Cisco's John Stewart on the latest security threats … and what enterprises can do to fight back


On the subject of identity access, irrespective of other vendors' woes in the world of ODP (ontology design patterns), my belief is that identity is changing. But it's changing not so much on the ODP "good" or "bad" axes; it's changing on what we call "context." We've talked a little bit about this publicly as a company. It's because we have to wrap up the "who, what, where and how" in order to get what I would call projected identity that's usable, versus just the "who." So my belief on this one is that when I can start combining elements that then allow pattern recognition of behavior as a result of trying to identify you, and then feel confident it really is you, then the "who, what, where and how" is context-significant.

And that's how we've gone after it with the Cisco Identity Services Engine and also providers like Ping, which has done federated identity in this respect for cloud services providers and the like. So adding rich data to John Stewart -- "Well, it's John Stewart, and he's working apparently at 3 a.m., and the last we knew he was in the Pacific time zone, so what in the world is he doing that for?" -- it might still be me, I might be working late, but it would still be used, versus John Stewart gave me a fixed password, which I trust ubiquitously. So that's where I think we'll be getting to.

The simple observation I would make here is that one-time usernames and passwords, for the moment, procedurally and technologically are still a very strong way to handle identity. They're just not strong enough, because they don't have the context of the "who, what, where and how." So it's not like we have to retool the entire world because one-time passwords have fallen. I think we can just build upon getting beyond just the "who" to, "Where are you accessing it from, what are you trying to do, and then how are you trying to transport traffic?" When you throw all that together, then you can start making much better value decisions as to whether or not to allow access, irrespective of whether the access requested is inside or outside the company.

So, practically speaking, can you handle that at the switch level?

Yes. There's more than one company and product in this space, but this is where we've gone. We're already shipping product that does stuff like this, such as the Cisco Identity Services Engine (ISE) that we launched in May 2011; the Cisco Adaptive Security Appliance (ASA), which is essentially our firewall used in a remote access solution and is adding a lot of the data; and last but not least, the Cisco AnyConnect VPN Client, which is the client supplicant that allows you to do remote access.

Is defense-in-depth still the best overall security strategy for data center managers?

I agree that defense-in-depth, or what I would call "composite security," is still a very sound strategy. However, there is a piece of this that we don't talk enough about, and that I think is elemental, which is situational understanding. What I'm trying to offer up here for debate is that if you have defense-in-depth, but you don't understand your infrastructure, then you don't really have security.

Too often, just out of speed, time, efficiency, you name it, we end up building things and then we lose track of how they're working properly, so we don't really have that situational understanding. We have all these layers of defense-in-depth, but then the porosity of something we don't understand is where the hole is, and somebody else finds it, because they study us ...

And they actually may end up knowing more about your network than you do.

Yes, exactly. So only when composite security/defense-in-depth and situational understanding are combined should you really feel confident, because one without the other, I don't believe, is a comprehensive enough strategy.

Another interesting aspect about situational understanding -- one in which we've focused our product and services suite -- is that it's really important to have somebody watching you from the outside. A classic example: I have defense-in-depth and situational understanding, so I know it's working and I know how it's working, but somebody outside my infrastructure watching me is actually noticing that I have all sorts of ports open, or a new system's online, or this thing is generating gigabytes of traffic, or it's become a spam host or a botnet-controlled device, or whatever -- that's equally valuable as part of that situational understanding. Now you know that whatever you've done, it wasn't completely good enough. Sometimes the only way to see that is to have someone looking out for you.

Does Cisco provide that service?

We do, in a format we call "Security Intelligence Operations" or "SIO." It's kind of a two-for-one. Part one is that we're studying the Internet for reputation and making sure we create the "badlands of the Internet" and can automatically block, through any number of means -- email, Web, IDS, IPS, firewall -- you going there, but also that area trying to contact or connect to you. Part two, as we work increasingly with the ability to understand traffic via NetFlow, which is "free" on every router that we make, it has some really good value equations in situational understanding. Although you can't see payload, you can see traffic in terms of how much and from what IP address to another, and that's where it's really valuable.


So from that alone, you can potentially identify that maybe it's not legitimate traffic.

Exactly, but it is traffic, so you have to ask, "Why is this happening?" The part I'm trying to build upon is that it's just an element of helping you to realize that you're not alone and having to do this all by yourself. You end up having, in my opinion, the need to subscribe to services that are studying an aggregate number of customers, so they can get a priori warning that this is happening as part of a group -- that you're a part of a bot-controlled or spam-generating system.

Considering the business risk posed by security breaches (data and identity theft as examples), should businesses establish a distinct threat operations unit, similar to Cisco's TOC (Threat Operations Center), that reports directly to top management? If this isn't feasible, how can customers best take advantage of the security analyses compiled by their network vendor?

I think that's a great question. Bridging from the prior point, there are essentially two ways to get data. One is an automatic system that provides it, and that's what I was just talking about with SIO. With our analysis of literally terabytes of data per day, SIO enables you to participate in a community of customers that are all essentially helping one another through the enriched study of traffic. That's what we provide, but then there's another way that is more manual. When you have a vulnerability that's been reported, you need to look at the vulnerability plus its implication.

I think it's really helpful for vendors to collaborate with other companies on security-related issues. Suppose there's a vulnerability that's reported, for example, by Microsoft, and here's how Cisco would say you can use Cisco to help mitigate it, and here's how Microsoft says you can use Microsoft to help mitigate it. That's helpful because it gives you something to do, versus just data: "Hi, you're vulnerable." Well, that's great, but that's not what I need. I need, "What the heck do I do about it? Give me some choices and options." So that's where I think the subscription value of getting the data manually can help.

My observation is that it's easy to get in a rut. Like on Tuesday you patch servers, and on Sunday you do other server maintenance, and nothing seems to be wrong, so there's just a tendency to get into a pattern. And there's inertia, and also the problem, obviously, of trying to pitch to management that the network is vulnerable and we could be having major problems, when there's no apparent problem -- but your data could in fact be streaming out the door.

You're spot on. Just because you can't see it, doesn't mean it's not happening.

Right, exactly.

If I were to put sort of a fine point on what I think your question relates to -- I've said, very loudly, "Make sure you do the basics well." That includes being cognizant of potential future problems, but also being very cognizant that you're running the existing operation the best you can, with the true risks well mitigated or fully accepted. Because too often -- and I've even seen my own team do this at times -- you're thinking the latest problem is what you have to work on when the honest truth is that a misconfiguration over the weekend is what's causing your biggest risk. So it's risk plus mitigation equals risk management. So do the basics well, then start going for the higher-order bits, set a strategy and go.

Perschke is co-owner of two IT services firms specializing in web hosting, SaaS (cloud) application development and RDBMS modeling and integration. Susan also has executive responsibility for risk management and network security at her companies' data center. She can be reached at susan@arcseven.com.

Copyright © 2012 IDG Communications, Inc.
