Cisco Blogs

A Global Cybergovernance Framework: The Real Infrastructure Needed to Support a More Secure Internet

As part of a broader “Cybersecurity Call to Action” outlined in the Cisco 2015 Midyear Security Report, Cisco has called for the development of a cohesive, multi-stakeholder, global cybergovernance framework. Investing in the development of such a framework is essential to supporting innovation and economic growth in business on the global stage.

While there is increasing awareness that managing cyber risk is essential to the operation of any networked system, current mechanisms are not effective at protecting businesses from cyberattacks. The lack of effective global cybergovernance can prevent collaboration across the security industry, which is needed to create adaptive technologies that can detect and prevent new threats.

Without question, the Internet is only becoming more essential to organizations around the globe. They rely on it not only for everyday operations, but also for supporting new business models that provide them competitive advantage and benefit consumers. Adversaries, meanwhile, are deploying tactics that can undermine the success of any business operating in the digital economy. The Cisco 2015 Midyear Security Report makes clear that threat actors are only becoming more adept at innovating rapidly and enhancing their capacity to compromise systems and evade detection.

Enabling Retail Business Innovation With Threat-Centric Security

Last year was one of the biggest years for retail data breaches, with credit card data from well over 106 million shoppers stolen from two of America’s largest retailers alone. The attacks shook consumer confidence, eroded brand loyalty, and cost the industry millions of dollars.

Even though the retail and security industries have been talking about compliance and security for more than a decade, breaches continue. And while research shows that compliance with PCI DSS has improved in recent years, it also shows that staying in compliance, as demonstrated by passing interim assessments, is another matter. Furthermore, compliance doesn’t always equal security, as it tends to focus on blocking attacks at the perimeter. Stopping attacks in the first place certainly is important, but it isn’t sufficient in an era when attackers are innovating at a pace we’ve never faced before.

Compounding the challenge is that retailers are in the midst of game-changing trends that can make or break them: creating a hyper-relevant experience for shoppers, adopting mobile Point-of-Sale (mPOS) systems, and realizing security is now a driver for consumers’ trust. Retailers who create successful strategies to innovate and embrace these trends will retain and gain more customers. But it requires a fresh approach to security.

So how should you look at and think about security differently?

Read my blog here to learn more about how to create a hyper-relevant experience for shoppers at a time when security has become a driver for consumers’ trust. To dig deeper into the elements of a threat-centric approach to security, be sure to also read our new white paper, Enabling Retail Business Innovation with Threat-Centric Security.

Demo: Experience Cisco Cloud Consumption

Cloud sprawl is a BIG challenge. Large companies use 730 individual cloud services – a number which has grown a staggering 21% in just six months. If you don’t know by now what your organization is using, you need to!

At Cisco Live US 2015, Haley Gallant of the Cisco Cloud Consumption practice did a masterful job demonstrating all the features of our Cloud Consumption software.

In just three minutes, you can learn how Cloud Consumption Services can help you discover and monitor your cloud service usage, identify cloud usage anomalies, and understand the risks of cloud.

Take a look and learn more about how Cloud Consumption can help you manage cloud sprawl!

Questions about the demo? Let me know on Twitter or LinkedIn.


Micro-segmentation: Enhancing Security and Operational Simplicity with Cisco ACI

(This blog has been developed in association with Praveen Jain, VP, Engineering of Cisco’s Application Policy Infrastructure Controller; Juan Lage, Principal Engineer; and others.)

Security is top of mind in today’s data center and cloud deployments, and security architectures have continued to evolve even as new threats manifest themselves in the digital world. Today’s security administrator requires a variety of “tools” to deal with sophisticated attacks. One such tool is the ability to segment the network.

Traditionally, network administrators have allocated subnets to different applications and mapped them to VLANs as a means of providing network segmentation, partitioning and isolating domains. This classic approach was relatively easy to implement and facilitated policy definition using Access Control Lists (ACLs) between subnets at the L3 boundary, usually the first-hop router or perhaps a physical firewall.

However, this approach led to the undesired coupling of IP subnets to applications. Over time, it also led to an explosion of ACLs when subnet-based policies were not sufficient (for instance, by requiring ACLs that match on specific IP addresses). This in turn made it difficult to garbage-collect ACL entries when applications were decommissioned, compounding the ACL management problem.

So, while the broad constructs of segmentation are still relevant, today’s application and security requirements mandate increasingly granular methods that are more secure and operationally simpler.

This has led to the evolution of what we call “micro-segmentation”. Broadly, the goals of micro-segmentation are as follows:

  • Programmatically define segments on an increasingly granular basis, allowing greater flexibility (e.g. to limit lateral movement of a threat or to quarantine a compromised endpoint within a broader system)
  • Leverage programmability to automate segment and policy management across the entire application lifecycle (instantiation through decommissioning)
  • Enhance security and scale by enabling a Zero-Trust approach for heterogeneous workloads

Micro-segmentation with Cisco’s Application Centric Infrastructure

Cisco’s Application Centric Infrastructure (ACI) takes a very elegant approach to micro-segmentation, with policy definition separating segments from the broadcast domain. It uses a new application-aware construct called an End-Point Group (or EPG) that allows application designers to define the group of endpoints that belong to the EPG regardless of their IP address or the subnet they belong to. Further, the endpoint can be a physical server, a virtual machine, a Linux container or even a legacy mainframe; i.e. the type of endpoint is normalized and therefore irrelevant, offering great simplicity and flexibility in how endpoints are treated.

ACI still preserves the traditional segment, now called a Bridge Domain (or BD). IP subnets can still be assigned to Bridge Domains. This preserves existing operational models where required, allowing for the creation of a Bridge Domain with a single EPG, which maps to the concept of a traditional VLAN.

The ACI architecture takes this even further. Multiple EPGs can belong to the same Bridge Domain, and EPGs can be provisioned programmatically (in fact, just like everything else within ACI) via an open API made available through Cisco’s Application Policy Infrastructure Controller (APIC). Simply put, the EPGs in the ACI architecture are “micro-segments” of a Bridge Domain.

The figure below illustrates this approach:

[Figure: Micro-segmentation-1]