Data Center Journal

VOLUME 53 | DECEMBER 2017

Issue link: http://cp.revolio.com/i/915954


segmentation across their logical, software-defined boundaries. Owing to this lack of segmentation, protecting each application is difficult and infection can spread unimpeded. For example, workloads such as containers can support a collection of service functions, also called microservices, that come and go instantly, allowing malware to infect before any traditional prevention system or forensic technique can identify the threat.

To make matters worse, cybercriminals are taking advantage of this environment by designing more-sophisticated malware to spread laterally (east to west) across the newly exposed attack surfaces in the data center or extended WAN. Examples include ransomware, IoT botnets, exploit kits, spyware, keyloggers and point-of-sale malware. In addition, thanks to the dynamic nature of cloud-based applications, this new breed of malware can leave no identifiable trace or signature, often causing damage before the threat is recognized.

To summarize, traditional security measures are limited in their ability to visualize and isolate (i.e., segment) cloud-based applications and secure the resources within their boundaries in a scalable way. Figure 2 below is an abstracted view of the "ephemeral" logical layer and the shared-resource layer of a cloud-based architecture.

Software-Defined Security Solutions

Traditional security measures have focused mostly on the network or data center perimeter. L7 FWs, intrusion-prevention systems (IPSs) and detection tools such as an IDS are inadequate to combat these new threats. Even security information and event management (SIEM) systems need more per-application context to operate successfully in cloud-based architectures.

The following summarizes the weaknesses of traditional security approaches to combat threats in an SDN or SD-WAN:

• Traditional tools lack the ability to dynamically isolate and protect each application and its workloads in the network
• Traditional tools have limited per-application contextual visibility and detection controls that can identify threats in real time in such a dynamic environment
• Operationally, it's difficult to implement and scale security measures in the enterprise network to protect each application across its entire life cycle.

To address these challenges, traditional security measures must be complemented with insights that follow and track the ephemeral nature of a cloud-based architecture. The right solution is to employ the tools and principles of software-defined networking (SDN). Over the last few years, enterprises have rapidly adopted SDN technology to automate networking in their cloud-based infrastructures. More recently, they've realized the importance of using these same principles for security.

With SDN-based security or software-defined security, the enterprise can create specific per-application security policies that are automated and that will follow and scale with the dynamic nature of the cloud-based architecture. A software-defined security solution should offer four main features: prediction, prevention, detection and response. These features align with Gartner's Adaptive Security Architecture.

Figure 2
