NEW YORK -- The ideal security architecture for virtualized networks will be distributed, diverse and resilient, which means it will look a lot like a botnet, AT&T Chief Security Officer Ed Amoroso said Wednesday at Light Reading's Carrier Network Security Strategies conference.
A year after he told the same conference that the days of just protecting the perimeter were over, Amoroso got a bit more detailed about how AT&T Inc. (NYSE: T) is evolving its security strategy to match its adoption of software-defined networking and the cloud. SDN actually represents a substantial opportunity to improve security by enabling the instant provisioning of per-workload security, he said. (See AT&T Adds Virtual Layer of Security and AT&T Virtualizes Multi-Layer Security.)
"We are at a pretty important point in computer security where we are all changing our architectures," the AT&T executive said. Architecture is the key thing even though it doesn't get the attention from the vendor community it deserves, largely because it's impossible to get venture capitalists excited about architecture, Amoroso said.
As telecom adopts virtualization and begins delivering applications and services in new ways, security has to adapt as well, he noted, and one way to do that is to apply the security needed on a per-app or per-workload basis, at the time the virtual network functions are being assembled.
"So you spin up a VM, using your Puppet or Chef provisioning tool, why not spin up security as well?" Amoroso said. That would use only the security required for that particular workload, and it would enable applications or workloads to be protected in a hybrid environment, using public and private clouds, because the security is directly associated with that app or workload.
"The advantage here is, if I am only protecting that app, the rules are real simple," Amoroso said. "You don't need a Fort Knox-style bunker. I can put that in the cloud, and with the magic of SDN, I can service chain through APIs. It's a powerful concept because it takes all of the security functions that are necessary and makes them on demand."
This approach will work for one of security's looming challenges -- the Internet of Things with its proliferation of connected devices. Amoroso sees IoT as three distinct markets, one being industrial control systems, the second being the industrial Internet and the third being what he termed "whimsical devices." The first one, in particular, will need heavy-duty security.
The AT&T exec also told the CNSS audience that "It's time to think about new ways to do things; not how to bolster the old ways" like firewalls and perimeter security. To date, it's the bad guys who have been more innovative -- they are, after all, the ones who came up with botnets.
A virtualized security landscape with its micro-segments of security, being controlled at a higher layer of the network, looks very much like a botnet, "and that gets an A-plus on my test," Amoroso said.
— Carol Wilson, Editor-at-Large, Light Reading