Powerful, innovative tools are increasingly emerging over the Internet based on various as-a-service models across diverse providers and technology stacks. An emerging requirement for security, policy, and identity tools is to be able to run consistently across diverse and fast-changing services composed from multi-technology offerings.
I’m going to tell you which of the many competing IT models is going to be the big winner as the next wave of enterprise IT is enabled by a generation of software-defined solutions. Is it containers, virtual machines, open source, proprietary, public cloud, hybrid cloud, serverless, or hyperconverged? The answer is: all of the above. Enterprise IT wants to adopt new innovations and must continue to support existing infrastructure. It needs a constellation of overlapping, redundant, network-connected, as-a-service providers to round out the modern IT tool palette. Today the fundamental security relationships and enforcement technologies exist within the specific cloud/OS/hypervisor frameworks being deployed, and as a result there is no interoperability or consistency of identity, role-based capabilities, group membership, resource sharing, service connections, etc., across the silos of disparate technology platforms being used simultaneously.
For example, assume the following modest goals for an enterprise:
- Wants to use multiple public container providers for cost, availability, and compartmentalization diversity
- Wants to ensure the smallest possible attack surface
- Wants infrastructure transparent to users
- Needs to minimize errors and recurring admin cost
- Needs to support massive scale
Using only the services and application programming interfaces (APIs) available from the public cloud providers, this is currently not possible. The problem is that the security, identity, and policy “features” are provider specific, and supporting the APIs of multiple providers is a complex combinatorial challenge for an individual enterprise.
It is essentially impossible to do a comprehensive end-to-end security audit, for example, across all of these diverse technology silos using the current set of tools.
For example, one could make an investment in securing applications using the Amazon Web Services (AWS) Identity and Access Management (IAM) APIs, only to find that there is no API-compatible service available on Azure. There is essentially zero reuse of the original investment because integration will be required with Azure’s Active Directory service and APIs. Furthermore, non-Windows applications within Azure may require other types of integration to reliably interoperate with their own assumptions about what the native identity and access tools are. Yes, there are emerging platform-agnostic solutions for identity and access, but they are not nearly ubiquitous. Also, there are no similar integrating solutions for other aspects of security and control. Ultimately the “right” solution appears to be creating a platform-agnostic layer of enterprise security and privacy tools that transparently allows dynamic movement among providers who sit lower in the stack. The strategy here is to avoid the provider and technology lock-in inherent in using proprietary APIs for higher-level services. Use public providers only for the mature, commodity services that are fungible.
There is a huge and classic opportunity to deliver a solution that provides needed enterprise policy enforcement across a diverse and ever-changing landscape of infrastructure technology cleverness.
Investors have recognized this area for innovation and are sponsoring a new class of startups that can provide some automation and abstraction across this broad landscape. Just as VMware and hypervisors revolutionized the practices of IT providers and kept the center of power within the application team, rather than the infrastructure operating team, there is an opportunity to provide a new virtualization layer to keep proprietary and confidential enterprise controls separate from the providers of physical, virtual, micro-segmented, and compartmentalized services.
In the early days, there were two primary approaches being pursued to realize some kind of portability across increasingly diverse and differentiated providers of network-connected resources. One class of solutions is based on embedding the security and policy tools within the application/service instances in a way that allows them to be heterogeneous and multi-provider. Runtime application self-protection (RASP) is the acronym used to describe this class of solutions. In this architecture, the security/policy features become part of the distributed application itself, and the vendors provide multiple language bindings and drivers to allow easy integration on a per-application basis. The other primary approach is based on providing a portable layer adapted to multiple execution environments (hypervisors, container schemes, serverless, etc.). In this approach, the framework “wraps” distributed applications that are designed to run as singletons and are completely unaware of the value-added framework supporting scale-up, scale-down, auto-healing, load-balancing, and more. The class of new ventures exploring the RASP-style application-embedded tooling includes companies like Contrast Security, Signal Sciences, and tCell. The platform-adaptation class of solutions is being promoted by emerging ventures such as vArmour, Illumio, and NanoSec. NanoSec Founder and CEO Vishwas Manral shared with me that “control of security and privacy must be kept in the hands of enterprise operators and platform adaptation is the only scalable way to make it available consistently across all the systems in a modern IT shop.”
The migration from servers as pets to composable application services from the public Internet will be as long and complicated as it is inevitable, and it’s not yet clear what the individual steps will look like. However, it is a safe bet that no single technology will win and that the ability to dynamically adopt and migrate across the evolving service APIs will be critical to attaining the agility needed for the accelerating network-based services ecosystem. For this reason, we should expect to see a major new category of enterprise security software solutions emerge to allow the desirable diversification and consistency across providers, while allowing the enterprise to have complete ownership and ultimate control over the policies and behaviors that are enforced against connected systems.