Smart security solutions for tomorrow's networks
Date: Tue, 07/17/2012 - 14:47
With latest generation firewalls and in-line IPS systems scanning real-time data at gigabit speeds – is there anything more that can be done to improve security for tomorrow’s networks? One look at the statistics for successful cyberattacks and the answer is “yes”. Or rather: it has to be “yes”.
Cut to the TV crime series cliché: when the serial killer has struck for the second time and the operation chief says: “I want to know EVERYTHING, every alibi, every movement, about EVERYBODY having ANY connection with the victim or crime scene!” And the police team groan – knowing it means days ahead sifting through mountains of mostly meaningless data.
It’s an amazing human ability: to scan those mountains and pick out meaningful patterns that lead not just to a criminal conviction but even to stopping the next crime before it happens. It’s the holy grail for IT security – anticipating attack – but we have a long way before machines can match the intuitive skills of the criminal fraternity.
Security Information and Event Management (SIEM) has long been serving the needs of compliance reporting, but provides the equivalent of the mountains of police data. So how well can we mine that data for meaningful patterns? How readily can the search be shaped to detect potential threats and avoid false alarms? And what sort of interface is best for initiating countermeasures?
Between the vision of the ideal active counterintelligence system and reality lies a gulf of practical choices: hardware v software solutions; centralized v distributed; unified, heterogeneous or layered approaches. We have brought together the top names in security for our panel, and we invite them to look over the horizon, share ideas and guide us through these challenging choices.
Panellists at NetEvents EMEA Press Summit, Garmisch, Germany: Markus Nispel, Chief Technology Strategist, Enterasys; Pascal Oetiker, Director EMEA, NetIQ; Thomas Hemker, Security Strategist, Symantec; Frank Thias, Senior Systems Engineer, F5; Franz Kaiser, Regional Director Switzerland, Austria & Czech Rep, Fortinet
Introduced and Chaired by: Rob Bamforth, Principal Analyst, Communication, Collaboration and Convergence, Quocirca
Good morning, everybody. I would like to pick up actually on one of the points that Peter mentioned or a couple of points that came through in the previous panel discussion and move them on now into the area of the debate in particular around security and the impact of security on the network and perhaps where in the network we can start to address some of the security issues that are being raised. In particular, I wanted to start from this point, the point of consumerisation, hitting all organisations large or small, and how to perhaps tackle this looking at the underpinnings of the network.
We have probably all seen this ourselves, whenever you travel on trains, planes or sit in any office, the number of different sorts of gadgets appearing on anyone’s desk, in everybody’s pockets, in their briefcases is just growing, and there is very little consolidation, just lots of growth. And I’d probably say that some of these figures are perhaps even an underestimate when you look at tablet devices, which seem to be growing even faster than predicted.
What’s the impact on the enterprise and how people are using these things that have started off in the consumer world and are now being deployed in the enterprise world?
We did some research last year looking into this and looking into how different types of devices are used in different industries and actually in different parts of the world.
If you look across industries, you will see there is a little bit of divergence. Some industries are more traditional and perhaps their use of IT is more business process orientated, fundamental structural processes, manufacturing, retail, transport and so on.
And others are more people orientated, personal productivity. And this is perhaps where you are seeing more of the impact of consumerisation into those sorts of businesses. And they are populated by the people that we can trust with these devices and how they can use them – marketing, media, very high usage of consumer devices in those industries, potentially some significant vulnerabilities and risks being exposed.
We looked then at different countries and the adoption of consumerisation. This is not an American problem. This is not something that is happening over there and will eventually start to hit over here. It is a worldwide issue, the adoption in this case of tablets in the enterprise, being used to access corporate data, is significant and growing in many countries. In fact, as you can probably see from the research, it looks like France was growing faster than other countries, including the US, in terms of its adoption and percentages of usage. So, a significant issue, a growing issue and something that really does open up a whole series of vulnerabilities.
If we look over a couple of years ago, or 18 months ago, when we looked into how enterprises felt about their ability to protect their corporate data, certain things they were fairly comfortable with or more comfortable with, certainly around email. But if you go out to sharing of information with external users, unauthorised users and other internal users and into the whole mobile spectrum, you see there is a lot less confidence. And that is reflected also in terms of the devices that have come along and how people are using these devices, and the fear is that in these spaces there is a greater and greater risk.
