Cisco Blogs


Cisco Blog > Data Center and Cloud

Securing Cloud Transformation through Cisco Domain Ten Framework v2.0

Businesses of all sizes are looking for Cloud solutions to solve some of their biggest business and technology challenges—reducing costs, creating new levels of efficiency, transform to create agile environment and facilitate innovative business models. Along with the promise of Cloud comes top concern for Security. With rise of applications, transactions and data in the Cloud, business are losing control and have less visibility on who and what is moving in and out of the business boundaries. 

Any  transformation initiative with Cloud, whether a private, hybrid or public, with early focus on security from architecture, governance, risks, threats and compliance perspective can enable the business with a compelling return on investment with a faster time to business value – regardless of geographic, industry vertical, operational diversity or regulatory needs.

Here, I would like to bring to your attention on Cisco Domain Ten framework v2.0 and my blog on What’s New in Cisco Domain Ten Framework 2.0 that is born from Cisco’s hard won experience of deploying both private, hybrid and public Cloud environments, Cisco has developed the Cisco Domain Ten framework and capabilities to help customers accelerate IT transformation.

The Cisco Domain Ten does not prescribe that customers must build each domain into their strategy – rather it provides guidance on what aspects should be considered, what impacts should be identified, and what relationships exist between domains.  Cisco Domain Ten framework 2.0, we can establish the foundation of a true IT transformation and the factors you need to consider for success. Key is to identify, establish and track strategic, operational and technological outcomes for IT transformation initiates. A major thrust of the Cisco Domain Ten is to help customers strategize for transformation vision, standardize their technology components and operational procedures, and automate their management challenges, to deliver on the potential of IT Transformation– covering Internet, Branch, Campus and Data Center environments.

Security consistently tops CIO’s list of cloud concerns. The security domain highlights identification of security and compliance requirements, along with an assessment of current vulnerabilities and deviations from security best practices for multisite, multitenant physical and virtual environments for one’s IT transformation vision.

Security should be a major consideration in any IT transformation strategy. The architecture should be designed and developed with security for applications, network, mobile devices, data, and transactions across on-premise and off-premise solutions. Moreover, security considerations for people, process, tools, and compliance needs should be assessed by experts who understand how to incorporate security and compliance safeguards into complex IT transformation initiatives.

Security is an integral part of the Cisco Domain Ten framework, applies to all ten domains, and provides guidance to customers on all security aspects that they needs. Our Senior Architect from Security Practice – Ahmed Abro articulates well in Figure – 1 Cisco Domain Ten Framework with Security Overlay that there are security considerations for all ten domains for Cloud solutions.

 d10secoverlay

Figure – 1 Cisco Domain Ten with Security Overlay

Now that we understand how Cisco’s Domain Ten Overlay approach that helps one to discuss security for each domain of Cisco Domain Ten Framework, let’s now talk about the how Cisco Domain Ten aligns with Cloud Security Alliance’s (CSA) Cloud Control Matrix to discuss the completeness and depth of the approach.

CSA Cloud Control Matrix Alignment with Cisco Domain Ten

Application & Interface Security

  • D-8 – Application

Audit Assurance & Compliance

  • D-10 – Organization, Governance, processes

Business Continuity Mgmt & Op Resilience

  • D10 – Organization, Governance, processes

Change Control & Configuration Management

  • D10 – Organization, Governance, processes and
  • D-3 – Automation

Data Security & Information Lifecycle Mgmt

  • D-9 – Security and Compliance

Datacenter Security Encryption & Key Management

  • D-9 – Security and Compliance and
  • D-1 – Infrastructure

Governance & Risk Management

  • D10 – Organization, Governance, processes

Human Resources Security

  • D10 – Organization, Governance, processes

Identity & Access Management

  • D-4 -- Customer Interface

Infrastructure & Virtualization

  • D-1 – Infrastructure and Environment and
  • D-2 – Abstraction and Virtualization

Interoperability & Portability

  • D-7 – Platform and
  • D-8 – Application

Mobile Security

  • D-8 – Application and
  • D-1 – Infrastructure and Environment

Sec. Incident Mgmt , E-Disc & Cloud Forensics

  • D-9 – Security and Compliance and
  • D10 – Organization, Governance, processes

