Cisco Blogs



CHAOS (Control Havoc and Overhaul Security): The new Order for IT

Mobility and the cloud have changed how we work, transforming pockets of downtime into bursts of productivity, with easy access to our most valued information and people. But this transformation has unleashed havoc. Security practices built on decades-old assumptions, namely that controls can be placed at a few key choke points in the infrastructure, won’t work in today’s hyper-connected, application- and data-centric world.


Mobility and cloud have shifted the power balance from IT to users. Business units and workers are embracing public cloud services for everything from document sharing to payment services. Most CISOs cannot state with confidence that their organization’s information assets are secure.

Overhaul Security

The industry needs to embrace innovative security and identity architectures so organizations can protect their users’ identities, devices, and data, wherever and whenever they are. Now is the time for InfoSec pros to embrace CHAOS and enable the business to move forward quickly and securely.


Can You Guess Your ROI on Your Secure Access?

February 5, 2014 at 9:30 am PST

No need to guess now!

Cisco commissioned Forrester Consulting to examine the business value and potential return on investment (ROI) that enterprises may realize by implementing Cisco Identity Services Engine (ISE), a leading secure access solution. The findings are available in the recently published Forrester TEI (Total Economic Impact) study. Four customers were interviewed, covering policy-governed, unified access in the following scenarios: guest services; BYOD; full access across wired, wireless, and VPN; and policy networking. The calculation was based on a composite organization of 10,000 employees that reflected the four interviewed customers from the higher education, utilities, and financial services markets.

The benefits included a 75 percent reduction in support calls related to network issues, and improved compliance that reduces data exposure, breaches, and potential regulatory and remediation costs that can add up to hundreds of thousands or even millions of dollars. Most recently, the Ponemon Institute Live Threat Intelligence Impact Report 2013 indicated that US$10 million is the average amount spent in the past 12 months to resolve the impact of exploits. The benefit of secure access cannot be taken lightly.



Don’t Miss: [Webinar] Preparing K-12 Networks for Common Core Feb 5

If you’ve worked on a K-12 wireless network, you’ll know that one of the main customer concerns is adapting to the Common Core Standards. Online testing and BYOD place even higher demands on a high-quality, high-performing network. What exactly needs to be taken into consideration when designing these networks?

Join us tomorrow, Wednesday, February 5, for an informative webinar packed with tips and tricks on how to design K-12 networks optimized for Common Core. If you work in education IT, or are a partner or network consultant that handles many K-12 school district deployments, this is the webcast for you. We’re starting at 10am PST and will run for about 45-60 minutes, and there’ll be a chance for you to ask questions directly of Cisco engineers.

Register here today, or read the full article: Is Your Network Ready for Common Core Standards?


User Behavior and Training Critical to Secure Mobility

Worker mobility has become an essential practice for government agencies. From teleworking on the road to accessing critical data on your smart phone, mobility increases productivity and employee satisfaction. And the trend toward mobility is growing. In fact, the Cisco Visual Networking Index predicts there will be more than 10 billion mobile devices worldwide by 2017. With the increased proliferation of mobile devices comes the need to ensure that appropriate policies and procedures are in place so agencies can take advantage of increased capabilities while still maintaining high levels of security.

By and large, government agencies are doing a good job of balancing the need for mobility with security requirements. However, according to a new study by Mobile Work Exchange, which was commissioned by Cisco, 41 percent of government employees are putting agencies at risk with insecure mobility habits. Clearly, there is some room for improvement.

The study used the Secure Mobilometer, an online self-assessment tool, to capture data from end users and agencies. The tool scored their mobility habits based on user input covering password protection, data loss prevention, mobile device policies, and security training.



Taking Complexity Out of Network Security – Simplifying Firewall Rules with TrustSec

Bruce Schneier, the security technologist and author famously said, “Complexity is the worst enemy of security.”

We have been working with some customers who agree strongly with this sentiment because they have been struggling with increasing complexity in their access control lists and firewall rules.

Typical indicators of operational complexity have been:

  • The time it can take for some organizations to update rules to allow access to new services or applications, because of the risk of misconfiguring rules. For some customers the issue is the number of hours spent defining and configuring changes; for others it is the number of days it takes to work through change control before a new application is actually in production.
  • The number of people who need to be involved in rule changes when there is a high volume of trouble tickets requiring them.

Virtualization tends to result in larger numbers of application servers being defined in rule sets. In addition, we are seeing that some customers need to define new policies to distinguish between BYOD and managed endpoint users as part of their data center access controls. At the same time, in many environments, it is rare to find that rules are efficiently removed because administrators find it difficult to ascertain that those rules are no longer required. The end result is that rule tables only increase in size.

TrustSec is a solution developed within Cisco that describes assets and resources on the network by higher-layer business identifiers, which we refer to as Security Group Tags, instead of describing them by IP addresses and subnets.

Those of us working at Cisco on our TrustSec technology have been looking at two particular aspects of how this technology may help remove complexity in security operations:

  • Using logical groupings to define protected assets like servers in order to simplify rule bases and make them more manageable.
  • Dynamically updating membership of these logical groups to avoid rule changes being required when assets move or new virtual workloads are provisioned.

While originally conceived as a method to provide role-based access control for user devices or accelerate access control list processing, the technology is proving of much broader benefit, not least for simplifying firewall rule sets.

For example, this is how we can use Security Group Tags to define access policies in our ASA platforms:

[Screenshot: ASA access policy defined using Security Group Tags]

Being able to describe systems by their business role, instead of where they are on the network, means that servers as well as users can move around the network but still retain the same privileges.

In typical rule sets that we have analyzed, we discovered that we can reduce the size of rule tables by as much as 60-80% when we use Security Group Tags to describe protected assets. That alone may be helpful, but further simplification benefits arise from looking at the actual policies themselves and how platforms such as the Cisco Adaptive Security Appliance (ASA) can use these security groups.

  • Security policies defined for the ASA can now be written in terms of application server roles, categories of BYOD endpoints, or the business roles of users, becoming much easier to understand.
  • When virtual workloads are added to an existing security group, we may not need any rule changes to be applied to get access to those workloads.
  • When workloads move, even if IP addresses change, the ASA will not require a rule change if the role is being determined by a Security Group Tag.
  • Logs can now indicate the roles of the systems involved, to simplify analysis and troubleshooting.
  • Decisions to apply additional security services, such as IPS or Cloud Web Security, to flows can now be made based on the Security Group Tags.
  • Rules written using group tags instead of IP addresses also may have much less scope for misconfiguration.

In terms of incident response and analysis, customers are also finding value in the ability to administratively change the Security Group Tag assigned to specific hosts, in order to invoke additional security analysis or processing in the network.
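To make the mechanics concrete, here is an added example, written for this page and not Cisco's own code, that models the two kinds of rule base side by side: one keyed on IP addresses, one keyed on group tags with a separate membership table. The tag names, addresses, ports and the "inspect" action (permit, but divert through IPS) are all constructed for illustration; real SGT assignment and propagation is done by ISE and the network, not by a Python dictionary. The scenario walks through a server move, a rule-count comparison, and the incident-response trick of re-tagging a host into a quarantine group.

```python
"""Toy policy engine contrasting IP-based rules with Security Group Tag rules.

Added example for illustration only; all hosts, tags, rules and actions are
constructed and are not taken from any real ASA or ISE configuration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass
class IpPolicy:
    """Classic rule base: every rule names concrete addresses."""
    rules: list = field(default_factory=list)  # (src_ip, dst_ip, proto, port, action)

    def permit(self, src_ip, dst_ip, proto, port):
        self.rules.append((src_ip, dst_ip, proto, port, "permit"))

    def evaluate(self, flow):
        for src, dst, proto, port, action in self.rules:  # first match wins
            if (src, dst, proto, port) == (flow.src_ip, flow.dst_ip, flow.proto, flow.dst_port):
                return action
        return "deny"  # implicit deny at the end of the list


@dataclass
class SgtPolicy:
    """Rule base expressed over group tags; only the membership table tracks addresses."""
    rules: list = field(default_factory=list)        # (src_tag, dst_tag, proto, port, action)
    membership: dict = field(default_factory=dict)   # ip -> tag name (hypothetical, pushed by ISE in reality)

    def assign(self, ip, tag):
        self.membership[ip] = tag

    def add_rule(self, src_tag, dst_tag, proto, port, action):
        self.rules.append((src_tag, dst_tag, proto, port, action))

    def evaluate(self, flow):
        """Return (action, log line). The log names roles, not just addresses."""
        src_tag = self.membership.get(flow.src_ip, "Unknown")
        dst_tag = self.membership.get(flow.dst_ip, "Unknown")
        action = "deny"
        for s, d, proto, port, act in self.rules:
            if (s, d, proto, port) == (src_tag, dst_tag, flow.proto, flow.dst_port):
                action = act
                break
        log = f"{action} {src_tag}->{dst_tag} {flow.proto}/{flow.dst_port} {flow.src_ip}->{flow.dst_ip}"
        return action, log


def run_scenario():
    """Web tier talking to DB tier on tcp/1433; then a DB server moves; then a web host is quarantined."""
    web = ["10.1.1.11", "10.1.1.12", "10.1.1.13"]   # constructed addresses
    db = ["10.1.2.5", "10.1.2.6"]

    # IP policy needs one rule per (web, db) pair.
    ip_pol = IpPolicy()
    for w in web:
        for d in db:
            ip_pol.permit(w, d, "tcp", 1433)

    # SGT policy needs one rule; addresses live in the membership table.
    sgt_pol = SgtPolicy()
    for w in web:
        sgt_pol.assign(w, "Web_Servers")
    for d in db:
        sgt_pol.assign(d, "DB_Servers")
    sgt_pol.add_rule("Web_Servers", "DB_Servers", "tcp", 1433, "permit")
    # Quarantined hosts keep working but their traffic is diverted through IPS (hypothetical action).
    sgt_pol.add_rule("Quarantine", "DB_Servers", "tcp", 1433, "inspect")

    f1 = Flow("10.1.1.11", "10.1.2.5", "tcp", 1433)
    before_move = (ip_pol.evaluate(f1), sgt_pol.evaluate(f1)[0])

    # A DB workload is re-provisioned with a new address: membership changes, the rules do not.
    new_ip = "10.2.9.7"
    del sgt_pol.membership["10.1.2.5"]
    sgt_pol.assign(new_ip, "DB_Servers")
    f2 = Flow("10.1.1.11", new_ip, "tcp", 1433)
    after_move = (ip_pol.evaluate(f2), sgt_pol.evaluate(f2)[0])  # IP rules are now stale

    # Incident response: re-tag the suspicious web host; no rule edit needed.
    sgt_pol.assign("10.1.1.11", "Quarantine")
    q_action, q_log = sgt_pol.evaluate(f2)

    return {
        "ip_rules": len(ip_pol.rules),
        "sgt_rules": len(sgt_pol.rules),
        "before_move": before_move,
        "after_move": after_move,
        "quarantine_action": q_action,
        "quarantine_log": q_log,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The rule-count line is the point of the 60-80% figure above: the IP rule base grows with the product of the tier sizes, the group rule base does not grow at all when a tier gains a member. The `after_move` result is the "no rule change on workload move" property, and the quarantine step shows why retagging a host is a useful response action: the firewall's behaviour and its log line both change without anyone touching the rule table.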

By removing the need for complex rule changes to be made when server moves take place or network changes occur, we are hoping that customers can save time and effort and more effectively meet their compliance goals.

For more information please refer to www.cisco.com/go/trustsec.

Follow @CiscoSecurity on Twitter for more security news and announcements.
