I am pretty impressed with Cisco's breadth and depth of vision on where information technology is heading and the role of the network in that vision. One item stuck out during Padmasree Warrior's keynote address today, and that is the requirement for trust and security in the borderless endzone, borderless Internet and borderless data center. The inference I take from that is that security and trust have to follow information and services as they are accessed and located in the varying zones. I agree that security and trust are necessary, but getting there is going to be extremely difficult. What strikes me is that Cisco's vision, in the near term and perhaps even 10 years out, requires either an all-Cisco network or a ton of standards development that I don't even see on the horizon.
In most data centers today, you can point to where your data resides -- on the server or SAN array -- and say "that needs to be protected." You can identify its location in the network and say I need to create a border around this stuff and protect it. You can point to who is accessing your sensitive data and where they are located and set access controls on who can access it and from where and in some cases, from what devices. It's a big task, but companies can and do employ access controls to protect sensitive data from prying eyes.
IT mashes together a bunch of products like firewalls, IDS/IPS systems, anti-malware, monitoring, virtual private networking, encryption for data at rest, authentication and a host of other security technologies. It works more or less well because the location of the data and the methods and modes of access are relatively static and predictable. But in the borderless network that Cisco envisions, much of that predictability falls by the wayside. The information services become much more dynamic; they can change location, for example. Information itself is located in more places than ever before, which in turn may make it more accessible.
Enterprises are feeling this pain today with smartphones like BlackBerries and iPhones, where users are accessing enterprise resources with devices that most likely don't have the same controls and protections that your IT-issued laptop might have. The borderless network, Internet and data center are only going to exacerbate that situation.
The question becomes, how does IT build security systems that can be as dynamic and robust as the IT systems they are trying to protect? One simple example is moving a web server that accesses a database from the data center to a cloud service. In the data center, you probably don't encrypt the connection between the web server and the DB, and you probably don't need to (it might be prudent to do so, but you probably don't). Move that web server to the cloud and now you have to do a few things. You have to encrypt the connection between the web server and the database, for instance with a VPN. To do that, you have to set up an authentication process. You have to open access in your firewalls. You might want to expose the DBMS traffic to IDS/IPS monitoring. You might want to capture logging. Oh, and you have to worry about the cached data that sits on the VM image at the cloud service provider and who has access to that. While we are at it, how do you know (this is governance) that when you delete the VM, the image is, in fact, removed and not stored on a SAN somewhere?
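The web-server-to-database scenario above is really a policy that changes with the location of the service: the same link that is acceptable inside the data center fails several checks once the web server sits in a cloud provider. The following Python is an added example, not code from the post or from Cisco; the `DbLink` fields, the zone names, the firewall rule id and the host names are constructed assumptions. It scores a link against the controls the paragraph lists (encryption with certificate verification, VPN, authentication, a firewall rule, IDS/IPS visibility, logging) and builds a libpq-style connection string that enforces TLS, so the reader can see exactly which settings have to move with the server.

```python
"""Hypothetical zone-aware policy check for a web-server-to-database link.
The controls required depend on where the web server runs ("datacenter"
or "cloud"). All sample values below are constructed for illustration."""
from dataclasses import dataclass
from typing import List


@dataclass
class DbLink:
    host: str
    port: int = 5432
    user: str = ""
    authenticated: bool = False   # client presents credentials to the DBMS
    tls: bool = False             # link is encrypted in transit
    verify_cert: bool = False     # client verifies the server certificate
    ca_file: str = ""             # CA bundle used for that verification
    via_vpn: bool = False         # traffic rides an authenticated VPN tunnel
    firewall_rule: str = ""       # explicit allow rule for this path (hypothetical id)
    ids_monitored: bool = False   # DBMS traffic is mirrored to IDS/IPS
    logged: bool = False          # connections and queries are logged centrally


def evaluate(link: DbLink, zone: str) -> List[str]:
    """Return the list of policy findings for a link in the given zone.
    An empty list means the link satisfies the controls for that zone."""
    findings: List[str] = []
    # Authentication is required everywhere, even inside the data center.
    if not link.authenticated:
        findings.append("database access is unauthenticated")
    if zone == "datacenter":
        return findings
    if zone != "cloud":
        raise ValueError(f"unknown zone: {zone}")
    # Once the web server is outside the data center the link crosses
    # untrusted networks, so the remaining controls become mandatory.
    if not link.tls:
        findings.append("DB traffic leaves the data center unencrypted")
    elif not (link.verify_cert and link.ca_file):
        findings.append("TLS without certificate verification is open to interception")
    if not link.via_vpn:
        findings.append("no VPN between web server and database")
    if not link.firewall_rule:
        findings.append("no explicit firewall rule for the DB path")
    if not link.ids_monitored:
        findings.append("DB traffic is not visible to IDS/IPS")
    if not link.logged:
        findings.append("DB connections are not logged")
    return findings


def libpq_dsn(link: DbLink) -> str:
    """Build a libpq-style connection string from the link settings.
    sslmode=verify-full and sslrootcert are real libpq parameters; the
    hosts and paths filled in here are constructed sample values."""
    parts = [f"host={link.host}", f"port={link.port}", f"user={link.user}"]
    if link.tls:
        parts.append("sslmode=verify-full" if link.verify_cert else "sslmode=require")
        if link.ca_file:
            parts.append(f"sslrootcert={link.ca_file}")
    else:
        parts.append("sslmode=disable")
    return " ".join(parts)


# Constructed samples: the same web server before and after the move.
DC_LINK = DbLink(host="db01.internal.example", user="webapp", authenticated=True)
CLOUD_LINK_NAIVE = DbLink(host="db01.internal.example", user="webapp", authenticated=True)
CLOUD_LINK_HARDENED = DbLink(
    host="db01.internal.example", user="webapp", authenticated=True,
    tls=True, verify_cert=True, ca_file="/etc/ssl/corp-ca.pem", via_vpn=True,
    firewall_rule="fw-allow-cloud-web-to-db", ids_monitored=True, logged=True,
)

if __name__ == "__main__":
    for label, link, zone in [
        ("web server in data center", DC_LINK, "datacenter"),
        ("web server moved to cloud, unchanged", CLOUD_LINK_NAIVE, "cloud"),
        ("web server in cloud, hardened", CLOUD_LINK_HARDENED, "cloud"),
    ]:
        print(f"{label}: {evaluate(link, zone) or 'OK'}")
        print(f"  dsn: {libpq_dsn(link)}")
```

The point of the `zone` parameter is that nothing about the database changed; only the web server moved, and that alone turned a link with zero findings into one with five. A real deployment pipeline would run this kind of check against the target zone before the VM is launched, which is the "security follows the service" behaviour the keynote asks for.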