One of my passions is around PCI compliance. I know that sounds oxymoronic. How can someone actually be passionate about something as dry as compliance? Well, for the sake of argument, I prefer delusional rationalization. I think of myself as Batman! I don’t have his intelligence, money, car, or cape (well, I do have the cape, but that is another story), but I DO want to fight injustice where I can. I do think that there are bad guys out there trying to steal my family’s hard earned money. PCI compliance is the leading method for securing the world’s payment systems. The bad guys are real, security is getting harder, and I want to fight on the side of good.
The problem with fighting crime with compliance is that it can be so complex. The general strategy to minimize the complexity of PCI compliance is to use segmentation. Segmentation typically involves putting credit card applications and devices onto their own network and using traditional firewalls to secure the perimeter. Although effective, this method brings about its own management headaches. Firewall rulesets can become tedious and complex. Readdressing an entire enterprise with the sole driver of compliance is Herculean. Over time, if not properly managed and sustained, this method can lead to bloat, misconfiguration, or worse, a breach.
Tags: ISE, PCI Compliance, TrustSec
Yes, really. I just got back from Cisco Live! Milan where Chris Young, Senior VP at Cisco, spoke to the Cisco security story, Intelligent Cybersecurity for the Real World. The Cisco security strategy addresses many security challenges across a range of attack vectors (network, endpoint, mobile devices, cloud, or virtual). It covers the entire attack continuum with point-in-time solutions and dynamic analysis of real-time security intelligence. This reduces the security gaps and minimizes the complexity. Not many network providers or pure security players can make this claim. Ask your secure access provider: how do you address access across this broad range of threat vectors? And when a threat comes in, how do you manage it?
Tags: Cisco ISE, Cisco Live Milan, Cisco Unified Access, Mobile Device Management, secure access, TrustSec
Bruce Schneier, the security technologist and author famously said, “Complexity is the worst enemy of security.”
We have been working with some customers who agree strongly with this sentiment because they have been struggling with increasing complexity in their access control lists and firewall rules.
Typical indicators of operational complexity have been:
- The time that it can take for some organizations to update rules to allow access to new services or applications, because of the risks of misconfiguring rules. For some customers, the number of hours spent defining and actually configuring changes may be the issue; for other customers, the biggest issue may be the number of days that it takes to work through change control processes before a new application is actually in production.
- The number of people who may need to be involved in rule changes when there are high volumes of trouble tickets requiring rule changes.
Virtualization tends to result in larger numbers of application servers being defined in rule sets. In addition, we are seeing that some customers need to define new policies to distinguish between BYOD and managed endpoint users as part of their data center access controls. At the same time, in many environments, it is rare to find that rules are efficiently removed because administrators find it difficult to ascertain that those rules are no longer required. The end result is that rule tables only increase in size.
TrustSec is a solution developed within Cisco, which describes assets and resources on the network by higher-layer business identifiers, which we refer to as Security Group Tags, instead of describing assets by IP addresses and subnets.
Those of us working at Cisco on our TrustSec technology have been looking at two particular aspects of how this technology may help remove complexity in security operations:
- Using logical groupings to define protected assets like servers in order to simplify rule bases and make them more manageable.
- Dynamically updating membership of these logical groups to avoid rule changes being required when assets move or new virtual workloads are provisioned.
While originally conceived as a method to provide role-based access control for user devices or accelerate access control list processing, the technology is proving of much broader benefit, not least for simplifying firewall rule sets.
For example, this is how we can use Security Group Tags to define access policies in our ASA platforms:
Being able to describe systems by their business role, instead of where they are on the network, means that servers as well as users can move around the network but still retain the same privileges.
In typical rule sets that we have analyzed, we discovered that we can reduce the size of rule tables by as much as 60-80% when we use Security Group Tags to describe protected assets. That alone may be helpful, but further simplification benefits arise from looking at the actual policies themselves and how platforms such as the Cisco Adaptive Security Appliance (ASA) can use these security groups.
- Security policies defined for the ASA can now be written in terms of application server roles, categories of BYOD endpoints, or the business roles of users, becoming much easier to understand.
- When virtual workloads are added to an existing security group, we may not need any rule changes to be applied to get access to those workloads.
- When workloads move, even if IP addresses change, the ASA will not require a rule change if the role is being determined by a Security Group Tag.
- Logs can now indicate the roles of the systems involved, to simplify analysis and troubleshooting.
- Decisions to apply additional security services like IPS or Cloud Web Security services to flows can now be made based upon the security group tags.
- Rules written using group tags instead of IP addresses may also have much less scope for misconfiguration.
In terms of incident response and analysis, customers are also finding value in the ability to administratively change the Security Group Tag assigned to specific hosts, in order to invoke additional security analysis or processing in the network.
By removing the need for complex rule changes to be made when server moves take place or network changes occur, we are hoping that customers can save time and effort and more effectively meet their compliance goals.
For more information please refer to www.cisco.com/go/trustsec.
Follow @CiscoSecurity on Twitter for more security news and announcements.
Tags: ASA, byod, security, Security Group tags, TrustSec
Why do so many organizations maintain essentially open, “flat” networks, leaving thousands of users and devices with network-layer reach to their “crown jewels”? Especially in light of what we know about data breaches, theft, and loss? One possibility may be that some organizations simply grew too quickly, and the tools in the tool chest to implement network segmentation were onerous. Other tools or point products were deployed, making it easy to say “we have Identity and Access Management Systems for that.”
But this argument falls flat in the face of a massively-increased attack surface. How did organizations become so vulnerable? Easy – the combination of enterprise mobility trends, the exponential proliferation of devices, and the dramatic increase in workloads made possible by virtualized data centers. Combine that with advanced threats – the notion that with just one social engineering attack, an adversary can quickly move across systems until he finds valuable information – and organizations quickly start to realize that network segmentation and restricting network reach are more than just “nice-to-have,” but rather, an imperative.
Limiting who and what have network-layer reach to sensitive resources to those that truly have a need to know makes a lot of sense. The trouble has been that traditional methods of implementing network segmentation and network access control are generally cumbersome and entirely dependent on how the network is architected. Need to change or maintain the policy? You may be in for major network changes and massive resource hours, whether to redesign VLANs and IP-based ACLs, or simply to rewrite thousands upon thousands of firewall rules (in many locations). Ouch.
Fortunately, there’s a readily available technology to apply secure access policy independent of network topology. If you can (1) classify the users and devices that access resources, (2) classify the resources themselves, and (3) specify the access permissions between these classifications, then Cisco TrustSec can enforce that policy within the network – it’s that simple.
Take a look at the example above. Here, we show a simple policy that specifies how different classes of users can access various resources in the data center. Changing this policy by changing a permission or adding a new class of users or resources is really straightforward and easy to understand. There’s no need to redesign VLANs, carve up the IP address space and (re)subnet the network, and/or rewrite IP-based ACLs or firewall rules.
To learn how TrustSec can help protect your organization’s crown jewels by limiting the reach of who and what has access to sensitive resources, check out www.cisco.com/go/trustsec.
Follow @CiscoSecurity on Twitter for more security news and announcements, and, if you’re in Milan, Italy, during the last week of January, come visit us at Cisco Live! Milan! We’d love to see you!
Tags: security, TrustSec
With encouragement from customers, Cisco has submitted the TrustSec protocol that we use to exchange role and context information between network devices to the IETF. Chris Young, Senior Vice President of Cisco Security, shared the news during his keynote address at Cisco Live! Milan.
The Source-group tag eXchange Protocol (SXP) has been submitted to the IETF as an informational draft, in order to open up TrustSec capabilities to other vendors. In our experience, defining access controls and segmentation functions using logical policy groups, instead of IP addresses and subnets, removes operational complexity for customers. When we authorize a user device or a server as a member of a policy group, SXP allows us to propagate that information to devices that reuse that intelligent classification and apply security policies based upon it.
We have published SXP to enable interoperability with TrustSec functions in widely deployed Cisco products, so customers can not only simplify security policy management in diverse networking environments, but also use the classification for other purposes beyond security. For that reason, we have used the term source-group, instead of the more familiar security group designation, in the draft.
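To make the two ideas concrete, here is an added example (not Cisco's code, and not the ASA's or SXP's actual implementation) that models the three-step policy described earlier (classify users and devices, classify resources, define permissions between the classes) on top of an IP-to-group binding table of the kind SXP propagates. Group names, addresses and the policy matrix are constructed for illustration; the point it shows is that re-addressing a server changes a binding but never the policy, and how many host-pair rules the same policy would need if written by IP.

```python
"""Group-based access policy model (constructed example, not vendor code)."""
from ipaddress import ip_address

# Steps (1) and (2): IP -> policy group. In TrustSec these bindings come from
# authentication or are learned from peers via SXP; here they are constructed.
BINDINGS = {
    "10.1.0.10": "Employee", "10.1.0.11": "Employee",
    "10.2.0.20": "Contractor",
    "10.9.0.5": "PCI-Server", "10.9.0.6": "PCI-Server",
    "10.9.1.7": "Web-Server",
}

# Step (3): permissions between classes, (source group, destination group).
# Anything not listed is denied, i.e. a default-deny matrix.
POLICY = {
    ("Employee", "Web-Server"): True,
    ("Employee", "PCI-Server"): True,
    ("Contractor", "Web-Server"): True,
    ("Contractor", "PCI-Server"): False,
}

def group_of(ip, bindings=BINDINGS):
    """Look up the policy group of an address; unknown hosts get no group."""
    return bindings.get(str(ip_address(ip)), "Unknown")

def allowed(src_ip, dst_ip, bindings=BINDINGS, policy=POLICY):
    """Decide a flow by the roles of its endpoints, not by their addresses."""
    return policy.get((group_of(src_ip, bindings), group_of(dst_ip, bindings)), False)

def move_host(old_ip, new_ip, bindings=BINDINGS):
    """A workload is re-addressed: return new bindings; POLICY is untouched."""
    updated = dict(bindings)
    updated[str(ip_address(new_ip))] = updated.pop(str(ip_address(old_ip)))
    return updated

def ip_rule_count(bindings=BINDINGS, policy=POLICY):
    """Host-pair rules an IP-based ACL would need to express the same POLICY."""
    members = {}
    for ip, grp in bindings.items():
        members.setdefault(grp, []).append(ip)
    return sum(len(members.get(s, [])) * len(members.get(d, [])) for s, d in policy)

if __name__ == "__main__":
    print("group rules:", len(POLICY), "vs host-pair rules:", ip_rule_count())
    moved = move_host("10.9.0.5", "10.9.5.50")
    print("employee -> moved PCI server:", allowed("10.1.0.10", "10.9.5.50", moved))
```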
For more information please refer to http://tools.ietf.org/html/draft-smith-kandula-sxp-00
If you’re at Cisco Live! Milan this week, please do come to the Cisco campus, we will be pleased to talk more about TrustSec and show examples of TrustSec in action.
Tags: cisco live, TrustSec