Supply Chain Mgmt, Transparency & Accountability

  • D10 – Organization, Governance, processes
Threat & Vulnerability Management
  • D-9 – Security and Compliance

 Table – 1 CSA Cloud Control Matrix Alignment

with Cisco Domain Ten Framework

From above table, one can see that Cloud Security Alliance Cloud Control Matrix and Cisco Domain Ten aligns well and it also highlights key facts that many areas such as Mobile security requires one to focus on Application and Infrastructure (network, virtual servers), etc to address security needs. One should also note that Cisco Domain Ten’s focus on Catalog (Domain 5) & Financials (Domain 6) that highlights security specific SLA and assurance discussions for security controls.

Now that that we discussed, Cisco Domain Ten approach for Security, In the next blog, I would try to discuss how Cisco Service’s focus on the strategy, structure, people, process, and system requirements for Security can help business address an increasingly hostile threat environment and help successful migration to Secure Cloud based transformation. We will also discuss current questions in business asks or should ask to understand security and privacy in the vendor’s agreements.

 

Tags: , , , , , , , , , , , , , , , , , , , , , ,

Trusting the Cloud

In the past couple of years, cloud-based solutions have gone from the status of a brave new technology to a mainstream vehicle for delivering storage, application, infrastructure and other services. From a security point of view, consuming cloud-based services usually involves delegating security for the service to the service provider. This does not need to be as scary as it sounds – as long as you approach the service engagement with your eyes open, and arm yourself with pertinent requirements for the service provider to provide appropriate controls to protect your organization.

Read More »

Tags: , ,

Coordinated Attacks Against the U.S. Government and Banking Infrastructure

Prologue

On April 10, 2013, a collective of politically motivated hacktivists announced a round of planned attacks called #OPUSA. These attacks, slated to begin May 7, 2013, are to be launched against U.S.-based targets. #OPUSA is a follow-up to #OPISRAEL, which were a series of attacks carried out on April 7 against Israeli-based targets. Our goal here is to summarize and inform readers of resources, recommendations, network mitigations, and best practices that are available to prevent, mitigate, respond to, or dilute the effectiveness of these attacks. This blog was a collaborative effort between myself, Kevin TimmJoseph KarpenkoPanos Kampanakis, and the Cisco TRAC team.

Analysis

If the attackers follow the same patterns as previously witnessed during the #OPISRAEL attacks, then targets can expect a mixture of attacks. Major components of previous attacks consisted of denial of service attacks and web application exploits, ranging from advanced ad-hoc attempts to simple website defacements. In the past, attackers used such tools as LOICHOIC, and Slowloris.

Publicly announced attacks of this nature can have highly volatile credibility. In some cases, the announcements exist only for the purpose of gaining notoriety. In other cases, they are enhanced by increased publicity. Given the lack of specific details about participation or capabilities, the exact severity of the attack can’t be known until it (possibly) happens. Read More »

Tags: , , , , , , , , , , , , , , , , , , ,

Judge for yourself: Taking Dell to task on “holistic” security claims

In case you missed it, Network World’s Ellen Messmer published a rather surprising article on how Dell was going to “trump” Cisco in the information security market as a result of some recent acquisitions. Now certainly Dell is entitled to their beliefs. They’re in a difficult position right now, as Michael Dell and Silver Lake maneuver the company through a very complex set of buy-out related transactions. They need to give their customers assurance that they won’t be distracted through this process. And if you want to set a big impression with your customers, you might as well go after the market leader in security.  Be it as it may, we can’t just sit back and let these blatant statements go unchecked. So, in the spirit of “fair and balanced” reporting, we thought we’d issue our own little fact check and let you conclude for yourself.