Where does that bring us to with the network? Well, it brings us to the cloud and ‘bring your own device’ is one part of this worry and part of the equation. The other part, and the part that it brings in around the network, is the ‘bring your own cloud’ and how this then exposes the organisation perhaps to much more vulnerability and the use of all sorts of different types of consumer-orientated, cloud-based services.
So how should this be tackled? There are lots of different parts of the infrastructure where it can be tackled in the core of the network, through different layers of the network right through to the edge. It’s pretty clear though that organisations can no longer put a complete wrapper around everything and just keep it all safe that way.
There is going to have to be a much more fine grained approach and a much more distributed approach, and an approach which involves all sorts of different tools.
So I guess with that in mind, what I would like to do is invite the panel up. We have representatives from a number of different companies who have different security elements that they can offer, and really see what they think about how this issue of the cloud, the network and the consumerisation is making life harder for the CIO to secure the organisations’ assets, and perhaps ways that they think it might be addressed. So if everybody could come up and we will get some discussion going.
Welcome panel. So, as you can see, a good mix of organisations and a good mix of different attributes. So what I would like each of the panel to do first is to give their take on this issue, the consumerisation, cloud, network and how it impinges on security and where they think perhaps this issue could be best addressed.
Let’s start from this end, let’s start with Pascal.
We are very strong in building up infrastructures for customers, or we have been in the past and are still, to manage identities, permissions and do provisioning of users and permissions across all kinds of environments. But what we now see is that there are some new computing environments. So we talk about physical, virtual and cloud environments. The vision here is that management of users and any objects and permissions across these three environments should be seamless and it should be 100% controlled and in line with the business objectives.
That’s what I want to focus on, especially when we talk about consumerisation. I think that really brings new risks. It brings things like private clouds. We spoke briefly about iCloud recently. A lot of these consumer devices now come with cloud, so how do we deal with those? From my point of view, we are all about what can users do? How do we control this and how can we stop them from doing something?
At Enterasys, we obviously focus on the network infrastructure itself and also on embedded security features that help to support and embrace things like cloud computing and BYOD. So I will focus on that and the role of the network infrastructure itself in that play. And I would also like to focus on Enterasys being a user of cloud-based services and being an IT organisation that really embraces BYOD.
And I will give some examples of how we deal with it, as obviously we are using our own technology. Eat our own dog food – I think this is a good example, and not a statement from our CIO, but one I talked to the other day. He was measuring success by his ability to give up control and how fast he can give up control. So that was interesting. It could have come from our CIO, but it was a customer of ours. I will focus on these aspects as well.
Hi, my name is Frank Thias from F5 Networks, and we are addressing this issue constantly, which means we have on the client side the possibility to check for instances of unspecific antivirus scanners running on the machine of a desktop file while it’s running.
We have options to encrypt the data between the client of the end-user, which can be a mobile device or any device, I would say. And then when the data reaches the data centre, we have possibilities with regard to classical web security solutions. So most applications on today’s networks are based on web applications, so we can protect the data with a web application firewall. We can do input validation, and we can of course transmit the data over an outside connection and can encrypt and decrypt the data. We can look into the data and can manipulate it. With this we have the possibility to ensure end point security on the one side and security of the data and the data centre on the other side.
Hello, Franz Kaiser from Fortinet. Fortinet is a real time protection company. We are mainly focused in the network. Our main goal is actually to give back some control to the IT Manager with bring your own devices, with cloud services and so on.
You are losing the control on that side, so you don’t have a chance really to control your devices anymore. But the network is still yours, and that is what we are trying to do, giving back control on the applications and on the data which is transmitting over the network. So you have your control again.
My name is Thomas Hemker from Symantec, and Symantec has a holistic approach on this so the system security and the network security are still very, very important.
But next to this there is a paradigm shift in terms of securing the data itself, because once you cannot control the host or the system which deals with this data, and you cannot control the network where the data is flowing through, it is really important that you can control the data, the assets, the information itself. So this is next to the traditional security. We have a new paradigm, which is called ‘information centric security’.
In terms of the cloud, I think it’s important to leverage the important benefits so we can, let’s say, control security much better now out of the cloud. And I am pretty sure that, in terms of hosting and securing the cloud, the security levels for, let’s say, the average enterprise customer, may be increased. And also we can deliver kind of information security intelligence, information on threats, on mitigation of threats and so on, which wasn’t possible before that, because now we have a critical mass of information and everybody can benefit out of this. I think that is a big benefit. And also host solutions, security solutions where people who may have security for you and mitigate risks centrally also on a network basis.
