Core components to improving your security posture through Intent-Based Networking include a single source of truth, continuous real-time validation and the ability to swap or upgrade devices quickly. These components are not enough, though.
Audit, time machine, and roll-back your infrastructure
Without a single source of truth, it is impossible to properly audit all changes that are taking place across your infrastructure. And without a proper audit, it is impossible to know whether your infrastructure has been compromised. With Intent-Based Networking, not only do you have one source of truth, but because all changes are done through software, they’re all recorded. You can go back to an audit trail, or even go back in time through a “time machine” like functionality. Doing so helps improve your security posture at many levels:
- You have the ability to monitor your audit trail for any suspicious activities
- Your Intent-Based Networking system can be programmed to look for suspicious activities. Examples of such activities that the system can easily detect are: the creation of new agents and processes; or changes to agents that enables them to accept incoming connections.
- When you do witness suspicious activity, your Intent-Based Networking system can automatically raise an alarm, or allow you to roll back to a known “safe” state.
Never, ever log into a device!
In today’s world, operators log into devices, and use the Command Line Interface (CLI) to make changes, or debug problems. This approach is fundamentally broken and insecure because it is far too easy for bad actors to take control of the devices.
With an Intent-Based Networking system, operators never log into a device. Moreover, devices never accept incoming connections. Devices only talk to the Intent-Based Networking system, which controls and protects the connection to those devices.
Properly secure, distributed architecture
Last but not least, none of this would matter if your Intent-Based Networking solution itself gets compromised. This is why a proper security posture also requires architecting the solution itself with security in mind. Apstra AOS® is a software-first distributed system, which consists of many processes, each process only connecting to the Graph Datastore with secure, encrypted connections. The processes themselves do not accept any incoming connections; and the distributed data store authenticates connections and imposes access control.
Improve your security posture by adopting Intent-Based Networking and a “Software-First” approach
With security being of paramount concern, organizations should build their infrastructures with security as a top priority. By taking a “software-first” approach and deploying Intent-Based Networking, organizations can make quick progress in terms of their security posture by avoiding some of the most common causes of security mishaps — including lack of visibility, lack of consistency and uniformity, lack of accountability, and inability to resolve problems quickly when they arise.
Intent-Based Networking forces discipline into the operational model, driven at the core by a single source of truth. The single source of truth guarantees uniformity of policy and consistency of workflows; it is the foundation of real-time continuous validation tests; and it ensures visibility and dramatically reduces the mean time to insight when problems and security vulnerabilities do occur. It reliably prevents many security problems. Intent-Based Networking also helps to fix problems quickly when they arise, either by swapping devices quickly, upgrading software, or reverting to a known state.
In summary, Intent-Based Networking can dramatically improve organizations’ security posture. This is in addition to Intent-Based Networking’s proven benefits in delivering an order of magnitude acceleration in business velocity, an order of magnitude improvement in infrastructure reliability and an 83% reduction in costs.
If you’re interested in joining our Fortune 500 customers who are well on their way to transforming their infrastructures using a software-first approach, please contact us — we’d love to hear from you!
[Read the first blog in this two part series here]