Digitization Compels a Fresh Approach to Network Security
We know that organizations today must digitize to thrive, with the CIO and IT teams at the helm of the transformational journey. Why does this matter? Because businesses must find ways to deliver more modern business operations as well as satisfying customer and workplace experiences or quickly fall behind their digitized competitors.
This digital transformation needs technology platforms made for digital business to bring out new applications faster, make IT quicker and simpler – and of course do all of this securely.
For this reason, Cisco used its networking and security experience as the network’s original architect to create the Digital Network Architecture or DNA. Organizations on the road to digitization will use DNA to spark key technology trends like mobility, IoT, the cloud, and analytics to innovate faster, reduce costs and complexity, lower risk, and increase security.
How does DNA address security? It uses the network itself – the routers, switches, wireless infrastructure and next-generation firewalls – to continuously detect and stop threats faster (in minutes, not days).
To successfully address the growing threats and increased risks digitization brings with it, the traditional perimeter security approach must be complemented. Security products on the network perimeter cannot see and control every bit of activity on your network. And now with the fast growth in mobile devices (over 500 billion will be active by 2030) and also new IoT endpoints hitting the network like a freight train, there are more ‘things’ in more places you need to segment, watch and control.
Enter DNA. Now you can augment your next-generation perimeter security by using the network as a sensor and as an enforcer that can see and control every network action of every endpoint.
The network as a sensor and enforcer is an example of Cisco using the digital network to automate security by bringing together the network with Identity Services Engine (ISE), Stealthwatch (formerly Lancope StealthWatch) and TrustSec software-defined segmentation so that they work in concert. We can identify suspicious flows on the network, understand which user and device they belong to, and automatically enforce a security policy in the network to contain an infected device.
Let’s look at this in a bit more detail.
With the network as a sensor, every communication passes through a network device like a Catalyst switch or ISR router, and that device generates NetFlow records describing the traffic. NetFlow can be harvested from your network devices – and now from the cloud – and analyzed by StealthWatch. When anything is misbehaving – a laptop or a lightbulb – you’ll see it. Add the context from ISE (Identity Services Engine) and you’ll know who it is, what it is, and where it is.
The security in DNA does not stop there. The network as an enforcer enables containment of anything misbehaving on the network. Since everything passes through a network device, it’s the perfect place to put a stop to threats. First of all, DNA won’t let an endpoint on the network if it doesn’t authenticate or prove it’s within policy. Then, using the TrustSec software-defined segmentation technology (built into the Cisco network in over 45 Cisco product families and managed by ISE), you can move the offending endpoints to a safe zone to watch them, fix them, or get them the heck off your network. Plus it’s easy to group users and endpoints together – administrators, students, guests, BYOD, servers, printers, executives, video surveillance, HVAC control systems, PCI, smart lighting (you get the idea) – and put each group into a software-defined zone (network segment) to enforce that group’s policies.
There’s more: you can use StealthWatch and the NetFlow data to verify that your segmentation policies are actually working – any flow that crosses a segment boundary the policy forbids shows up in the flow records.
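As an added illustration (my own toy code, not Cisco’s, and not how ISE, StealthWatch or TrustSec are actually implemented), here is a small Python model of that sensor-to-enforcer loop: constructed NetFlow-style records are checked against a group-to-group segmentation policy, each violating flow is tied to a constructed identity record, the offending endpoint is moved to a quarantine group, and rerunning the same check over later flows is the “are my policies working?” step. All IPs, names, groups and flows are made up.

```python
from collections import defaultdict

# Constructed identity context (stands in for what ISE would supply): IP -> (endpoint, group)
CONTEXT = {
    "10.1.1.20": ("lobby-lightbulb-3", "smart_lighting"),
    "10.1.1.21": ("lobby-lightbulb-4", "smart_lighting"),
    "10.2.0.5": ("hvac-controller-1", "hvac"),
    "10.9.0.10": ("db-server-1", "server"),
    "10.9.0.11": ("lighting-controller", "lighting_mgmt"),
}

# Constructed segmentation policy: allowed (source group, destination group) pairs.
# Anything not listed is a violation; the quarantine group is deliberately absent.
POLICY = {("smart_lighting", "lighting_mgmt"), ("hvac", "hvac")}

# Constructed NetFlow-style records: (src IP, dst IP, dst port, bytes)
FLOWS = [
    ("10.1.1.20", "10.9.0.11", 8883, 1200),   # lightbulb -> its controller: allowed
    ("10.1.1.21", "10.9.0.11", 8883, 900),    # allowed
    ("10.1.1.21", "10.9.0.10", 1433, 48000),  # lightbulb -> database server: violation
    ("10.1.1.21", "10.2.0.5", 502, 300),      # lightbulb -> HVAC controller: violation
]

def group_of(ip, context=CONTEXT):
    return context.get(ip, (ip, "unknown"))[1]

def find_violations(flows, policy=POLICY, context=CONTEXT):
    """Sensor step: return {src IP: [(dst, port, bytes), ...]} for flows the policy forbids."""
    bad = defaultdict(list)
    for src, dst, port, nbytes in flows:
        if (group_of(src, context), group_of(dst, context)) not in policy:
            bad[src].append((dst, port, nbytes))
    return dict(bad)

def quarantine_decisions(violations, context=CONTEXT, quarantine_group="quarantine"):
    """Attach identity context to each offending endpoint and decide its new segment."""
    return [{"ip": ip, "endpoint": context.get(ip, (ip, "unknown"))[0],
             "from_group": group_of(ip, context), "to_group": quarantine_group,
             "evidence": flows} for ip, flows in sorted(violations.items())]

def apply_quarantine(decisions, context=CONTEXT):
    """Enforcer step (simulated): re-tag the endpoint so every later flow is re-evaluated."""
    for d in decisions:
        context[d["ip"]] = (d["endpoint"], d["to_group"])
    return context

def policy_holds(flows, policy=POLICY, context=CONTEXT):
    """Verification step: no forbidden flow appears in the observed records."""
    return not find_violations(flows, policy, context)
```

Run `find_violations(FLOWS)` to see the lightbulb flagged for its SQL Server and Modbus flows; after `apply_quarantine`, its group is `quarantine`, which no policy entry allows, so anything it still sends keeps being flagged until it is fixed or removed.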
Will you still need security at the perimeter? Yes – there is incredible value in today’s next-generation firewalls, which bring together multiple threat-focused technologies to stop the thousands of threats that endlessly pound your network. The fully integrated Cisco Next-Generation Firewall (with NGIPS, advanced malware protection, sandboxing and advanced analytics) is a powerful ally to network security that can both see (sensor) and stop (enforcer) bad things. There’s a lot more to security, but that’s all I’m covering in this blog.
To learn more about Cisco DNA, check out Rob Soderbery’s blog and video.