For us it is also important that we have technology in place which allows our customers to use these listed cloud providers, so mainly software as a service, in a secure way. That means we will see something like a cloud firewall in the future, which enables you then to implement authentication, information protection, in terms of DLP and encryption, and also compliance controls centrally for the usage of external services, just like Salesforce and Dropbox, etc. So I think that will be pretty interesting.
From that, I have actually just raised a couple of questions in my head. One in particular was, I guess, can the CIO take back control? And actually to your point, is that a good thing for the CIO? Should the CIO take back control? Or should he just say, let’s give it away? So, can, I guess is the question. Can, and is it a good thing?
From our perspective, if you look at the trend of BYOD, it has multiple drivers from my perspective. So one of the drivers is obviously to enable new applications much more efficiently, and also to get rid of specific investments that need to take place, in terms of computer infrastructure. So you are pushing out a lot of things to the employee and make it more flexible.
You also want to lower operational costs. And if you then start to try to put tight controls on such a system, the operational costs and the increase in operational costs will probably eat up all the savings and the efficiency increments that you might want to look for. So I think you have to balance that out, and that also requires that CIOs initially really look at their existing security policy from an overall point of view and really decide what is required to be protected and what not, and specifically in that new world. A lot of customers don’t do that yet.
So from our perspective, for example, we also have cloud-based users, so we migrated to salesforce.com four years ago. We are currently migrating to Google Mail and Google Apps. Our expense reporting is in the cloud. We have box.net as a cloud-based storage service. So we are going there, but our intellectual property is obviously our development and that is still in our own data centres. CIOs need to adapt to that first before they really discuss where to regain control and where control is basically contradictory to their original goals.
I think when we look at the way that people behave, we talked about the clouds.
When we talk about cloud, I would like to talk about software as a service for now, because we were talking about Salesforce and things like that. So let’s call it SaaS, or software as a service.
What we see is that there is this movement where a line of business or organisations within organisations are moving into the SaaS applications. I am one of them. I lead a team of marketing managers, and I want these people to be their own CEO, run their own little shop. They get a budget and they need to run with this throughout the year.
One of the things they do is they pull out a credit card and go to Google docs because they need to share some docs between the GOs, they want to keep a team calendar and things like that which we don’t have internally, or at least it is not facilitating that same service. Pull out the credit card, get the service running and then the questions start because now you have to find out who is controlling this and what kind of data do you put in there? That whole initiative is not possible.
So I think one of the things you need there, and this is my own requirement for this, and I am also talking about eating my own dog food, because I am also pitching a product here, but in the end, what we see, or what I see is necessary, is that you have the flexibility as a business to very quickly move into these things on a project basis maybe. Say do that for two years, maybe a couple of months, until your project is finished, and then move out of that SaaS application and ensure that your stuff is also withdrawn from there, not only your data, but also the access to the data, the user credentials, passwords and user names.
What I see is that it is kind of an extension of the enterprise infrastructure. We just want to have another service. We don’t have it already so we will get it externally.
Now that comes with a control gap, right, because the enterprise CIO does not have the control there. He is not in control. So what we are doing there is saying look, it should be transparent. So take your user management system, like your active directories or whatever you are using internally, and extend those into those cloud applications. That requires technologies, you need a way to connect to those clouds, you need a way to translate the internal policies, groups and users into that cloud application. And ideally you would even do it in a way that you don’t have the same user names. The whole set of user names and passwords should not be in the cloud application. So therefore the user could never bypass your enterprise and go into the cloud application.
So now what you have done is you have regained control, but you have still enabled the business to go into those SaaS applications.
There is one more thing that I think we should be doing there. Since these businesses are taking a decision to move into the SaaS applications, we should also give them the responsibility for access to the application. In other words, we should govern the access. We should govern the identities that are used to access these specific pieces of SaaS.
How do we do this? You need a process, maybe an automated process or whatever it is, a process that governs the certification of the fact that a user has access to a cloud application. In other words, a recertification process, like a monthly or quarterly or yearly process that sends out tickets or emails to the owners of these businesses, like me as a Marketing Director, saying hey, do you still attest that these people should have access to your marketing calendar or to your customer database, because that is privacy sensitive information. I will then sign it off or click on yes and then it goes back to the CIO’s organisation, only then.
