The SDN Journey Part 10 – Securing Software Defined Networks by Jim Metzler.
This is the tenth in a series of thirteen blogs that are designed to help IT organizations on their path to Software Defined Networking (SDN) adoption. This blog will discuss Securing Software Defined Networks.
There are two complementary ways to look at SDN and security. One of those ways is to look at what can be done to secure an SDN and the other way is to look at how SDN can enable IT organizations to implement better security. To better understand what can be done to secure an SDN I interviewed Mauricio Sanchez. Mauricio is the Director of Security, Standards and IP for HP’s Advanced Technology Group.
One of the questions I asked Mauricio was whether or not SDN represents significantly more risk than does a traditional network architecture. Mauricio stated that some people have taken a “sky is falling” mentality relative to the impact of SDN on security but that he doesn’t subscribe to that mentality. He suggested that people need to take a step back and look at security on a case-by-case basis and that the security of any network is influenced more by the security posture of the company implementing the network than it is by the network architecture.
I also asked Mauricio about the type of functionality that is HP providing to secure a software defined network. Mauricio said that HP’s philosophy is to build security into all of its products and that HP strives to ensure that the architecture and design of all of its products are secure from the day they are implemented. He added that while it is important for HP to embed security functionality such as the right encryption and the right authentication into their products, it is up to the customers to leverage that functionality.
In closing the interview I asked Mauricio to recommend best practices relative to securing networks – whether those networks are a traditional network or an SDN. Mauricio emphasized that implementing effective security is not just about implementing products but that it is also about implementing the appropriate processes. He concluded his comments by suggesting the IT organizations need to examine their current security related processes with the goal of identifying how they can improve those processes.