Intent-Based Network Security Automation and Orchestration
So far in looking at intent-based network security, we're covered:
In this post, we're going to cover automation and orchestration. We actually just started analyzing the results from our State of the Firewall 2018 research; while the full report isn't ready yet, we can tell you this: the majority of organizations are not automating processes related to change management.
That's kind of stupefying at one level, because we constantly hear about the need for automation when we visit with IT security team leads at trade shows. It might be that enterprises take a long time to change, or it might be a lack of proper resources. But as automation gets to scale across multiple industries, it needs to be a key factor in your network security planning too.
You must be impartial to the enforcement point
With intent-based security, we automate the translated controls discussed in the last blog into any security infrastructure -- irrespective of what makes up an enforcement point.
Enforcement points may vary between platforms (cloud, virtual, on-prem), they may have traditional access controls (e.g. firewall rulebase), they may be temporary in nature (container, SDN), and they may implicate other security controls to accomplish the security intent (e.g. application is in virtual environment, access a database that is on-prem or vice versa).
Automation that is impartial to enforcement point is the only way to implement the security intent that we’ve translated. This universality is imperative for the security intent model, because the enforcement layers may shift, change or require crosstalk between systems to deliver the original intent.
Consider this example: continuous delivery has application development moving at an insanely fast clip. What would happen if security teams spent all their time writing rules for current state?
Answer: they'd lag behind, and the business would suffer.
To implement security the moment a resource is needed requires a global policy, translated for any enforcement point and instantly deployed in all the correct places.
We’ve now reached a point where we are no longer writing rules or establishing controls for the current state. We've moved beyond this trouble.
At this stage...
Now you have mapped the network, deduced existing intent, declared global policy, translated intentions to rules and automatically distributed those rules to the correct places.
IBNS helps with several areas of top concern for enterprise security leaders:
- Software-defined networking
- New application deployment
- Moving applications across platforms (e.g. on-prem, cloud, virtual, containers)
- Orchestrate policies automatically to fit the network need
If you follow the steps in these blog posts, you can arrive at a desired future state for your network teams.
Conversely, you can also download the full eBook on security intent here.
We hope you enjoyed this series – or at the very least found it educational. If you'd like to see more about how FireMon is an industry leader in automation and orchestration, we'd love to set you up with a demo or evaluation: www.firemon.com/demo