So how does the CIO keep control? Extend the infrastructure so the business remains flexible and can actually do their business, but at the same time give the responsibility to the business and say hey, if you want your users in there, you better sign off on this because I am going to be watching you.
I think this is really crucial because if you look at, let’s say just as an example, revoking policies of the SaaS application providers. I had a look at this, and we also use Salesforce for expense reporting and whatever there. I saw that from the SLA perspective, we have sometimes up to 12 weeks before a user gets revoked when I notify the SaaS application provider, which is not acceptable for me as an enterprise controlling user access. So I think this is really something which has to be done internally, and then you need to extend it to, let’s say, a single sign-on solution or add a second factor for authentication to all these company-owned or company-used SaaS applications. I think that is really crucial.
Could more be done automatically in the network then rather than …?
Network is crucial also because then you probably have to … If it’s a company-owned device then it is probably easy. If it’s an own device, then the network is responsible for, let’s say, redirecting the traffic through the corporate network to access these services.
Okay. So some weren’t quite right. The network is the controller, not the computer.
It’s partially the network itself that provides network access control capabilities and how to distinguish devices and user groups. On the other hand, identity is really important as well. So Enterasys, as a user, we also use a single sign-on solution that is cloud-based that interfaces with all of these cloud applications. So we are really able to revoke access effectively. And that is a very important point. I assume you also have a product, we don’t use yours, so I won’t name the product that we use, but that is a critical component for sure. Otherwise you have identity and access address, and also data address, issues that you have to avoid for sure.
I want to add something from my side as well. What we talked about is the identity of the person which is accessing the network and to control that. You mentioned before also the data to be able to safeguard the data you have in your network on your database. And what we see as an additional function is also that you need to control your data applications which are travelling across your network to be able to decide, is that malicious code? Or is it an application? Is the user allowed to use this application at this time of the day? Yes or no? Stuff like this.
There are lots of applications; when you switch on some systems, they show you applications which you don’t even know about. So because a lot of users are just switching them on, especially when you have iPads, iPhones, stuff like this, there are so many applications you have no idea. And as soon as, as an IT management company, you see what is flowing across your network and who is using these applications, you can start doing some sort of control.
I agree with that. I think auditing or monitoring is also important there, and originally in the agenda it was talking about SIEM, but here comes the topic of SIEM again. Yes, we have to have some kind of understanding of what is actually happening. So if we are controlling who gets access to data and we can control how to get access through the network and single sign-on mechanisms and all the cool technologies that are out there, the next part is then, how do I actually know if anything doesn’t work? If those access controls are not 100% watertight, I still need some kind of safeguard or dashboard or something that tells that to me. So I fully agree with it.
It is sad that we have to agree all the time, but it is absolutely something that, without having visibility into this, at some point things will happen. And I think the biggest point is, if you take your consumer device, and whatever it is, it could be an Android that has all these malicious things happening in their store because they are not 100% controlled, you will never be sure up front that it will be 100% secure. In general, you cannot be in computing, but especially with these devices. We just don’t know so much about them and everybody can load any type of app on it. So the control is less with it, so you need higher visibility.
One point is that if you are adding additional control layers, like authentication or firewalls, this does not necessarily mean that the user experience is going down. And if you are talking about single sign-on from the client, and you are moving from one application to a different application, you could [indiscernible] from the user from the client perspective. But you could also do it from a server-side perspective. So you have different applications which are being addressed from a central point, and you could have a single sign-on for instance [indiscernible], and this means that the user experience is getting better for the user. It does not mean that the user is getting punished somehow and he needs to input his password again and again and different passwords. There is also a chance for you to make it simpler for the user.
I second this, and the experience which we have with the cloud firewall, which I mentioned, especially for the authentication part, is that the single sign-on portion, even if you add a second factor for authentication to make it more secure, the single sign-on portion is very well received by the user experience.
Coming back to the overall compliance and visibility monitoring part, I think that’s really important, but not only the internal view. To get real evidence and practicality,
I think it’s really important to have also an external view. So, let’s say, most of my users are travelling with their mobile devices within this 3G network. What is the status of security there in that network? What are the current threats towards this kind of platform, especially in a heterogeneous world, when I cannot control the device itself or any security control on these devices?
