Nearly all of us depend on public key infrastructure (PKI) when we engage in secure transactions on the Internet. Digital certificates, most commonly based on ITU standard X.509, are used to prove that one is communicating with an intended website or Internet host. They are also used to establish the ownership of specific email addresses when S/MIME signing and encryption are used. Having a secure way to determine who you’re communicating with is important because an impostor or “man in the middle” site could decrypt the data sent to it, effectively defeating the security of the transaction.
Certificate Authorities (CAs) issue certificates by digitally signing a public key presented by the subject (website/host or user) after some diligence (usually for a fee) is done to determine that the entity requesting the signature is in fact the legitimate owner of that host or address. The public keys of the Certificate Authorities are, in turn, configured into Web browsers, email clients, and other software that makes secure connections. If the host being communicated with proves ownership of a certificate that is signed by a recognized CA, the certificate is recognized as valid.
Security and process problems at several X.509 CAs, most notably DigiNotar and Comodo, have received considerable coverage in the past year. This has led to doubts about the long-term viability of the X.509 ecosystem, and alternatives have been proposed. I’d like to step back from that a little bit and look at the properties we would like to have in an idealized replacement system and then how that might be accomplished.
What a week! From October 31-November 3, Cisco hosted its annual internal security event—SecCon 2011. Co-hosted by Greg Akers, SVP of Cisco’s Global Government Solutions Group and Ed Paradise, Vice President of Engineering, this marked the fourth year in which we shared the latest in product security practices, policies, processes, and thought leadership with employees who participated in live and virtual sessions around the world.
Tags: common crypto, CSDL, product certifications, product security, public policy, Secure Development Lifecycle, security, trustworthy systems
“Security must be built into every aspect of our systems architecture and be seamlessly compatible with our business architecture.”
– Rebecca Jacoby, Cisco Chief Information Officer
When Cisco’s CIO Rebecca Jacoby and I agreed that security would be built into every aspect of our IT systems architecture, we knew this was no small task. To some degree, security requirements were bolted on, not baked in, and what “security” meant was different from person to person in our organizations. We knew that we had to raise awareness and knowledge about security—not just among the security practitioners in our IT organization, but also with the IT generalists and those architecting applications and systems. That way, systems would be designed and embedded with security from day one.
Tags: Cisco, cyber security, cybersecurity, security
Okay, this may sound like gibberish. But I’m sure that many of you know what I mean. Just to be clear, let me put the title in plain English: Mobile Device Management (MDM) is not the only approach to help secure a Bring Your Own Device (BYOD) environment.
Tags: bring your own device, byod, MDM, Mobile Device Management, mobile devices, SecureX, security
As our customers and partners well know, security has been front-of-mind for Cisco this year. As far back as February, our CEO John Chambers announced that security was to become a top engineering priority for the company. The pace of innovation and development has been rapid ever since.
During the year, we unveiled our context-aware distributed security solution, SecureX, introduced the Cisco Identity Services Engine to simplify management of organization-wide security policies, and brought new security to branch offices by adding Cisco ISR Cloud Web Security to the Cisco ISR G2 branch router.
We also elevated the role of our amazing Cisco Threat Operations Centers in helping customers chart the escalation and sophistication of security threats designed to exploit new business models that emphasize mobility, social collaboration and cloud computing.
Even with all of this momentum in security, we still saw opportunities to do more; to move faster; and to address our customers’ security challenges more completely.
It’s with those goals in mind that I am delighted to announce today a senior executive appointment to further strengthen Cisco’s security business. For the first time, the security engineering team will be led by an SVP, reporting directly to me. We are pleased to share that Chris Young will be joining Cisco on November 14th to fill this new leadership role.
Chris is an outstanding technology, business and security industry leader. He joins us from VMware, where he was Senior Vice President and General Manager, responsible for strategy, products, engineering and delivery across all of VMware’s end user computing solutions.
Prior to joining VMware, Chris served as Senior Vice President, products at RSA, the Security Division of EMC, where he was responsible for strategy, product management, product marketing, engineering and delivery of products across all of RSA’s Identity and Access Assurance, Security Information and Event Management, Governance Risk and Compliance (GRC), and Data Security solutions.
While at RSA, he built the company’s highly successful Identity Protection and Verification business, which includes products such as RSA Adaptive Authentication that today protects more than 200 million online bank accounts globally. Chris’ role grew to include responsibility for all products in the RSA portfolio and during his tenure he led several successful acquisitions, including Cyota Inc., Passmark and Archer Technologies among others.
Chris will assume responsibility for a new integrated security engineering team and for Cisco’s overall security vision. His new team combines our security technologies group and our global government security solutions into a single entity.
As we welcome Chris, we say goodbye to Tom Gillis, VP of our security technologies business unit. Tom joined Cisco through our acquisition of IronPort and has been instrumental in driving our overall security business thus far. Tom is keen to pursue his entrepreneurial passion outside Cisco. We thank Tom for his leadership and wish him well in his future endeavors.
We said during our Q2 earnings call that we would continue to take further actions that allow us to address market transitions with greater speed, agility and consistency. Today’s news is a good example of that commitment: we are evolving our operating model and investing in and strengthening our team with new talent in the process. We look forward to welcoming you to Cisco, Chris!
Tags: Chris Young, Cisco, RSA, security, VMware