In October, we announced details about Cisco PSIRT’s new and improved security vulnerability disclosure format. Our Chief Security and Trust Officer, John Stewart, also revealed that Cisco will launch an application programming interface (API) that empowers customers to customize Cisco vulnerability information and publications. Today, we have officially launched the Cisco PSIRT openVuln API and it is available for immediate use.
The Cisco PSIRT openVuln API is a RESTful API that allows customers to obtain Cisco security vulnerability information in different machine-consumable formats. It supports industrywide security standards such as the Common Vulnerability Reporting Framework (CVRF), Open Vulnerability and Assessment Language (OVAL), Common Vulnerability and Exposure (CVE) identifiers, and the Common Vulnerability Scoring System (CVSS).
This API allows technical staff and programmers to build tools that help them do their job more effectively. In this case, it enables them to easily keep up with security vulnerability information specific to their network. That frees up more time for them to manage their network and deploy new capabilities in their infrastructure.
Yesterday, Cisco announced a new software release for ACI. If you are looking to automate IT, or build out your cloud environment, and want to do so in an open fashion that provides a lot of flexibility – then you’ll probably be interested.
Why? The new ACI release:
- Makes managing and securing your cloud environment easier;
- Provides openness, expanding customer choice; and
- Delivers operational flexibility
OK, so what does this actually mean?
- Makes managing and securing your cloud environment easier
Three of the most popular cloud management tools include Microsoft Azure Pack, OpenStack and VMware vRealize. Earlier this year, we announced Windows Azure Pack ACI integration. With this new ACI release, we integrate ACI with OpenStack and vRealize, as well. (More details are here.) So this means that if you need to, say, provision a virtual workload in vCenter, ACI automagically orchestrates things to match computing resources and networking infrastructure. So, you can enjoy the policy based automation and all the other benefits of ACI regardless of which of these tools you use to manage your cloud environment.
This also means OpenStack users can now create and manage their own virtual networks, extending ACI policy directly into the hypervisor with a hardware-accelerated, fully distributed OpenStack networking solution – the only one available that integrates both physical and virtual environments.
To more easily and completely secure these environments, the new release provides micro-segmentation support for VMware VDS, the Microsoft Hyper-V virtual switch, and bare-metal endpoints. Essentially, this means more granular enforcement of security policies. These can be based on numerous criteria drawn from attributes of the network (e.g. IP address) or of the virtual machine (e.g. VM identifier, name, etc.). There are additional capabilities that can, for example, disable communication between devices within a policy group (intra-EPG isolation, for those more familiar with ACI), which is useful in thwarting lateral movement of attacks.
- Provides openness, expanding customer choice
Piggybacking off some comments above, it’s worth noting that since ACI’s inception, one of its differentiators has been the ability to integrate physical servers as well as virtual machines, and to apply policy consistently across them. Well, now there’s a new kid on the block, as the industry observes an increasingly popular trend to use containers as another way of operating applications. As part of this announcement, we are extending ACI support to include Docker containers, in addition to VMs and bare-metal servers. This is done by using Project Contiv, an open source project that provides a Docker network plugin allowing, among other things, automatic configuration of Docker hosts to integrate with ACI. Check out details in this video and/or this white paper. Network Computing commented here that:
“Given all the hubbub in the industry over Docker, ACI’s new Docker container support is noteworthy.”
Another way this new release is driving openness and providing more choice for customers is around L4-7 services. ACI now supports service insertion and chaining for any service device. So, customers can leverage their existing model of deploying and operating their L4-L7 device, while automating the network connectivity. This is in addition to, not instead of, the device package model, which provides for more comprehensive ‘soup to nuts’ automation. Speaking of which, as part of this announcement, several new partners also joined the ACI Ecosystem. This video provides some insight into how some of them automate your applications.
- Delivers operational flexibility
The new release has a number of tools that create more flexible operating environments. A quick rundown includes the multi-site app, which enables policy-driven automation across multiple datacenters, providing enhanced application mobility and disaster recovery. In short, this means you can run ACI in 2 different data centers, and extend the policy across them. Other tools provide the ability to do configuration rollback, as well as NX-OS Style CLI. This is for the CLI junkie that wants to run the entire ACI fabric as a single switch. There are some other cool nuggets in here as well, like a heat map that provides real-time visibility into system health.
Clayton Weise, Director of Cloud Services at KeyInfo, summed it up best when he said:
“ACI is the direction we’re going to go because it gives us the best flexibility.” (Read the entire Network World story here.)
In summary, this new release adds capabilities that will help you more effectively manage and secure your cloud environment, as well as leverage the benefits of both openness and operational flexibility.
Recently, I participated in the panel on Internet of Things (IoT) security as part of the Automation Perspectives media event hosted by Rockwell Automation, just prior to Automation Fair 2015 in Chicago. It is clear that the ability to deal effectively with security threats is the No. 1 make-or-break factor for IoT adoption. With this reluctance to implement IoT, companies will not benefit from the growing number of powerful IoT use cases that are emerging across all industries, which includes the digital revolution in manufacturing, where there is an identified 12.8 percent profit upside over three years for manufacturers that digitize.
IoT is now part of the very fabric of industry and the public infrastructure, including such essential services as transportation, the power grid, the water supply, and public safety. When these systems are compromised, the damage can go far beyond financial loss. Some examples in years following the Great Recession:
- 2008 – A 14-year-old Polish boy hacked a local tram system, disrupting traffic, derailing trams, and injuring 12 passengers
- 2009 – Due to a failure in the automated control system, a Washington D.C. Metrorail train struck the rear of a stopped train, resulting in death and injury
- 2014 – An overflow of wastewater at a water treatment plant was attributed to suspected unauthorized employee access
In recent years, there have also been hacks on nuclear power plants, transportation systems, and connected cars. No one wants their company to show up on the front page of the paper as a cyberattack victim. In addition to the physical impacts, attack vectors on IoT security can cause losses that are less immediately perceptible—but very real and lasting—including downtime, brand damage, breach of trust, and theft of intellectual property.
The Digital Economy is transforming the way that organizations operate. Deploying a secure, trustworthy infrastructure is no longer enough. Security must be designed into all facets of an enterprise’s network and its third-party ecosystem. At the same time, enterprises of all sizes must shrink the attack surface and foster an open, security-aware culture, internally and throughout their value chain.
Given Cisco’s commitment to being trustworthy, transparent and accountable, I have been thinking quite a bit lately about the importance of collaboration.
Partnering for improved security
Ensuring that your value chain embraces security wholeheartedly requires a commitment to collaboration. Embracing that commitment can enhance and accelerate security innovation. A true partnership that focuses on security can also create opportunities for previously unexplored operational excellence.
Shutdown. Cleanup. Restart.
This “incident response” approach to cyber security was designed primarily for enterprise networks, data centers, and consumer electronics. It comprises perimeter-based protection that uses firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) to prevent security threats.
When threats penetrate perimeter-based protections, human operators typically shut down the compromised system, clean up or replace the compromised files and devices, and then restart the system.
Next is forensic analysis. This, too, requires intensive human involvement to harden existing protection mechanisms and develop future remediation measures.
However, as we move into the next phase of the Internet—the Internet of Things (IoT)—this security paradigm won’t be adequate because of changing form factors and use cases.
To succeed, we need fog computing. This will extend cloud computing (including security) to the edge of an enterprise’s or consumer’s network. Much in the way cloud technology enabled the Internet, fog will enable an array of secure IoT possibilities.