To get criticality evidence and quantifiable risk, I think it’s really important to have, not only the internal view with correlation, but also to have external security intelligence information to really correlate that.
I wanted to touch on one point briefly that was made where you said the user experience was not impeded because of the security controls. Yes, but at the same time, wouldn’t you want the user also to be aware? So I think things like pop-ups, if I take this into my enterprise network, wouldn’t we want this to say, hey, you’re now on the enterprise network, be careful. It’s just a question.
And this takes us to the awareness piece, if we are only doing things at the back end, which we as a company are trying to do, we are trying to make productivity, right?
You can do business because we enable you. But at the same time, there is not a lot of awareness there. So I think we take away the technology, one of the things that should be happening is that – we always get back in discussions like this – awareness of the user of the danger that they bring into the company. So, awareness programmes again, we can talk about technology, but awareness programmes are very important here.
There is a need to refresh the awareness programmes that are currently there.
Yesterday I visited with one of our customers, a credit card issuer. They are now starting a pilot with iPad; they actually gave one to the CEO. That’s a start, very controlled environment. But the guy also said, at the same time, we need to brush up our awareness programme, because there is a new thing, there is a new technology that may come with new risks. So we should also sharpen those up.
I guess the other side to this is we are talking really about the people that we trust, employees, and they are bringing the consumer devices in. But what sort of level of risk does that open up to those people we don’t trust who are coming in from the outside? Do they see this as a new opportunity to break in perhaps?
There are a lot of options, [indiscernible] from Layer 2 to Layer 7. So, on Layer 3 or Layer 4 you can do denial of service attacks so that the application is not reachable any more, for SYN flooding or other flooding attacks. Then if you are going up into the layers, for instance if you are talking about HTTP or DNS, you have botnets which are sending [indiscernible] HTTP requests to the application and see whether the application overloads and cannot respond anymore. Or with regard to DNS, you can overload the DNS system with massive DNS requests. And if this happens the application does not react anymore and you cannot access the service, and this is a problem for your business. You need to ensure that you have either over-provisioned your system or smart technology which can defend you against these Layer 4 up to Layer 7 attacks.
Denial of service can happen just by accident as well in places that don’t have enough connectivity.
I see the threats that are also from the availability perspective. That’s for sure. But also then on a higher level, in terms of the confidentiality and integrity of the data. So if we talk about the CIS system, in terms of security. This is then really application information- and the user-centric security. And this will probably then turn out to, let’s say, totally agnostic from the user devices towards the workspace provisioning for the user, so that we can embrace lots of new technologies much faster within the companies and so on. So we move towards this, where you control the applications, the user access and the information security more and better.
For me it’s very simple. Are there any additional risks with bringing consumer devices into companies? Yes, because it’s my device. So I’ll leave it in my car, I go to Garmisch on a skiing holiday, I take it with me, right? It goes with me wherever I am. I may lose it somewhere when it’s still logged in or somebody steals it, maybe I don’t have a password on it, I don’t have all these policies because it is not an enterprise-governed device. So the whole governance piece is not there. You automatically need to have governance on your data, so confidentiality on your network connections, all that stuff. So actually, it really shifts any control to the back end, because the front end you just do not.
There is less control. You have to assume it’s unprotected.
You cannot control this thing because I paid for it.
Does that raise any questions amongst the audience wanting to ask anything?
From the floor
I wanted to ask a question about some small or medium sized companies about bring your own devices. They say okay, fine. Do it. But we want to control this device.
But if it is stolen, then we want to kill it, remove everything, so you must have the possibility through software or whatever that you kill this device if it is stolen or broken and/or corrupt. Have you such software? And do you have customers who use it?
I think the market from that perspective is quite fragmented, so I see basically four approaches to BYOD and how to handle that. One approach is what we are seeing in healthcare specifically; even healthcare customers start to embrace BYOD, they just say ok, we just offer virtual desktop solutions on top of that solution, so you don’t have that problem with data addressed on the end point, so that’s one example. The other example is that you are starting to employ mobile device management solutions on top of that and you even have users that bring their own device, except the fact that the mobile device management also incorporates these devices, so that’s a second choice.
