Virtualization is a double-edged sword for security, according to Verizon executive Phil Ritter, who notes that both evangelists and cynics may be right about its pros and cons.
As Verizon's director of network technology planning, Ritter focuses on SDN and NFV security -- in particular, the architecture of the company's internal SDN/NFV platform. Having seen both sides of the virtualization security debate, Ritter says its overall benefit has been waking carriers and enterprises up to the idea that -- for all of its agility benefits -- virtualization is hardly a "set-it-and-forget-it" security salve.
In part one of this two-part Q&A, lightly edited for length and clarity, Ritter delves into the good, the bad and the ugly of SDN/NFV security from this vantage point of "cautious optimism." Next time, in part two, look for Ritter to talk about the due diligence required in the realm of virtualization InfoSec -- particularly with regard to network segmentation and optimized content distribution.
Telco Transformation: The one thing that really stuck out in my last NFV-related conversation with a Verizon Communications Inc. (NYSE: VZ) executive, Fred Oliveira, was the notion that NFV challenges ultimately come down to orchestration -- and the infrastructural and architectural concerns that go along with that. (See Verizon's Oliveira: NFV Needs Orchestration, Openness.) In light of your own architecture-focused role at Verizon, what's your take on this from the security perspective?
Phil Ritter: The biggest challenge that we face is that, in the prior way of doing business, we always had definite physical assets that we could point to and build security perimeters around, or use security methods on those appliances that we built the network out of -- where we could achieve a very high degree of isolation. And we would be able to keep services on our internal networks -- the ones we use for our own business purposes or our own operation and management purposes -- clearly segregated from networks that may carry customer traffic or other assets within the business.
In keeping that clear segregation between systems, I won't say security was easy, but certainly as we virtualize systems and bring services together on common platforms, it requires that we exercise a much higher degree of care in how we approach security to prevent access between networks that aren't supposed to talk to each other, or to prevent a virtual appliance from being accessed by other neighboring systems. It's really raised our level of awareness of those security perimeters and boundaries, and forced us to take a much more rigorous approach to doing third-party penetration tests and validation of the network.
TT: To follow up on that, what do the new pen tests, the new network validation and the new security checks look like in this age of NFV in these software-defined networks and edge datacenters?
PR: In the short term, we've actually identified some vulnerabilities potentially in how we're using the virtualization products, and the way that we've addressed them to date is that we have not put together services in the same system to really reach the full potential of NFV until we can address those potential vulnerabilities.
Now some of them are highly speculative vulnerabilities, but certainly we take a very cautious approach; even if they're speculative or potential vulnerabilities, we've taken great pains to address that in our network.
One example in our virtualization platform internally is what we call our Verizon Cloud Platform, but it's really a virtualization service that we use for our internal systems. There are places where we've actually segregated that into multiple installations to ensure that we don't allow access from networks that shouldn't talk to each other. So we've kept things segregated until we can have a level of certitude about the security protocols that we have in place, and in the short term, that's not really the ideal. The ideal is to bring those systems together and to get the level of sharing and the level of hardware flexibility that the virtualization systems are really trying to bring us. For example, we don't currently allow services that operate on the public Internet to touch directly some of the systems that use our internal networks until we've addressed these vulnerabilities.
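The segregation Ritter describes above -- keeping installations apart so that networks which shouldn't talk to each other cannot, and keeping Internet-facing services off the internal networks -- is only as good as the ability to verify it. The following is an added example, not Verizon's code or tooling: it models zones on a shared virtualization platform as nodes and explicit allow rules as directed edges, then checks that every forbidden zone pair is unreachable, including through transitive hops that no single rule reveals. All zone names, rules and forbidden pairs are constructed for the example.

```python
"""Added example: reachability check for a zone-segmentation policy.

Illustrative code written for this page (not Verizon's tooling). Zones and
allow rules below are constructed; real deployments would load them from the
firewall / security-group configuration of the platform being audited.
"""
from collections import deque

# Constructed policy: which zone may initiate traffic to which zone.
BASELINE_RULES = [
    ("internet", "edge_lb"),
    ("edge_lb", "customer_vnf"),
    ("customer_vnf", "customer_data"),
    ("oam", "internal_vnf"),
    ("oam", "customer_vnf"),   # operators manage customer-facing VNFs
]

# Pairs that must stay isolated: public-facing zones must never reach
# internal operations/management assets, directly or via any hop.
FORBIDDEN = [
    ("internet", "oam"),
    ("internet", "internal_vnf"),
    ("customer_vnf", "internal_vnf"),
]


def build_graph(rules):
    """Adjacency map zone -> set of zones it may reach directly."""
    graph = {}
    for src, dst in rules:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def find_path(graph, src, dst):
    """Breadth-first search; returns the zones on a path src -> dst, or None."""
    if src == dst:
        return [src]
    parents = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt in parents:
                continue
            parents[nxt] = node
            if nxt == dst:
                path = [dst]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])
                return list(reversed(path))
            queue.append(nxt)
    return None


def check_segmentation(rules, forbidden):
    """Return (src, dst, path) for every forbidden pair that is reachable.

    An empty list means the policy honours all isolation requirements.
    The returned path is the evidence an auditor needs: the exact chain of
    permits that, taken together, connects two zones meant to be isolated.
    """
    graph = build_graph(rules)
    violations = []
    for src, dst in forbidden:
        path = find_path(graph, src, dst)
        if path is not None:
            violations.append((src, dst, path))
    return violations


if __name__ == "__main__":
    print("baseline violations:", check_segmentation(BASELINE_RULES, FORBIDDEN))
    # A change that looks harmless on its own: let the customer VNF zone reach
    # the OAM zone (say, to push metrics). Combined with the existing
    # oam -> internal_vnf permit it opens a transitive path from the Internet.
    drifted = BASELINE_RULES + [("customer_vnf", "oam")]
    for src, dst, path in check_segmentation(drifted, FORBIDDEN):
        print(f"VIOLATION {src} -> {dst} via {' -> '.join(path)}")
```

Run against the baseline rules the check returns no violations; adding the single `customer_vnf -> oam` permit produces three, each with the full hop chain, which is the kind of unexpected backdoor that rule-by-rule review on a consolidated platform tends to miss. The same check can be re-run on every rule change so the segregation is verified continuously rather than assumed.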
TT: There are people who hail virtualization as the next great thing in security, and there are others who are distrustful of it. Does virtualization inherently improve security, or does it inherently make security worse? What are the overall inherent benefits or detriments that you see?
PR: You know, the people who hail it as the next best thing and the people who fear it as the greatest vulnerability that we've ever introduced may, in fact, both be right. There are many things we deal with every day that can be viewed as both a tool and a weapon. What we're doing is trying not to dive past the hype on the capability and the next best thing that we can offer without recognizing that we actually introduced a whole new set of threat vectors.
You could fairly argue that the ability to do a centrally managed security appliance for customers is a wonderful thing for that customer because then they can have immediate access to threat information integrated into that appliance, and there's a pace of threat mitigation that you really can't achieve by endpoint-based solutions that get deployed on the customer premise.
So it really could be the next best thing, but you also have to recognize that that same centralization potentially exposes that very security appliance to threats itself. Right now, like I say, we're in a place of cautious optimism. We're very excited about the opportunities it brings to us both for what we can deliver to our customers in SDN services and managed services and what it can deliver for our own business in terms of deployment velocity improvements and cost savings, but at the same time we don't want to be naïve, and like I said before, we're taking a number of cautious steps as we introduce services to ensure that we don't believe we're solving a problem as we open a backdoor that was unexpected.
TT: What's the good and what's the bad that we have to look forward to for virtualized network security?
PR: I'm personally very excited about the ability that it will bring us to deliver services faster and to be able to evolve our business internally faster. If NFV is going to be successful, it requires that it implements a level of automation in how we do some of our internal and external processes that we've not really embraced before in the telco industry, and that is a very exciting thing for me.
Returning to the same theme of "every good tool can also become a weapon," it's also part of my greatest concern that we have to maintain the diligence. We have to build, from the very beginning, auditable and verifiable processes around the implementation of security policies, security tooling and visibility along the way. So this is very exciting to me. I think it's probably the biggest change for the industry since the introduction of cell phones 30 years ago, and, like I said, also a great area of concern where we have to maintain our diligence.
— Joe Stanganelli, Contributing Writer, Telco Transformation