Intent-Based Security Gains Momentum at RSA

Craig Matsumoto, February 17, 2017, 8:41 am PT

SAN FRANCISCO — It isn’t a buzzphrase on par with “artificial intelligence” yet, but intent-based security has been gathering steam, as evidenced at this week’s RSA Conference.

Startups such as Illumio, Twistlock, and vArmour have staked their plans on intent-based security, and at least one established player, Fortinet, is steering its portfolio in that direction.


What they’re talking about is the same concept of “intent” that’s being applied in software-defined networking (SDN) circles. Also known as the declarative model, intent is a way to simplify and automate network operations. It lets operators use normal language to tell the network what they want, leaving the network devices to configure themselves accordingly.

This would represent “the next step past SDN, where all the orchestration and policy is in place, but you can speak business language to the Fabric,” says John Maddison, Fortinet’s senior vice president of products. (He’s referring to the Fortinet Security Fabric, a combination of the company’s security products.)

But intent-based security isn’t quite the same as intent-based networking. Security differs from networking, in that “the security system really cares about the full state of a connection for its entire existence,” says Marc Woolward, CTO of vArmour.

Illumio got the jump on RSA, announcing in January the ability to tweak access control lists (ACLs) in Cisco and Arista switches and to support security groups in Amazon Web Services (AWS) and Microsoft Azure.

Here’s some of the other intent-based talk that was going around at the conference.

Fortinet’s Future Fabric

Fortinet, which has a broad portfolio and an installed base to deal with, plans to develop intent-based security in stages. “It’s going to take us a few years to get there even in a simplistic way, but we’ll get there,” Maddison said.

That timeframe comes partly from Fortinet’s ambition; its plans include creating the business language for communicating with the business architecture.

That would be the final step. For now, Fortinet has taken the initial step of improving network visualization. The FortiOS 5.6 software release, announced in January, lets operators see how elements such as switches, firewalls, and email systems are interconnected. It can also recommend changes; it might spot a node that’s out of compliance with regulatory rules, for instance.

Fortinet is also building APIs to include other vendors’ gear in FortiOS’ visualization capabilities, creating a more thorough picture of an enterprise’s security landscape.

Maddison said the next step would be to build in some automation — the ability to apply a policy that distributes itself across the fabric. After that, the company hopes to develop the language for communicating intent to the infrastructure.

vArmour’s Calculator

Other vendors have already begun developing automation for their intent-based architectures. That’s the case with vArmour, which has a couple of years’ worth of experience shipping its Distributed Security System (DSS), which applies microsegmentation to the network and enforces the appropriate policies.

The company was recently awarded a patent for a way to link containers to a predefined set of security templates, so that containers could be created with security policies attached. That should make it simpler to apply policy to microservices even as those services change, Woolward said.

Going a step further, vArmour has been working on a way to compute policies based on what’s been happening in the network. It’s not unique; Illumio can do this, as can Cisco with its Tetration product, Woolward says.

By observing a sample of network activity, vArmour can figure out what’s there — it can tell which node is a web server or a database, for instance — and build graphs of the rules being applied in that environment. From there, vArmour calculates zero-trust policies for the network. (This compares particularly well with Tetration, Woolward says, because the graph is lightweight, whereas Tetration records all activity in the network.)

It’s a machine-learning process, and it’s not perfect. A lot depends on the timing of DSS’ network scan; it might not notice the existence of standby servers, for instance. It’s meant to create a policy for humans to check.

This policy calculator returns a numeric rating for the network’s security and can update that number in response to tweaks, letting developers try out what-if scenarios. That can be a motivator. “As soon as you publish your code coverage numbers to developers, the numbers go up. Human nature, right?” Woolward says.
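To make the workflow described above concrete, here is an added Python sketch; it is not vArmour's code and does not reproduce the DSS algorithm. It assumes a constructed sample of observed flows, a hypothetical port-to-role table for the "which node is a web server or a database" step, an allowlist built from the distinct flows that were seen, and a deliberately simple score (the share of host pairs that end up with no allow rule). It also shows the caveat from the text: a standby server that never sent traffic during the sample is absent from the policy, so its first flow shows up as a violation for a human to review.

```python
"""Derive a least-privilege allowlist from observed flows and score it (illustrative, added example)."""
from collections import defaultdict

# Constructed sample of observed flows as (src, dst, dst_port). Not real traffic.
SAMPLE_FLOWS = [
    ("lb-1", "web-1", 443),
    ("lb-1", "web-2", 443),
    ("web-1", "db-1", 3306),
    ("web-2", "db-1", 3306),
    ("web-1", "db-1", 3306),   # repeated flow; collapses into one rule
    ("admin-1", "db-1", 22),
]

# Hypothetical mapping from listening port to inferred role (an assumption, not a standard).
ROLE_BY_PORT = {443: "web server", 80: "web server", 3306: "database", 5432: "database", 22: "ssh target"}


def infer_roles(flows):
    """Guess each destination's role from the ports it accepts connections on."""
    roles = defaultdict(set)
    for _, dst, port in flows:
        roles[dst].add(ROLE_BY_PORT.get(port, f"service on {port}"))
    return {host: sorted(r) for host, r in roles.items()}


def compute_policy(flows):
    """Every distinct (src, dst, port) seen becomes an allow rule; anything else is denied."""
    return sorted(set(flows))


def hosts_of(flows):
    """All hosts that appeared as a source or destination in the sample."""
    return sorted({h for s, d, _ in flows for h in (s, d)})


def score_policy(policy, hosts):
    """Percentage of directed host pairs with no allow rule at all (higher = tighter)."""
    allowed_pairs = {(s, d) for s, d, _ in policy}
    total_pairs = len(hosts) * (len(hosts) - 1)
    return round(100 * (1 - len(allowed_pairs) / total_pairs), 1)


def what_if(policy, hosts, extra_rule):
    """Return (score before, score after) adding one rule, for a what-if comparison."""
    new_policy = sorted(set(policy) | {extra_rule})
    return score_policy(policy, hosts), score_policy(new_policy, hosts)


def violations(policy, new_flows):
    """Flows that the computed policy would deny; e.g. a standby server missed by the sample."""
    allowed = set(policy)
    return [f for f in new_flows if f not in allowed]


if __name__ == "__main__":
    policy = compute_policy(SAMPLE_FLOWS)
    hosts = hosts_of(SAMPLE_FLOWS)
    print("roles:", infer_roles(SAMPLE_FLOWS))
    print("rules:", policy)
    print("score:", score_policy(policy, hosts))
    print("what-if admin-1 -> web-1:22:", what_if(policy, hosts, ("admin-1", "web-1", 22)))
    # Constructed later flow from a standby database that was idle during the sample.
    print("violations:", violations(policy, [("web-1", "db-standby", 3306)]))
```

The scoring metric is the assumption to question first: counting denied host pairs rewards any reduction in reachability, so a reviewer should still read the generated rules rather than chase the number.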

Containers and Intent

Intent-based security is also the latest obsession of Ben Bernstein, CEO of container-security startup Twistlock.

Intent and containers are a natural fit, because containers, which house an application along with dependencies such as libraries, “know exactly what processes they’ll be running,” he says. “We can look for what the developer meant to run.”

Security could, for instance, build a whitelist of permitted activities “based on what we can tell from the design” of the application, Bernstein says. For example, if a container includes Ubuntu, MongoDB, and configuration code, it’s probably hosting a database.

Even if a container isn’t built from pieces — if the application inside was freshly written — the container format tends to make it easier to discern the developer’s intent. Simplicity is a factor here; containers are meant to be immutable, and they leave out functions such as DNS that are important but aren’t directly part of the application, Bernstein notes.
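The idea Bernstein describes, reading the developer's intent off what the container contains and then allowlisting only that, can be sketched as follows. This is an added example, not Twistlock's code. It assumes a constructed image description (base, packages, entrypoint), a hypothetical package-to-process table, and constructed runtime observations; the audit then reports any process the image's design never called for.

```python
"""Build a process allowlist from a container image's contents and audit runtime against it (added example)."""

# Hypothetical mapping from installed package to the processes it is expected to run.
PROCESSES_BY_PACKAGE = {
    "mongodb-server": {"mongod"},
    "nginx": {"nginx"},
    "python3": {"python3"},
}
# Packages whose presence suggests the container's role is a database (assumption, illustrative).
DATABASE_PACKAGES = {"mongodb-server", "postgresql", "mysql-server"}

# Constructed image description, standing in for metadata an image scanner would extract.
SAMPLE_IMAGE = {
    "base": "ubuntu",
    "packages": ["mongodb-server", "python3"],
    "entrypoint": ["python3", "/app/server.py"],
}

# Constructed runtime observations as (pid, process name, parent process name).
SAMPLE_RUNTIME = [
    (1, "python3", None),
    (12, "mongod", "python3"),
    (30, "bash", "python3"),   # not part of the image's declared design
    (31, "curl", "bash"),      # neither is this
]


def infer_role(image):
    """Coarse role guess from the packages, in the spirit of 'Ubuntu + MongoDB + config = database'."""
    if set(image["packages"]) & DATABASE_PACKAGES:
        return "database"
    if "nginx" in image["packages"]:
        return "web server"
    return "unknown"


def build_allowlist(image):
    """The entrypoint binary plus whatever the installed packages are expected to execute."""
    allowed = {image["entrypoint"][0]}
    for pkg in image["packages"]:
        allowed |= PROCESSES_BY_PACKAGE.get(pkg, set())
    return allowed


def audit(runtime, allowlist):
    """Return a finding for each observed process that the allowlist does not cover."""
    findings = []
    for pid, name, parent in runtime:
        if name not in allowlist:
            findings.append(f"pid {pid}: {name} (parent {parent}) not in allowlist")
    return findings


if __name__ == "__main__":
    allowlist = build_allowlist(SAMPLE_IMAGE)
    print("role:", infer_role(SAMPLE_IMAGE))
    print("allowlist:", sorted(allowlist))
    for finding in audit(SAMPLE_RUNTIME, allowlist):
        print("finding:", finding)
```

Because the allowlist is derived from the image rather than learned from traffic, an immutable container makes it stable: a process outside the list is a deviation from the declared design, whatever its cause, and is worth a human look.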

More generally, Bernstein sees the rise of intent-based security and networking as a logical next step for the cloud. The public cloud is already declarative as far as developers are concerned; they ask AWS or any other provider for CPUs and storage, and they get it, without having to muck with configuration details.

It’s a declarative model that Bernstein sees spreading as the cloud’s role grows.

“Developer is cloud. I believe developer and the cloud will become one and the same,” Bernstein says.


About Craig Matsumoto

Craig Matsumoto is managing editor at SDxCentral.com, responsible for the site's content and for covering news. He is a "veteran" of the SDN scene, having started covering it way back in 2010, and his background in technology journalism goes back to 1994. Craig is based in Silicon Valley. He can be reached at craig@sdxcentral.com.

Comments

  1. Steve Chalmers says

    February 17, 2017 at 3:00 pm

    Hmmm…instead of traditional networking in the data center, could we just populate white list forwarding tables (between containers, not just between systems) based on what the security model tells us?

