Is SDx the model for IT security?
Is this the year when software-defined anything (SDx) becomes the template for federal agency IT security? It’s been knocking at the door for a while, and the spending outlook for government IT in President Barack Obama’s recent budget proposals could finally be the opening it needs.
In calling for a 35 percent increase in cybersecurity spending to $19 billion, the White House also proposed a $3.1 billion revolving fund to upgrade legacy IT throughout the government. Venting his frustration, and no doubt that of many others in the administration and Congress, Obama talked about ancient Cobol software running Social Security systems, archaic IRS systems and other old, broken machines and software at federal agencies.
That’s not a new story. Agency IT managers will readily tell you about the problems they have with trying to maintain legacy technology and the way that sucks up funds and manpower. They say they have too little time to focus on what they feel their jobs are really about, which is delivering better services to their users.
Security is just one item among many they must address, but it’s become a much more urgent one after a 2015 that saw major breaches at the Office of Personnel Management and elsewhere. That point was driven home again this year when the IRS revealed that over 100,000 attempts using stolen Social Security numbers had succeeded in generating the personal identification numbers used by taxpayers to electronically file and pay taxes.
The revolving IT Modernization Fund in the White House budget proposal would pay for projects that will be prioritized based on the extent to which they lower the overall security risk of federal IT systems. The savings achieved by shifting to more cost-effective and scalable platforms will be recycled back into the fund.
Cost-effectiveness and scalability are among the main advantages that proponents put forward for SDx architectures, along with agility in response to security threats. As threats become more targeted, more sophisticated and more numerous, protecting networks gets more difficult. With IT staff overwhelmed by just the legacy systems they have to keep running, organizations face much greater risk of damage from those attacks.
By simplifying infrastructure management with the software overlay that software-defined networking (SDN) brings, IT and security managers get a much better way of identifying when they are being attacked and a faster and more focused way of responding.
In a poll conducted earlier last year, ESG Research identified a significant percentage of enterprise security professionals who said they would use SDN to address network security across a wide range of different scenarios.
Researchers at the Idaho National Lab have already developed a proof-of-concept that uses SDx to emulate the use and security of the laboratory’s business systems. It’s already delivered “amazing outcomes” and demonstrates how SDx can be used to improve security, repeatability of processes and consistency in results, they said.
The future will only bring more security challenges for government, as the Internet of Things takes hold. That will introduce thousands of new avenues that attackers will use to try to penetrate networks. Given the kind of benefits that the IoT is expected to bring to government organizations, the trick will be in securing networks without limiting the facility of IoT.
One approach that won’t work is simply throwing the solution du jour at the problem, which has been the traditional answer. Bolting on more point-to-point, single-purpose devices simply won’t scale fast enough to deal with vulnerabilities and will be too costly. Those devices are also themselves proving more vulnerable than people thought, with Cisco joining Juniper and Fortinet in the list of manufacturers whose advanced firewalls apparently suffer from potential software problems.
Right now, the only viable solution in this brave new world of security seems to be through some kind of software-defined approach. It’s not a silver bullet by any means, and it must be part of an overall approach to security. IT and security professionals must also be convinced that it will provide for the kind of subtleties and granularity needed to weed out modern threats.
If -- and in an election year, it’s a big if -- Obama’s budget proposals make headway in Congress, SDx could prove the best way to tackle the security problems that otherwise threaten to overwhelm government.
Posted by Brian Robinson on Feb 12, 2016 at 10:46 AM