Why security need not stifle agility
- Published: Friday, 03 April 2015 10:14
Many CIOs are struggling to realise the full benefits of their increasingly virtualized IT estates, largely due to the strains of staying secure. But Reuven Harrison says it doesn’t have to be this way...
Over the past decade, businesses have been virtualizing ever more of their IT architecture. At first, CIOs were primarily attracted by the huge efficiency improvements and reduced need for capital expenditure. But as cloud computing has evolved and matured, firms are increasingly eying the main prize: the potential to attain unparalleled levels of business agility.
Being able to deploy resources such as servers, storage and connectivity on demand, and scale them up (and down) at will, has resulted in IT departments shifting more and more systems and applications over to private and (to a lesser extent) public clouds. And as firms move inexorably towards a fully software-defined environment – where systems are not only virtualized, but every part of them can be managed, monitored, configured, optimised and secured centrally and automatically – virtual nirvana seems tantalisingly close.
But we’re not there yet. Large, established businesses still typically have a piecemeal legacy of business-critical systems. Clearly they can’t make a wholesale transition to a fully software-defined environment overnight. The ‘hybrid IT’ landscape that predominates today – where some technology is virtualized and some isn't – is likely to remain the norm for some time. It’s all very well being able to deploy a server in seconds, but what if this has to connect to a legacy database on a physical network that needs to be manually configured and secured? Inevitably, this is going to cause a bottleneck.
Indeed, many systems need to interconnect across a complex web of segmented networks, both virtual and physical. So the kind of bottleneck described above isn’t limited to the odd application – it’s a challenge that proliferates across the IT environment, continually putting the brakes on firms’ drive to attain the levels of agility they hoped virtualisation would deliver sooner rather than later.
And businesses are crying out for greater agility. They are demanding ever more changes to systems and applications, ever more frequently. CIOs desperately want to implement those changes at the speed the business seeks, but equally they have a requirement to minimise security risks, ensure sensitive information is adequately protected and guarantee the firm doesn’t break compliance requirements.
Furthermore, a single change to one application may well require numerous configuration changes to other systems and parts of the network. And as the size and complexity of systems and networks grows, so does the number of changes. Some larger organizations are faced with the daunting task of making hundreds of manual changes to IT systems every day – which is bound to increase the chances of human errors and omissions creeping in and compromising security or compliance. For an increasing number, then, manual configuration of systems is more than just a challenge: increasingly, it’s becoming impossible.
The risk of a serious attack is no idle threat, either. We see a growing number of stories in the press and online about dire breaches of customers’ personal or financial details, the theft of organizations’ intellectual property or attackers leaking internal emails and other operational documents in a bid to discredit or embarrass companies. And by 2020, analyst Gartner predicts that 30 percent of Global 2000 companies will have been directly compromised by an independent group of cyber activists or cyber criminals.
Firms that fall prey to serious attacks rarely fare well in the aftermath. Mistakes are laid bare and pored over by commentators. Customers vent their anger on social networks. Competitors milk the victims’ misfortunes for their own advantage. And it often doesn’t take long for any loss of reputation to hit an organization where it really hurts: its bottom line.
For many, then, security is seen as a necessary trade-off against agility. The less you have of one, the more you can have of the other. When you have to configure multiple firewalls, applications and systems manually, that’s undoubtedly true. In today's hybrid IT landscape, organizations have to implement any configuration changes with extreme care and diligence, and this is why many aren't yet realising the full agility benefits of their clouds.
The solution rests in automation. Automating complex network changes can guarantee security and compliance policies are enforced across the entirety of an organization's IT estate without the headache of having to do it manually.
First, organizations tell a network orchestration tool all of their compliance and security policies. This can include both global policies and those that only apply to particular jurisdictions or systems. Next, it hooks into the configuration and control mechanisms of an organization’s disparate systems, devices and networks, irrespective of whether these are based on virtual or physical kit.
It then maps out all the different elements of the system and their interactions, giving a holistic view of the company’s IT and network environment along with a single point of control. Finally, when any changes are made to one part of the network, the software can automate the configuration and connectivity settings of all the organization’s networks, firewalls and security systems to ensure every part of the system remains compliant with its policies.
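A sketch of the four steps just described, added here as an illustration and not taken from the article or from any Tufin product. The zone names, device names, ports and policy format are all constructed assumptions.

```python
from collections import deque

# Step 1: declared policy, (source zone, destination zone) -> allowed TCP ports.
# Anything not listed is denied. All names and ports here are constructed.
POLICY = {("web", "app"): {8443}, ("app", "legacy_db"): {1521}}

# Steps 2 and 3: inventory of enforcement points, virtual and physical, and
# the two zones each one joins. Together they form the map of the estate.
DEVICES = {
    "cloud-sg-web": ("web", "app"),             # virtual: cloud security group
    "vfw-dc1": ("app", "dc_core"),              # virtual firewall
    "fw-legacy-01": ("dc_core", "legacy_db"),   # physical firewall
}

def find_path(src, dst):
    """Breadth-first search for the devices traffic crosses from src to dst."""
    queue, seen = deque([(src, [])]), {src}
    while queue:
        zone, path = queue.popleft()
        if zone == dst:
            return path
        for dev, (a, b) in DEVICES.items():
            nxt = b if zone == a else a if zone == b else None
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [dev]))
    return None

def plan_change(src, dst, port):
    """Step 4: check a connectivity request against policy, then plan changes."""
    if port not in POLICY.get((src, dst), set()):
        # Rejected before any device configuration is touched.
        return {"approved": False,
                "reason": f"policy denies {src}->{dst}:{port}", "changes": []}
    path = find_path(src, dst)
    if path is None:
        return {"approved": False,
                "reason": "no route between zones", "changes": []}
    # One request fans out into a rule change on every device along the path.
    changes = [f"{dev}: permit {src} -> {dst} tcp/{port}" for dev in path]
    return {"approved": True, "reason": "within policy", "changes": changes}
```

Here `plan_change("app", "legacy_db", 1521)` produces one rule change for the virtual firewall and one for the physical firewall, while `plan_change("web", "legacy_db", 1521)` is rejected with no changes planned.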
Not only does this minimise an organization’s risk of suffering a damaging security or compliance breach, it simultaneously allows it to realise the true agility benefits of its virtualised environment today by extending the benefits of automation to its legacy estate. Of course, organizations could still wait until they’ve moved everything to the cloud. But by then, rivals who implemented orchestration tools earlier will probably be soaring way above them.
Reuven Harrison is CTO and co-founder of Tufin. With more than 20 years of software development experience, he led all development efforts during the company’s initial fast-paced growth period. He is responsible for the company’s future vision, product innovation and market strategy. Under Reuven’s leadership, Tufin’s products have received numerous awards and wide industry recognition.