Which KPIs should I measure for security in SDN?
KPIs provide useful guidelines to measure how network performance and security align with business objectives. Here are some KPIs to help keep track of an SDN environment.
Enterprises implement software-defined networking to achieve agility and to provide new support for security challenges. So, they should measure and report on factors that directly reflect IT agility and security in SDN.
Organizations look at business-level agility based on the kind of business they are and the line of business they are in. Some of these agility metrics include the time to begin conducting business in a new location and the time to spin up a new online service, among others.
Still, some key performance indicators (KPIs) are both safely generic and useful. These include the following:
Time to add a new network service. Measure this KPI in days, from the time a service is ready for deployment to the time it is fully deployed. In a legacy network, this can range from zero (for services requiring no change to the network) to many months (for services that require significant changes to WAN and firewall configurations). In an SDN environment, it should range from hours to a few days.
Time to provide a functioning network environment to a new data center workload. Measure this metric in hours. In a legacy environment, this can take days to months, depending on the number of teams involved in configuring the environment, such as systems, storage and security.
In an SDN environment, it should take hours (when a human still needs to push some changes, such as a rule change for a data center's internal firewall) to minutes or even seconds (when everything can be pushed by automation).
Metrics for security in SDN
Security in SDN often revolves around deep segmentation of the network. This breaks relatively open, large networks into many tiny network segments that don't talk to each other directly.
The key is a shift in perspective: Security starts by denying all attempted network connections and explicitly allowing only desired ones. Deep segmentation minimizes the chance of a successful lateral attack, and it swaps a huge and difficult-to-manage firewall rule set for many simpler rule sets.
KPIs for security in SDN -- separate from the above agility measures -- look at complexity and change frequency, including the following:
The rules per segment. Consider how many communications and destinations have to be allowed for a segment. For each workload or workload component, the number should be low, because these rules define which other systems must talk to it, not the ones that shouldn't.
The rule changes per quarter. Once a workload goes into public availability, changes to network segment definition should become rare. This metric should trend steadily lower post-launch.
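As an added example, not taken from the original article, the Python script below computes the two security KPIs just described from a constructed per-segment allow-list (default deny implied) and a constructed rule-change log, then flags segments that exceed a rule budget or whose post-launch change count rose from one quarter to the next. The segment names, ports, dates and the budget of eight rules are all assumptions made for the illustration.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample policy: per-segment allow-list of (destination, port). Default deny is implicit.
SEGMENT_RULES = {
    "web-tier": [("app-tier", 8443), ("dns", 53)],
    "app-tier": [("db-tier", 5432), ("dns", 53), ("web-tier", 8443), ("ldap", 636),
                 ("smtp", 25), ("ntp", 123), ("monitoring", 9100), ("backup", 22),
                 ("cache", 6379)],
    "db-tier": [("backup", 22), ("dns", 53)],
}
# Constructed launch dates and rule-change log: (segment, date the segment's rules changed).
LAUNCH_DATES = {seg: date(2024, 1, 15) for seg in SEGMENT_RULES}
CHANGE_LOG = [
    ("app-tier", date(2024, 1, 10)),  # pre-launch change, not counted
    ("app-tier", date(2024, 2, 1)), ("app-tier", date(2024, 3, 5)),
    ("app-tier", date(2024, 5, 10)),
    ("app-tier", date(2024, 8, 1)), ("app-tier", date(2024, 9, 1)),
    ("web-tier", date(2024, 2, 20)), ("web-tier", date(2024, 6, 1)),
    ("db-tier", date(2024, 3, 1)),
]

def rules_per_segment(rules):
    """KPI 1: number of explicitly allowed flows per segment."""
    return {seg: len(allow) for seg, allow in rules.items()}

def quarter(d):
    """Label a date with its calendar quarter, e.g. 2024-Q2."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"

def changes_per_quarter(log, launch_dates):
    """KPI 2: post-launch rule changes per segment, bucketed by quarter."""
    counts = defaultdict(Counter)
    for seg, d in log:
        if d >= launch_dates[seg]:
            counts[seg][quarter(d)] += 1
    return counts

def kpi_report(rules, log, launch_dates, max_rules=8):
    """Flag segments with too many allow rules or a change rate that is not falling."""
    flags = []
    per_q = changes_per_quarter(log, launch_dates)
    for seg, n in rules_per_segment(rules).items():
        if n > max_rules:
            flags.append(f"{seg}: {n} allow rules exceeds budget of {max_rules}")
        quarters = sorted(per_q[seg])  # lexical sort is chronological for YYYY-Qn labels
        series = [per_q[seg][q] for q in quarters]
        if len(series) >= 2 and series[-1] > series[-2]:
            flags.append(f"{seg}: changes rose from {series[-2]} to {series[-1]} in {quarters[-1]}")
    return flags
```

Running `kpi_report(SEGMENT_RULES, CHANGE_LOG, LAUNCH_DATES)` on the constructed data flags only app-tier, once for its nine allow rules and once because its change count went back up in the third quarter.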