SDN are not the answer
So he is saying: plan out your networks, know the traffic, block anything that is unknown, restrict access to its lowest level, role-based access. Anything that doesn't need to be in the data centre should stay out of the data centre.
I guess force your application developers or suppliers to document every access they require and hold them accountable for anything that isn't recorded in their documentation. I guess don't back down on the rules!
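As an added illustration of the last point, not code from the thread or from anyone in it: a small reconciliation of observed data-centre flows against what each application owner documented, so that every undocumented flow is filed against the owner who must answer for it. The manifest layout, the flow-log format and all addresses and ports are constructed for the example.

```python
"""Reconcile observed data-centre flows against documented access requirements.

Added example, not from the original thread. The manifest format, the flow-log
format and all hosts/ports below are constructed for illustration.
"""

# Constructed manifest: each application owner documents every flow it needs
# as (source, destination, destination port). Per the post's rule, anything
# not listed here is unknown and should not exist in the data centre.
DOCUMENTED_ACCESS = {
    "billing-app": {("10.1.0.10", "10.2.0.5", 5432), ("10.1.0.10", "10.2.0.7", 443)},
    "reporting-supplier": {("10.1.0.20", "10.2.0.5", 5432)},
}

# Constructed flow-log lines: "<src> <dst> <dport> <action>"
FLOW_LOG = """\
10.1.0.10 10.2.0.5 5432 ALLOW
10.1.0.10 10.2.0.7 443 ALLOW
10.1.0.10 10.2.0.9 22 ALLOW
10.1.0.20 10.2.0.5 5432 ALLOW
10.1.0.20 10.2.0.8 3389 DENY
10.9.9.9 10.2.0.5 5432 DENY
"""


def owner_of(src):
    """Return the owner that documented flows from this source, or None if nobody did."""
    for owner, flows in DOCUMENTED_ACCESS.items():
        if any(f[0] == src for f in flows):
            return owner
    return None


def undocumented_flows(log=FLOW_LOG):
    """Return {owner: [(src, dst, dport, action), ...]} for flows nobody documented.

    Flows from addresses no owner claims are filed under 'unknown-source'.
    An ALLOWed but undocumented flow means a rule exists that nobody asked for;
    a DENIED one is still reported, because the attempt itself is either a
    documentation gap or an unauthorised client, and the owner should explain it.
    """
    documented = set().union(*DOCUMENTED_ACCESS.values())
    findings = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, dport, action = line.split()
        flow = (src, dst, int(dport))
        if flow in documented:
            continue
        owner = owner_of(src) or "unknown-source"
        findings.setdefault(owner, []).append(flow + (action,))
    return findings
```

In practice the manifest would come from the access documentation the post asks suppliers to maintain, and the log from the firewall or flow collector; the report then becomes the evidence for holding each owner to what they wrote down.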