Bob Kimball is Chief Technology Officer (CTO) of Ciena Government Solutions (CGSI), tasked with identifying Ciena’s product and technology directions for the Federal Government, DoD, and R&E market segments.

Cyber defenders traditionally concentrate their efforts on the network edge, trying to keep malicious traffic out of their networks while assuming that the network infrastructure itself is safe from compromise and can be implicitly relied upon. However, while it’s true that the preponderance of threats and virtually all well-known attacks have had either a human or application-layer vector, modern cyber defenses that largely ignore the network infrastructure layer are increasingly inadequate in today’s networked era.

Meanwhile, there are two key emerging trends to consider: first, the frequency of data breaches and the volume of impacted records continue to escalate; and second, the way that data is stored and accessed in the cloud era significantly enhances the possibility of data exposure. As applications are moved and stored outside of the enterprise location, and as more data is moved across large distances, there are more opportunities for an in-flight breach.

While there are elements of today’s network infrastructure—including optical encryption and network segmentation—that can be applied to bolster defensive cybersecurity measures, wide-scale network virtualization enabled by SDN and NFV holds great promise for improving both cyber defensive and, more importantly, cyber offensive measures.

Let’s take a look at three examples of how SDN and NFV will change data security:


1) Early detection through improved situational awareness of traffic flow.

SDN software orchestrates infrastructure layers across vendors and traditional network protocols (e.g., SONET, OTN, Ethernet, and IP), providing the SDN controller with data from every element. This data can then be used to improve situational awareness of traffic flow in the network, as well as of the state of every network element within it. This visibility brings security into the interior of the network, enabling constant monitoring and diagnostics of even the most minute network activity and creating opportunities for earlier detection of unauthorized or unusual activity.


2) Automated, dynamic network response at cyber speed.

While detecting an anomaly is vital to stopping a breach before it happens, mounting a fast response is just as critical. The flexibility and responsiveness of the network become a defense for combating attacks, especially as those attacks evolve toward cloud-type services. Network operators can define response strategies that the SDN controller software uses to respond automatically to early-detection events. Human-controlled detection and response methods can take days, months, or longer to work, while SDN can accomplish the same tasks in real time.
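To make the detect-then-respond loop of examples 1 and 2 concrete, here is an added illustration (not Ciena code, and not tied to any particular controller): per-flow byte rates reported by a network element are compared against a baseline built from earlier polls, and an operator-defined playbook turns each detection event into a flow rule the controller would push. The FlowStat record, the element name "sw1", the addresses and all rates are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class FlowStat:
    element: str        # network element that reported the counter (assumed name)
    src: str
    dst: str
    bytes_per_s: float

def baselines(history):
    """Per-flow (element, src, dst) mean and std-dev of byte rate over past polls."""
    rates = {}
    for poll in history:
        for f in poll:
            rates.setdefault((f.element, f.src, f.dst), []).append(f.bytes_per_s)
    return {k: (mean(v), pstdev(v)) for k, v in rates.items()}

def detect(history, latest, sigma=4.0, min_ratio=2.0):
    """Flag flows that have no baseline at all, or sit far above their baseline.
    The min_ratio floor stops a near-zero std-dev from flagging tiny jitter."""
    base = baselines(history)
    events = []
    for f in latest:
        key = (f.element, f.src, f.dst)
        if key not in base:
            events.append((f, "unseen", None))
            continue
        mu, sd = base[key]
        if f.bytes_per_s > mu + sigma * sd and f.bytes_per_s > min_ratio * mu:
            events.append((f, "spike", f.bytes_per_s / mu))
    return events

def respond(events, drop_ratio=10.0):
    """Operator playbook: never-seen flows are mirrored for inspection,
    moderate spikes are rate-limited, extreme spikes are dropped at the element."""
    rules = []
    for f, kind, ratio in events:
        action = "mirror" if kind == "unseen" else ("drop" if ratio >= drop_ratio else "police")
        rules.append({"element": f.element, "match": {"src": f.src, "dst": f.dst}, "action": action})
    return rules

# Constructed telemetry: five steady polls of three flows toward host 10.0.2.5 ...
HISTORY = [[FlowStat("sw1", "10.0.0.5", "10.0.2.5", r),
            FlowStat("sw1", "10.0.0.6", "10.0.2.5", r * 0.5),
            FlowStat("sw1", "10.0.0.7", "10.0.2.5", r * 0.2)]
           for r in (9.8e5, 1.0e6, 1.1e6, 1.0e6, 9.9e5)]
# ... then one poll with a 20x spike, a 4x spike, a normal flow and a brand-new source.
LATEST = [FlowStat("sw1", "10.0.0.5", "10.0.2.5", 2.0e7),
          FlowStat("sw1", "10.0.0.6", "10.0.2.5", 2.0e6),
          FlowStat("sw1", "10.0.0.7", "10.0.2.5", 2.1e5),
          FlowStat("sw1", "10.0.0.9", "10.0.2.5", 3.0e5)]

if __name__ == "__main__":
    for rule in respond(detect(HISTORY, LATEST)):
        print(rule)
```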


3) Virtualization of appliances.

Network Function Virtualization (NFV) is the ability to virtualize a number of network appliances (e.g., firewalls, DPI, routers, and the like) that were previously instantiated on separate hardware platforms, and to realize these functions on generic x86-based compute hardware. By leveraging NFV, a network operator can instantly distribute and manage these virtual appliances to any location, via the network. This not only saves space, power, and hardware costs, but also evolves service delivery and ensures consistent security levels across the enterprise. It allows distribution of known-good instances of an appliance, circumventing potential compromise at any given location. It also allows network operators to reconfigure network topologies, quickly provisioning services to respond to a network event in a much more robust manner than simply moving traffic around a problem.


It’s not an overstated claim that the communications industry is undergoing a transformation in technology that will likely be as impactful as the transition from analog to digital communications in the mid-1980s. Wide-scale virtualization of network infrastructure—made possible by SDN and NFV—has moved from lab trials to network implementation, bringing about an evolutionary progression of network technology.

With this evolution, the basic building blocks of network infrastructure are changing from complex hardware platforms to virtualized, software-controlled instances that can be distributed across the network and dynamically configured to meet real-time requirements.

As a result of all this progress, we will need to change our thinking around data security. Border security measures will have little meaning as network boundaries constantly shift and increasingly consist of a software interface shared between several applications. The fact is, traditional efforts to provide data protection—which have previously focused on human interfaces and applications—will no longer suffice.