Network functions virtualization (NFV) brings new opportunities for network operators. But as the old security adage goes, the introduction of new technology also brings new opportunities for security threats.
This is definitely the case when it comes to NFV security. While flexibility, an increased reliance on general-purpose hardware and automation are some of the benefits of NFV, there also are new security issues that network operators must consider.
Some of the new security challenges from NFV, all stemming from virtualization, include reliance on additional software (the virtualization hypervisors and modules) and therefore a longer chain of trust, reduced isolation of network functions, fate-sharing due to resource pooling and multi-tenancy, and effective key escrow for hosted network functions.
A good way to tackle these NFV security issues is through a divide-and-conquer approach, according to a recent white paper, Providing Security in NFV, by Alcatel-Lucent. Through a policy-driven approach to orchestration, security zoning and workload placement, operators can leverage the advantages of virtualization to combat the threats from it.
The Alcatel-Lucent CloudBand NFV system, for instance, includes the ability to specify security policy using the standard OASIS Topology and Orchestration Specification for Cloud Applications (TOSCA) language.
“As a result, compute, storage and network resources can be optimally allocated and stitched together, as required by the security policy,” noted the paper. “If, for example, the policy requires that certain virtual network functions (vNF) components be separated physically, they will be placed on different hosts. Similarly, virtual security appliances can be spun up automatically and chained together according to the provider’s policy.”
The automation that NFV enables also can be used to stem the new threats.
Even with all security processes and policies properly documented and the datacenter personnel trained, there is far too much information to be left to manual processing. But if security processes are automated and implemented as part of the management system that oversees the cloud environment in all datacenters and compute nodes, this is no longer a problem. This is helped by the fact that NFV can be controlled from a centralized system for command and control to ensure systematic and consistent implementation of security.
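The physical-separation rule quoted above and the automated enforcement described here can be checked mechanically against a placement plan. The following is an added example, not code from the white paper or from CloudBand; the component names, host names, zones and the dictionary-based policy layout are constructed assumptions and are not TOSCA syntax.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names, not from the white paper).
# Each vNF component declares a security zone and, optionally, an
# anti-affinity group whose members must sit on different physical hosts.
POLICY = {
    "fw-1":  {"zone": "dmz",  "anti_affinity": "fw-pair"},
    "fw-2":  {"zone": "dmz",  "anti_affinity": "fw-pair"},
    "hss-1": {"zone": "core", "anti_affinity": None},
    "dns-1": {"zone": "dmz",  "anti_affinity": None},
}
HOST_ZONES = {"host-a": "dmz", "host-b": "dmz", "host-c": "core"}


def audit_placement(policy, host_zones, placement):
    """Return a sorted list of (rule, detail) violations for a placement map."""
    violations = []
    group_hosts = defaultdict(lambda: defaultdict(list))
    for comp, rules in policy.items():
        host = placement.get(comp)
        if host is None:
            violations.append(("unplaced", comp))
            continue
        if host not in host_zones:
            violations.append(("unknown-host", f"{comp}@{host}"))
            continue
        # Security zoning: a component may only run on a host in its zone.
        if host_zones[host] != rules["zone"]:
            violations.append(("zone-mismatch", f"{comp}@{host}"))
        if rules["anti_affinity"]:
            group_hosts[rules["anti_affinity"]][host].append(comp)
    # Physical separation: no two members of a group on the same host.
    for group, hosts in group_hosts.items():
        for host, comps in hosts.items():
            if len(comps) > 1:
                detail = f"{group}@{host}:{','.join(sorted(comps))}"
                violations.append(("anti-affinity", detail))
    return sorted(violations)


# Constructed placement plans: one compliant, one with three violations.
GOOD = {"fw-1": "host-a", "fw-2": "host-b", "hss-1": "host-c", "dns-1": "host-a"}
BAD = {"fw-1": "host-a", "fw-2": "host-a", "hss-1": "host-b"}

if __name__ == "__main__":
    for name, plan in (("good", GOOD), ("bad", BAD)):
        print(name, audit_placement(POLICY, HOST_ZONES, plan) or "compliant")
```

Run as part of the orchestration pipeline, a check like this rejects a plan before any workload is scheduled, and it can be re-run after migrations to catch drift from the policy.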
NFV brings new challenges. But properly deployed, NFV also can solve most of the issues it introduces.
Edited by Peter Bernstein