“My data center perimeter is eroding; cloud and SaaS have left gaping holes. Existing security and application delivery controls are becoming obsolete. Defense-in-depth is a thing of the past. Start over with new, unproven technologies… in the face of ever-increasing threats? Oh, and note to self: Update resumé before there’s a breach.”
Clouds present a quandary for Fortune 1000 IT managers. Business stakeholders demand agile application platforms, but data center governance – enforcing security, managing application delivery, and ensuring compliance – is paramount, and today’s defenses don’t readily lend themselves to cloud or SaaS (software-as-a-service).
Enterprises already have trusted data center governance, just not always where it is needed. It’s built with best-in-class solutions custom tailored to each enterprise’s unique requirements. As threats morphed, new technologies were added, layering upon previous defenses. This strategy has succeeded for two decades, resulting in extreme brand loyalty for proven vendors and total aversion to replacing them. Must cloud and SaaS be its undoing?
The networking industry has responded in predictable ways. P2V (physical to virtual) rules the day, as it has since the dawn of virtualization. Physical servers beget virtual servers, physical switches beget virtual switches, physical to virtual firewalls, load balancers, and so on. But is this the promise of software-defined networking (SDN)? Recreating virtual versions of physical devices? Are we really building tomorrow’s networks with repackaged versions of yesterday’s technologies?
There is a better way. Cloud security and application delivery are actually switching problems. Existing data center governance needs to be extended around these new application platforms. But how is this possible, without re-implementing policy and distributing it everywhere? The answer lies in remembering what enabled software-based forwarding in the first place.
In the old days, as networking equipment evolved from simple hubs and repeaters, a new paradigm emerged: supervisory modules and linecards. Supervisory modules examined packet contents, then programmed linecards to do the switching. Linecards only had to know which packets to forward to the supervisor. Most traffic could be locally switched, enabling hardware performance with software flexibility.
Let’s explode that paradigm to macro scale. In the diagram below, think of the headquarters data center as a supervisory module. Service switching represents linecards, implemented as virtual machines or service overlays or software extensions in leaf/spine switches. The backplane connecting the two is the data center interconnect of hybrid clouds.
Service switching dissects flows, forwarding only certain packets through centralized governance. Like its hardware precursor, most traffic can be locally switched, maximizing user experience. The complexity of policy remains centralized at headquarters, but its effect is extended around new application platforms.
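To make the supervisor/linecard analogy concrete, here is an added toy model (not code from the original article or any vendor product) of the forwarding split the two paragraphs above describe. A central `Supervisor` holds the full governance policy; an edge `ServiceSwitch` keeps only a flow table, punts the first packet of any unknown flow to the supervisor, caches the returned action, and switches every later packet of that flow locally. The class names, the policy fields (`governed_prefixes`, `inspected_ports`, `blocked_ports`), and the sample traffic are all constructed assumptions for illustration.

```python
"""
Toy model of the "supervisor + linecard" pattern applied to service switching.

Added illustration only; not code from the original article. All names and
the sample packets below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Forwarding actions the edge can apply once the supervisor has programmed it.
LOCAL = "local"                # switch at the edge; traffic never leaves the site
VIA_HQ = "via_headquarters"    # hairpin through centralized governance controls
DROP = "drop"                  # policy forbids the flow entirely; drop at the edge


@dataclass(frozen=True)
class FlowKey:
    """5-tuple minus source port; frozen so it can be a dict key."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Supervisor:
    """Central governance: knows the whole policy and programs the edge."""
    governed_prefixes: list   # destinations hosted behind HQ controls (assumed)
    inspected_ports: set      # application ports that must traverse HQ (assumed)
    blocked_ports: set        # ports policy never permits (assumed)
    decisions: int = 0        # how many flows actually reached the supervisor

    def classify(self, key: FlowKey) -> str:
        self.decisions += 1
        if key.dport in self.blocked_ports:
            return DROP
        dst = ip_address(key.dst)
        if any(dst in ip_network(p) for p in self.governed_prefixes):
            return VIA_HQ
        if key.dport in self.inspected_ports:
            return VIA_HQ
        return LOCAL


@dataclass
class ServiceSwitch:
    """Edge 'linecard': caches decisions and punts only on a table miss."""
    supervisor: Supervisor
    table: dict = field(default_factory=dict)
    stats: Counter = field(default_factory=Counter)

    def handle(self, key: FlowKey) -> str:
        action = self.table.get(key)
        if action is None:
            # Table miss: only the first packet of a flow reaches headquarters.
            action = self.supervisor.classify(key)
            self.table[key] = action
            self.stats["punted"] += 1
        else:
            self.stats["hit"] += 1
        self.stats[action] += 1
        return action


def run_demo():
    """Replay constructed sample traffic and return (edge stats, supervisor decisions)."""
    sup = Supervisor(governed_prefixes=["10.0.0.0/8"],
                     inspected_ports={3306},
                     blocked_ports={23})
    edge = ServiceSwitch(supervisor=sup)
    # Constructed sample traffic: (flow, number of packets in that flow).
    traffic = [
        (FlowKey("192.168.1.10", "192.168.1.20", "tcp", 443), 5),   # local
        (FlowKey("192.168.1.10", "10.1.2.3", "tcp", 443), 3),       # via HQ (prefix)
        (FlowKey("192.168.1.11", "192.168.1.30", "tcp", 3306), 2),  # via HQ (port)
        (FlowKey("192.168.1.12", "192.168.1.20", "tcp", 23), 1),    # dropped
    ]
    for key, count in traffic:
        for _ in range(count):
            edge.handle(key)
    return dict(edge.stats), sup.decisions


if __name__ == "__main__":
    stats, decisions = run_demo()
    print(f"supervisor decisions: {decisions}")
    print(f"edge stats: {stats}")
```

With the sample traffic, 11 packets cross the edge but only 4 (one per flow) ever reach the supervisor; the remaining 7 are switched from the cached table. The model deliberately omits what a real deployment would need to add: table entries should age out or be revoked when policy changes, and a `DROP` decision should still be logged centrally so that blocked flows remain visible to the security team even though they never traverse headquarters.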
Imagine if applications could be deployed near users, on demand, with full enterprise governance. Imagine SaaS secured as if it were inside the enterprise perimeter, public clouds forwarding identically to enterprise data centers, and so-called “integrated” systems that likewise need no appliances. The possibilities are endless. Enterprise data centers truly become virtual, not limited to a facility, but instead serving content from anywhere.
New types of switching have always enabled application evolution. The move from mainframe to client/server required Ethernet switching, as users grew to divisions or whole companies. Richer content forced multiple tiers of servers, driving IP switching from aggregation to edge. Service switching can overcome today’s challenges, leveraging in-place governance with new delivery models.
The essence of SDN is to decouple control from data and centralize its function. Service switching’s control plane is enterprise governance – not just the equipment, but also people and processes. This is not to imply that all security and application delivery should be centralized, any more than it should be fully distributed. A hybrid approach is needed, with distribution to scale, elasticity for resilience, and continuity as leverage. This last point is crucial; any innovation had best not be discontinuous. Otherwise, be ready for the long haul and have very deep pockets. Enterprises usually take a decade or more to replace proven governance technologies.