Cisco Blogs


Cisco Blog > Security

How Secure is Your Mobile Worker?

August 22, 2013 at 6:00 am PST

How well do you know your mobile worker? Understanding the mobile worker’s perceptions and behaviors will offer a better view on the potential security implications your organization must manage. Cisco recently released a new global infographic and white paper, the Cisco Connected World International Mobile Security study. They explore the mobile worker’s view points concerning working remotely, connecting to corporate, and their sense of security. Some of the findings are worth reflecting on to help you set the course for your mobile security efforts.

There is no question that the movement to mobile personal devices in the workforce has been well recognized. A recent response to this trend includes almost half of employers offering to fund workers to buy their own devices. Allowing the “chose your own” device alternative will attract and retain talent and reduce costs (see recent IBSG BYOD research), but what are the security implications?

There are a few striking data points to call out:

  • 63% of users download sensitive data on their devices. The frequency significantly increases in some countries which should alarm people doing business internationally if there are no precautions taken to secure the downloaded data. Imagine your financial data or product road maps being downloaded on an unprotected personal device.
  • Most believe remote access is a privilege. Yet in some countries they believe it’s a right as a worker. This establishes high expectations for IT to support and secure the devices including, but not limited to, extensive help desk calls.
  • Most users are diligent when a pop-up appears and will read through the details and determine what it really means. Yet, many workers from select countries generally tend to be less careful and accept warning pop-ups without reading the details which increases the risk that hidden malware will be downloaded. Hackers depend on this social mining effort.
  • 60% of users admit to engaging in risky behavior on a device (for example, personal or company-owned) while connected to corporate resources. This suggests that more security enforcement technology would benefit the prevention of data breaches and/or loss.

Data_Protection_Chart_1-300x115So, who really owns the mobile security issue? Mobile workers do not take full responsibility for a safe device with 84% believing that their IT will protect them from threats no matter what device is used. Sometimes IT’s perspective on this dependency is expressed with disbelief. An example of this issue was observed at BlackHat from a security professional during a demonstration we presented a couple weeks ago.

During the demonstration, we were showing how a user who inadvertently clicked on a phony URL sent in an email. That click triggered to phone an alert to a hacker that an “innocent” user is accessing the phony Internet site. The user unknowingly offered login credentials to their bank account. The hacker begins to record the users’ keystrokes to use later for malicious purposes. A security professional from BlackHat chimes in during the demonstration with the comment, “Dumb User.” The demonstration later showed how the combined effort of Cisco ISE and SIEM (Lancope) with unique TrustSec enforcement can identify and control the malicious activity with a single policy (for example, by segmenting and restricting users traffic close to the edge—on a network switch). The surprise to the security experts watching the demonstration was the concept that the network switch provided this enforcement.

Bottom Line: Most mobile workers have good intentions but do rely on IT to step in.

It would be great hear from you on your impressions of these recent findings and whether you are a mobile worker or an IT professional.

Please refer to Cisco’s security response for the mobile workforce: Secure Access

Tags: , , , , , , ,

#EngineersUnplugged S3|Ep9: The Underlay Network (SDN w/PacketPushers)

August 21, 2013 at 4:13 pm PST

Welcome back loyal viewers--this is an episode not to be missed. Engineers Unplugged is thrilled to welcome the Packet Pushers (@packetpushers), aka Greg Ferro (@etherealmind) and Ethan Banks (@ecbanks), as they discuss the underlay network. Yes, they’re showing us the underside and future of software defined networking.

Watch and see:

Welcome to Engineers Unplugged, where technologists talk to each other the way they know best, with a whiteboard. The rules are simple:

  1. Episodes will publish weekly (or as close to it as we can manage)
  2. Subscribe to the podcast here: engineersunplugged.com
  3. Follow the #engineersunplugged conversation on Twitter
  4. Submit ideas for episodes or volunteer to appear by Tweeting to @CommsNinja
  5. Practice drawing unicorns

And it wouldn’t be Engineers Unplugged without unicorns, a software defined one here.

Packet Pushers, aka Greg Ferro and Ethan Banks, plus unicorn!

Packet Pushers, aka Greg Ferro and Ethan Banks, plus unicorn!

We’ll see you next week at VMworld! Be sure to drop by the Cisco booth and try your hand at unicorn whiteboarding.

