Two weeks ago, a leading global medical device manufacturer came to Cisco for advice. In an effort to streamline IT operations and reduce operating costs, the customer had recently migrated from their internal Microsoft Exchange 2010 environment to Office365, Microsoft’s hosted online service.
The migration was initially done for the headquarter users and the feedback was more positive than they expected. However, when they migrated their branch and remote office users, the WAN bandwidth usage almost immediately spiked and user experience suffered as a result.
This customer is certainly not the only company looking to embrace Cloud applications for greater agility, reduced costs and complexity, and increased productivity. Or has had to deal with BYOD issues and the increasing impact of video has on their bandwidth. However, what our customer and those other companies have found is that the current method of backhauling the traffic to the data center is no longer a viable way to handle the increased consumption when faced with a flat or even a declining IT budget. Therefore, many of today’s distributed enterprises are looking to use direct Internet access pathways in an effort to improve the user experience while reducing IT costs.
However, enabling direct Internet access (DIA) at branch offices also forfeits the inherent threat protection that traffic routed through the data center provides. The enterprise-level risks that branch offices face with BYOD issues, compliance requirements, and advanced persistent threats require enterprise-level security. According to Gartner’s “Bring Branch Office Network Security Up to the Enterprise Standard”, “By 2016, 30% of advanced targeted threats — up from less than 5% today — will specifically target branch offices as an entry point.”
Cisco FirePOWER Threat Defense for ISR addresses these issues by extending their industry-leading FirePOWER threat protection beyond its traditional network edge and data center deployments out to individual Cisco ISR routers. Read More »
Tags: byod, Cisco FirePOWER, cloud, Direct Internet Access, ISR, IWAN, security, threat defense
Cisco Live Orlando, June 23-27, 2013, is quickly approaching and registration is open. The Security track this year includes 72 breakout sessions, 74 hours of labs and seminars, and 3 Product Solution Overview sessions, accounting for about 15 percent of all the content delivered at Cisco Live. New for this year we will have several talks aimed at the network engineer in the role of a data analyst, helping them to better utilize and understand the data that comes from their networks (BRKSEC-2001, BRKSEC-2006, BRKSEC-2011, BRKSEC-2062, BRKSEC-3031, and BRKSEC-3062).
Read More »
Tags: byod, cisco live, Cisco Live 2013 Orlando, Cisco Live US, IPv6, Network Threat Defense, security, SSL VPN, threat defense, training
Last week at the RSA Conference in San Francisco, I had the pleasure of speaking to thousands of security professionals about the opportunities and risks associated with using Software Defined Networking (SDN) for security, which will be the underlying fabric of our next generation data centers and networks. SDN-enabled security will provide a better way to secure our most valuable applications, users and data, now and in the future.
Each vendor has a different definition of how the network is changing, and there are many different terms being used, such as software defined data center and software defined storage. Cisco calls this Application Centric Networking, for example, because we are introducing programmable APIs with a focus on distributed control plane intelligence so that applications can get value directly from the network.
It’s obvious why the networking industry is embracing SDN: lower operational costs and the ability to deploy applications and network services in a quicker, more scalable manner. Cloud bursting, which is about flexible compute in the cloud, is another SDN benefit that gives us the ability for applications to interact directly with the network in ways that do not happen today. For example, applications will be able to query the network for location of users to manage Quality of Service and deliver highly targeted content.
So why should the security industry care about SDN? As the threat landscape evolves, the opportunity is to make Security a key application for SDN. We can use SDN to build a Network-based Threat Defense System. I see three key elements to this system:
Read More »
Tags: Chris Young, network security, SDN, security, software defined networking, software defined networks, threat defense
In this last part of this series I will discuss the top customer priority of visibility. Cisco offers customers the ability to gain insight into what’s happening in their network and, at the same time, maintain compliance and business operations.
But before we dive into that let’s do a recap of part two of our series on Cisco’s Secure Data Center Strategy on threat defense. In summary, Cisco understands that to prevent threats both internally and externally it’s not a permit or deny of data, but rather that data needs deeper inspection. Cisco offers two leading platforms that work with the ASA 5585-X Series Adaptive Security Appliance to protect the data center and they are the new IPS 4500 Series Sensor platform for high data rate environments and the ASA CX Context Aware Security for application control. To learn more go to part 2 here.
As customers move from the physical to virtual to cloud data centers, a challenge heard over is over is that they desire to maintain their compliance, security, and policies across these varying instantiations of their data center. In other words, they want to same controls in the physical world present in the virtual – one policy, one set of security capabilities. This will maintain compliance, overall security and ease business operations.
By offering better visibility into users, their devices, applications and access controls this not only helps with maintaining compliance but also deal with the threat defense requirements in our overall data center. Cisco’s visibility tools gives our customers the insight they need to make decisions about who gets access to what kinds of information, where segmentation is needed, what are the boundaries in your data center, whether these boundaries are physical or virtual and the ability to do the right level of policy orchestration to maintain compliance and the overall security posture. These tools have been grouped into three key areas: management and reporting, insights, and policy orchestration.
Read More »
Tags: ASA-CX, Cisco ASA, cisco firewall, Cisco Security, cisco sio, Cisco UCS, cloud, data center, data center security, DC, firewall, Identity Services Engine, intrusion prevention, IPS, ISE, it security, netflow, network security, pci-dss, policy, security, server, threat defense, TrustSec, virtual, virtualization, VMDC
In part one of our series on Cisco’s Secure Data Center Strategy, we did a deeper dive on segmentation. As a refresh, segmentation can be broke into three key areas. The first, the need to create boundaries is caused because perimeters are beginning to dissolve and many environments are no longer trusted forcing us to segment compute resources, the network and virtualized attributes and environments. Along with segmenting physical components, policies must be segmented by function, device, and organizational division. Lastly, segmenting access control around networks and resources whether they are compute, network, or applications offers a higher level of granularity and control. This includes role-based access and context based access. Ensuring policy transition across the boundaries is of primary concern. To learn more on segmentation go here.
Today we will dive deeper into Cisco’s security value-add of threat defense.
Technology trends such as cloud computing, proliferation of personal devices, and collaboration are enabling more efficient business practices, but they are also putting a strain on the data center and adding new security risks. As technology becomes more sophisticated, so are targeted attacks, and these security breaches, as a result, are far more costly. The next figure is from Information Weeks 2012 Strategic Security Survey and illustrates top security breaches over the previous year.
Read More »
Tags: Cisco ASA, cisco firewall, Cisco Security, cisco sio, Cisco UCS, cloud, data center, data center security, DC, firewall, intrusion prevention, IPS, it security, network security, pci-dss, security, server, threat defense, virtual, virtualization