Cisco's Vision Of Trust And Security: Building It With Or Without You

June 30, 2010

6 Min Read

I am pretty impressed with Cisco's breadth and depth of vision on where the information technology is heading and the role of the network in that vision. One item stuck out during Pamasree Warriors Keynote address today, and that is the requirement for trust and security in the borderless endzone, borderless Internet and the borderless data center. The inference I take from that is that security and trust have to follow information and services as they are accessed and located in the varying zones. I agree that security and trust are necessary, but getting there is going to be extremely difficult. What strikes me is that Cisco's vision in the near term to perhaps even 10 years out requires either an all-Cisco network or a ton of standards development that I don't even see on the horizon.

In most data centers today, you can point to where your data resides -- on the server or SAN array -- and say "that needs to be protected." You can identify its location in the network and say I need to create a border around this stuff and protect it. You can point to who is accessing your sensitive data and where they are located and set access controls on who can access it and from where and in some cases, from what devices. It's a big task, but companies can and do employ access controls to protect sensitive data from prying eyes.

IT mashes together a bunch of products like firewalls, IDS/IPS systems, anti-malware, monitoring, virtual private networking, encryption for data at rest, authentication and a host of other security technologies. It works more less well because the location of the data and the methods and modes of access are relatively static and predictable. But in this borderless network that Cisco envisions, much of that predictability falls to the wayside. The information services become much more dynamic; they can change location, for example. Information itself is located in more places than ever before, which in turn may be more accessible.

Enterprises are feeling this pain today with smart phones like BlackBerries and iPhones, where users are accessing enterprise resources with devices that most likely don't have the same controls and protections that your IT issued laptop might have. The borderless network, Internet and data center is only going to exacerbate that situation.

The question becomes, how does IT build security systems that can be as dynamic and robust as the IT systems they are trying to protect? One simple example is moving a web server that accesses a data base from the data center to a cloud service. In the data center, you probably don't have and don't need to encrypt the connection between the web server and the DB (it might be prudent to do so, but you probably don't). Move that web server to the cloud and now you have to do a few things. You have to encrypt the connection between the web server and the data base. Use a VPN. To do that, you have to set up an authentication process. You have to open access in your firewalls. You might want to expose the DBMS traffic to IDS/IPS monitoring. You might want to capture logging. Oh, and you have to worry about the cached data that is located on the VM image in the cloud service provider and how has access to that. While we are at it, how do you know (this is governance) that when you delete the VM, that the image is, in fact, removed and not stored on a SAN somewhere?And I haven't even addressed the information security controls that should be in place. I am just talking about protecting the platform and protocols.

You can do what I described today by putting the parts together. It's not that difficult. But in the borderless world that Cisco envisions (and I tend to agree it is going to happen) is going to be much more dynamic. You won't be setting that stuff up manually. You won't be able to do so quickly enough. It's going to be automated. That is where you either need an all Cisco network (or it's partners) or a set of standards that aren't close to being developed. By the way, this vision applies to any vendor, not just Cisco. I'd put Juniper's security vision in the same boat.

It comes down to integration between disparate systems and that is the disconnect. It's hard enough to get vendors to sit down and agree on basic connectivity standards. I see a riff over TRILL and 802.1aq for multi-path support in networking. Cisco favors FabricPathand TRILL. Other vendors are lining up with 802.1aq. Comparatively speaking, multi-pathing is child's play compared to the integration required to protect the borderless network and then prove that the borderless network is in fact, secured. It's not just adding some ACLs to a firewall and creating a VPN. It's identifying what routers and firewalls need the ACL, and which ACLs to apply. Creating the userIDs and VPNs. Setting up the IDS/IPS monitoring and policies. Setting up other monitoring and logging policies. And then ensuring those policies are applied to your switches, routers, firewalls, IDS/IPS's, VPN system, log management, hypervisor, virtual machine, directory store and key manager. And then documenting that what you think you have in place is in fact in place. Do you have all those functions from one vendor?

Probably not. More likely, you have products from multiple vendors that have some form of API available and perhaps a few vendors may have actually done some integration, but I will bet it is pretty limited. And that's for a single vendor and/or partner. So here is my point: IT needs standards that define the protocols and message formats for communicating and automating those functions need to be developed and deployed. Those standards need to be robust and well defined so that they are predictable, interoperable and unencumbered by patents and other intellectual property claims. I am suggesting the scale of standards development work is on par with the standards work defining the Internet Protocol and all the enhancements and improvements. I think herding squirrels would be easier (and perhaps more fun).

Here's what's going to happen: Cisco or Juniper, the only two vendors I think have the scale of vision today, will be driving a lot of the standards work. I put my money on Cisco just because of the breadth and depth of their product lines and their footprint in the standards bodies and the market, but I wouldn't dismiss Juniper. They are going to push the direction of the standards because they will be working on them internally and they will want other vendors to come play in their sandbox. They will eventually start the standards work in the IEEE and IETF bodies with a ready made set of documents like they are doing with their Overlay Transport Virtualization protocols that other vendors, even competitors, can use. In the mean time, Cisco will be out in front with their own protocols with the plan to offer the ratified standards when they are ready, just like Flexfabric and TRILL.