From my perspective that’s a little bit contradictory to the BYOD approach where again you don’t want to bother about what device is used, but with MDM, with mobile device management, we start to bother again, so you have to walk a fine line there. So that is a second choice, and the third choice is that customers don’t want control on the end point and they just do it via network access control combined with monitoring capabilities and quarantine capabilities.
The fourth option is if you look at basic services like email and Exchange, for example an iPhone and an iPad using email via an Exchange plug-in, you can wipe emails through the Exchange plug-ins, so that’s a wipe capability that you have already today and that is often accepted by most employees.
The other global wipe that you talked about, that’s a tough one. The MDM vendors are trying to get into that space and trying to manage private and corporate data and providing selective wipe capabilities, but I personally think that is management overkill and technology-wise it is tough to keep up the pace, especially as you see the variety of end points and operating systems; you have Droid, you have Windows, Microsoft is coming back into the game, you have Blackberry going down the drain right now, you have iPhone etc. So you have a variety of operating systems and versions, and providing software solutions sitting on top of that to provide mobile device management, I think it’s at least questionable whether that is the right approach.
Since we are a vendor of such a solution, let me step in here.
I think our approaches are all valid and I think a different approach makes different sense for different environments. A combination would also be good. For mobile device management currently, to answer your question, yes, there is software out there which can do selective wiping of just company data on such a bring your own device. I think mobile device management is really at a stage where it is just a first part of creating, let’s say, this workspace we provide as a company for you to use your own device, and there are still missing parts in terms of information security and, let’s say, a sandbox in there as an example. I would like to control if a user is downloading an Excel sheet or Word document or whatever from Salesforce, but it’s just … used with the applications on that device but in a controlled environment. It’s all there encrypted and it cannot be transferred without any control associated to it and so on. We see solutions and we build solutions which are currently going in this direction as well.
Most customers I saw in the past are taking the solution where they are running encapsulated applications on the client, which means that they run in the sandbox and the data and sandbox are protected, and that is a very flexible solution for them. It is my experience where the customers are going…
So what I hear is in that case enterprise will only allow them to run their own application so they need to create an app for the platform instead of doing like a web browser to…
It’s both, so you can provide your own apps with your own app store controlled by the enterprise and so on, but also the user would like to use, let’s say, one address book and one email application for both emails, and then you should be able just to wipe the corporate email and not the private email for data regulation issues. This can be done already with ActiveSync, as you said Markus, and also with MDM solutions, but I think this is more accepted by users than, let’s say, opening up a remote desktop session and then controlling your Outlook via a web browser on an iPad; I think this is not accepted as much by users.
Sometimes you have usability issues if you are working in an [indiscernible] session, remote desktop or a Citrix session with an iPad: you cannot do double click or right click, so it’s hard to steer all the stuff and the configuration. I think writing a Word document is fine, but if you want to do special moves with the mouse it’s hard. This is getting better developed, hopefully, in the future.
Yes, after all, we are meant to be doing this for reasons of productivity, not making life harder, so those things are important.
Especially with that approach, I think I have so far only seen it in healthcare, because of compliance reasons; all other enterprises are trying to move more towards native applications, because you also want to leverage the benefit of an open application framework where you also provide enterprise-specific applications that your own software developers develop for your users, and you cannot cope with that in a VDI infrastructure. So from my perspective VDI is viable in a very highly regulated environment, but the typical enterprise probably doesn’t go down that path.
We will not only see the entire desktop as a virtual desktop infrastructure but also just virtualised applications which run on a regular system which the user has there, so we go in this direction as well.
I guess the other side to BYOD as well is that it’s multiple devices: people don’t bring a single device in, they will have a smartphone, iPad, laptop and home computers and everything.
Yes, and if it breaks, they just go to the next shop, buy a new device and in the next five minutes they have access to all this data again, so you just use this existing workspace just on a different device; that’s where it goes, yes.
An interesting data point here is that we have a lot of higher education accounts in the US where we have seen, after the winter and summer break, an increase of 20% of end points on an infrastructure basis, just on the fact that the kids bring a new device and gadget; typically we enforce registration of these devices on the infrastructure, so we see the device count going up dramatically.
We are running close to lunchtime, so maybe one more question if that’s ok? Anyone got a question; probably not, I shouldn’t have mentioned the ‘L’ word.
Ok, it just remains for me to thank the panel, thank you very much, thank you all for your attention as well. Thank you.