  • “Cisco is a great competitor but they don’t have our holistic view” – Acquiring assets and bundling them together doesn’t constitute a “holistic” approach.  Those assets must be closely integrated, which is the approach Cisco is delivering with its next generation security architecture. This architecture will be built on top of a multi-function security platform with deep network integration. There are many proof points today that demonstrate we are delivering against this strategy and architecture. Today our customers are deploying Cloud Web Security with their Cisco ISR G2 and ASA Next Generation Firewall through connectors built from Cloud Web Security. In addition we’ve brought market leading application, visibility and control to ASA, embedded deep in the firewall.  But it doesn’t stop here.
  • Now what about Dell’s comment that Cisco “doesn’t have an identity business“?  Cisco’s Identity Services Engine provides the backbone of Cisco’s secure Unified Access solution. The real network security action is in delivering access privileges based on more than just user identity and group which is all Dell can do today with Quest. In the BYOD world customers also require action based on the type of device, posture of the device, and location. Cisco’s Identity Services Engine is the industry leading platform to deliver context based policy controls and then leveraging the network for distributed enforcement consistently across wired, wireless, and VPN access. This is a game-changer for the enterprise and our next generation end-to-end security architecture. Enterprises can now implement context-based policy from the access layer through the data center switching fabric without using brittle and costly network segmentation methods tied to VLANs and ACLs. This is real synergy, and it is delivering a holistic solution as opposed to a holistic press sound bite.  But don’t just take our word for it; check out Gartner’s latest Magic Quadrant for NAC.  Cisco’s ISE combines identity, device, and network with a market leading platform deployed in over 3000 customers.
  • Just weeks ago we announced another key milestone with the introduction of ISE 1.2.  With this latest release we also became the first vendor in the industry to offer automated profiling feeds making us better and faster at identifying new devices and operating systems.  We’ve increased the speed and scalability of ISE to address the increasing demands brought on by the “Internet of Everything”.  And we’ve added a new set of partner APIs enabling integration into key MDM partners – SAP, AirWatch, Citrix, Mobile Iron and Good.  This expands the reach of ISE and enables customers to drive common context and identity management from the network all the way to the end point.  Dell talk’s about their direction to advance the “concept” of embedded security to virtually any type of device.  We’re not just talking about it, we’re doing it. Read More »

Tags: , , , , , , , , , , , , , , , , , ,

Addressing Government Cloud Security Challenges – AFCEA Cyberspace Symposium

Boutelle Press Photo[1]Guest post from Steve Boutelle, VP, Business Development, Global Government Solutions, Cisco.

Cybersecurity and innovative IT solutions play a central role in the National Defense Authorization Act (NDAA) for the 2013 fiscal year, highlighting the military’s increasing reliance on IT. In order to address new and evolving threats today and into the future, the DOD is challenged to develop a strategy to acquire next-generation host-based cyber-security tools and capabilities that go beyond current anti-malware and signature-based threat detection.

Government information systems today are more sophisticated and globally integrated than ever before, and attacks are growing in frequency and complexity. The challenge of data protection is constantly increasing in scope. While government organizations have always needed to secure confidential information, changes in information technology models have introduced new stakeholders, new threats and new regulations. As a result, government organizations need to think beyond the traditional models of securing the perimeter and locking down specific segments of IT infrastructure. For example, the risks of unauthorized access to data in the cloud can be mitigated through the use of next generation technologies.

This year’s AFCEA CYBERSPACE Symposium is themed, “Cyber -- The New Center of Gravity.” The event serves as a key opportunity for interaction between industry and government to explore this new domain that has become the center stage of national defense.

At the event, I will be moderating a panel, “Securing the Cloud,” featuring Bret Hartman, CTO, Security Office, Cisco and leaders from Lockheed Martin, ThreatMetrix and Terremark. The panel session will explore current and future technologies for addressing government concerns about new threats targeting the cloud.

By ensuring the integrity, confidentiality, and availability of critical information that flows through today’s cloud-based infrastructures, new and emerging technologies enable government organizations to reduce risk, demonstrate compliance, enhance agility and pursue strategic goals with greater confidence. This panel will be an opportunity for attendees to learn more about a wide variety of current and future technologies that address cloud security challenges.

More information about AFCEA Cyberspace Symposium and the panel is available here: http://www.afceacyberspace.com/

Tags: , , , , , , ,