time has come, the folks at the Cloud Security Alliance (CSA) say.

“We think software-defined security is now quite feasible and very necessary,” said Junaid Islam, founder of Vidder, a provider of a cloud-based service for securing network perimeters. “This approach would both lower costs and be more secure.”

To turn that vision into a reality, the CSA has launched the Software Defined Perimeter project, which is being spearheaded by Bob Flores, the former CTO of the CIA who is now CEO of Applicology, an IT consulting firm.

SDS would be more secure because many breaches are a direct result of misconfigurations of security products. The technology would set the stage for not only managing those devices at a higher level of abstraction, but also for automating the management of those devices via the cloud.

CSA wants to first work with vendors to create a reference architecture for SDS at the network perimeter level and then extend the reach of that architecture to cover other areas of security in multiple phases. In the meantime, CSA plans to develop a road map outlining the various stages of the Software Defined Perimeter project that will be completed over the coming year.

As is often the case with that level of disruptive IT innovation, the rise of SDS would represent both peril and opportunity for solution providers in the channel. On the plus side, SDS would make it simpler and less time-consuming to deploy security products and services.

The downside of SDS, however, may come in two forms. On one level, it would make it a lot easier for more solution providers to manage and deploy security as a service. Ultimately, that level of increased competition would drive pricing for what are usually seen as high-margin security services. Perhaps even more troubling for existing providers of managed security services is the whole notion that security management will simply become a feature of the larger software-defined data center.

The issue that solution providers will have to navigate is how willing customers will be to continue to manage security as a distinct discipline. It’s tempting to reduce the cost of IT by slip-streaming the management of security within a larger IT management framework. But when organizations do that, solution providers point out, the inherent conflicts of interest that occur when security is managed by the IT management team: The same people deploying IT in the first place become the ones responsible for vouching for its security.

It will still take time for this vision of software-defined IT infrastructure to become a universal reality. As it is, multiple competing technologies are emerging for the software-defined data center, and no agreement is in sight as to what approach to SDN or SDS may actually become the de facto standard. The result is that solution providers have a lot of time to adjust their disparate practices to the eventual emergence of software-defined infrastructure that one day will lead to the convergence of systems, network, storage and security management.

“There’s a lot of experimentation going on in terms of managing infrastructure at a higher level of abstraction,” said Nicola Morini Bianzion, managing director for SAP solutions at Accenture. “But I think it’s going to be more than a year before we see these solutions being actually deployed.”

Michael Vizard has been covering IT issues in the enterprise for 25 years as an editor and columnist for publications such as InfoWorld, eWEEK, Baseline, CRN, ComputerWorld and Digital Review.