Network functions virtualization is all about agility, flexibility and reducing costs, but a report from the Cloud Security Alliance highlights the flip side of these benefits: new security risks.
In a “position paper,” released Monday, the CSA Virtualization Working Group cited six challenges in securing NFV environments: hypervisor dependencies, elastic network boundaries, dynamic workloads, service insertion, stateful vs. stateless inspection, and scalability of available resources.
Several of the NFV security issues stem from conflict with traditional security methods. “NFV’s appeal is in its agility and dynamic capabilities. Traditional security models are static and unable to evolve as network topology changes in response to demand,” the CSA said. “Inserting security services into NFV often involves relying on an overlay model that does not easily coexist across vendor boundaries.”
While NFV is designed to do more with less data center rack space and power, deep-inspection technologies such as next-generation firewalls and Transport Layer Security decryption are resource intensive, according to the CSA, an industry group that promotes best practices for cloud security.
Moreover, with NFV there often isn’t a simple insertion point for security services that aren’t already layered into the hypervisor, and NFV may add complexity for security controls that can’t deal with the “asymmetries created by multiple, redundant network paths and devices,” the paper states.
Kapil Raina, co-chair of the CSA Virtualization Working Group, told me that the purpose of the report is to draw attention to NFV security issues and provide a framework for dealing with them. The report is designed as an initial step to developing practical guidance for securing NFV environments.
The paper also discusses some security issues with SDN, which it notes can be used with NFV, but Raina said the group’s focus was more on NFV since there is already an extensive body of knowledge on SDN.
In its paper, the CSA also highlighted how an NFV environment can speed security response, such as in the case of a denial-of-service attack. Still, it stressed that there are challenges in virtualizing network functions. Raina said a big challenge is the lack of a standard for either NFV or SDN with many vendor-specific implementations.
“Even though there’s an opportunity for good, the complexity and diversity of environments can also be a challenge,” he said.