Tags: , , , , , , , , , ,

Cisco vPath Technology Enabling Best-In-Class Cloud Network Services

vPath, a Cisco innovative technology developed within Cisco Nexus 1000V, has been shipping for more than 2 years, enabling customers to seamlessly create policy-based multi-tenant / multi-container Data Centers across multiple hypervisor environment. Increasingly, customers are implementing network services into their virtualization and cloud networks in order to meet regulatory, security and service levels. To this end we are seeing increased deployments of virtual firewalls, load balancing, routing, WAN optimization & monitoring tools. Cisco’s vPath technology allows customers to deploy these best-in-class network services seamlessly in their Data Center and Cloud deployments. So, what makes vPath so unique in this industry?

#1 -- vPath Powered Service Chaining at a tenant level: For customers to create multi-tenancy architecture today, they have to configure the different network services and manually “stitch” them together for every unique combination. While this method provides the goals for regulatory compliance, security and service levels it often increases application provision time, and does not easily support application mobility. Additionally most applications have to follow the same manually stitched network services.

With Cisco Nexus 1000V vPath technology, the customer’s Data Center becomes very agile by enabling policy based services chaining at the application or tenant level. Customers can create policies and select the L3-7 virtual services appropriate for the application at the time of VM or Tenant creation. These policies are then dynamically instantiated and fulfilled in the Nexus 1000V distributed virtual switch.  If the particular application VM moves, the Nexus 1000V network policy moves with it and hence the service chain remains intact.

Figure 1: Policy based dynamic service chaining through vPath

service_Chain

 #2 -- vPath enables Distributed Cloud Network Services: As noted in the picture above, vPath controls the packet flow through all Services that are chained for that particular policy. Once the first few packets of the flow is inspected by each Service node, vPath offers the capability to off load flow decisions of the particular Service to the local host such that the subsequent packets of the same flow are locally inspected at the host. Through this mechanism, vPath improves the performance of the particular service since the subsequent packets of the flow are no longer required to be inspected by the individual Service node and hence enabling distributed behavior of the particular service.

Figure 2: Distributed Cloud Network Services through vPath Fast Path Offload

 fast_path_offload

 

#3 -- vPath offers Best-In-Class Cloud Network Services across multiple hypervisors: vPath enables the customers to use the best-in-class Cloud Network Services from Cisco such as Virtual Security Gateway, ASA 1000V & virtual WAAS, and best-in-class ecosystem partners such as Citrix NetScaler 1000V & Imperva Secure Sphere Web Application Firewall.  This vPath enabled architecture will be supported across all major hypervisors such as VMware vSphere, Microsoft Hyper-V, KVM and Xen. 

#4 -- vPath to become a standard based Network Services Header: In traditional fashion, Cisco creates innovative solutions to help solve our customer’s IT challenges. Once proven, we offer these technologies such as VXLAN through standards bodies to allow greater interoperability and choice. Recently, vPath header format has been submitted to the IETF as a Network Service Header draft.  In the future customers will be able to leverage dynamic policy based services chaining including both virtual and hardware based solutions that support Network Services Header! 

To learn more about Cisco Nexus 1000V and Cloud Network Services, please visit our community site. Create a Cloud Lab account and checkout out the vPath in action today!

Lastly, if you are at VMworld, make a point to attend our sessions PHC6409 and NET6380, or stop by at the Cisco booth.

Tags: , , , , , ,

The Role of Executives in Employee Engagement: Crossing Your T’s and Dotting Your I’s

August 21, 2013 at 11:58 am PST

In our #ciscosmt Twitter chat yesterday, we talked about how to engage employees in social media. On a very high level, I presented the pillars of our program: identify, activate, recognize and measure. And previously, I blogged about a potential framework you can use for your own Social Ambassador program (that’s what we call our employee engagement program at Cisco).

At the end of the session, I offered 3 key takeaways for companies interested in starting or improving their employee engagement programs (these are all Twitter-friendly nuggets): Read More »

Tags: , , , , , , , , ,

SDN and Network Programmability: First Five Use Cases for Cisco IT

The Cisco IT network services team views network programmability—the broader category that includes SDN, or Software-Defined Networking—as one of our top priorities.

To clarify terms, SDN is a network architecture that decouples the control plane (that is, the building of a routing table) from the data plane, moving the control plane to a software-based centralized controller. In Cisco IT, we see the real value of SDN as enabling network programmability. Network programmability requires two capabilities: harvesting information from network devices, and automatically pushing out new configurations in response to dynamic network conditions or service-provisioning requests.

We’re in the early stages of weaving network programmability into Cisco IT programs. So far, we’ve identified five internal use cases. Read More »

Tags: , , , ,