Software-defined Security?

Security continues to be a major hurdle for server virtualization and cloud computing so we are likely to hear a lot of cybersecurity buzz coming out of VMworld this week.Leading up to the show, I’ve heard a few people pushing a new marketing term into the mix – Software-defined Security (SDS?). Now I certainly get why this term makes sense in terms of product branding. Software-defined Networking (SDN) is all the rage, especially after the Cisco ONE/COPE announcements along with the ridiculously over-priced Nicira acquisition by VMware. When the industry jumps on a concept, it’s natural for everyone to pile on so those attending VMworld should expect a fair amount of selling of the SDS term. I won’t be at the event this week, but I for one am not buying it. It’s not just that I’m getting older, cynical, and more conservative. I don’t like this new term because:• It doesn’t fit. In networking, SDN has a specific focus on making the network control plane programmable through APIs and protocols. OpenFlow goes even further by centralizing these functions through a server-based controller. Regardless of how you pull off SDN, you still need physical switches and ports that speak SDN. In other words, SDN is a new networking architecture, not just the movement of software from physical to virtual.• It ignores physical security technologies. Remember when Check Point firewalls were regularly hosted on Sun servers? When this became too complex and couldn’t scale, large organizations replaced venerable Sun boxes with network appliances. Yes, we will need virtual security technologies capable of tagging along with mobile workloads, but these controls must complement rather than replace existing physical safeguards.• Market realities trump marketing rhetoric. While the SDN buzz continues, the fact is that VMware’s $1.25 billion acquisition for Nicira was at least 10 times more than the entire SDN market. How big is the software-defined security market? Not very big at all.Aside from service providers, I don’t see a lot of adoption of virtual security technologies, even in large IT shops. Why? Few organizations are anywhere near the dynamic IT model of Amazon, Google, or Znyga, so they continue to rely on network segmentation (subnets, VLANs), physical server zones, and network security controls. In fact, network security vendors like Check Point, Crossbeam, and Juniper are selling lots of high-end multi-service network security boxes that support this model. The term Software-defined security is likely to get a lot of air cover this week and may even catch on with industry pundits and CMOs. Even if SDS gains media popularity, I recommend that vendors tone down the rhetoric when they speak with actual security professionals and CISOs. These folks want pragmatic solutions not marketing hype.