Affirming Trustworthiness of Critical Infrastructure
The network is critical infrastructure for Service Providers. In previous blogs we talked about Cisco’s trustworthy technologies and software innovations in Cisco IOS XR that elevate the trust posture of the Cisco routers. It is imperative to establish a strong infrastructure foundation that preserves integrity and reinforces trust. In this blog, I will focus on how you can cryptographically gather evidence to affirm trustworthiness of your trusted network.
Earlier this year, at Mobile World Congress (MWC) in Barcelona, Cisco announced Crosswork Trust Insights as a cloud-based SaaS offer that reports on the integrity of devices and provides advanced forensics for assured inventory. The visibility helps to maintain confidence in your trusted network infrastructure, and track potential concerns such as:
- Is my hardware authentic?
- Am I running the expected software?
- Are the firmware and OS verified to be genuine?
- Was there an unexpected software or hardware change?
Cisco is committed to continually enhance the security and resilience of its networking solutions. Delivering highly trusted and secure platforms involves relentless effort across technology innovations, rigorous certifications, best-in-class manufacturing and software development processes.
Building and maintaining trust demands reliable and verifiable reporting on device state. There is no feature on the device that can tell you whether it is trustworthy. Instead, you must gather evidence: a broad set of integrity measurements related to hardware, firmware and software (Figure 1). It begins in the hardware as the evidence needs to be cryptographically anchored to hardware-level root of trust. Such evidence need to be collected and verifiable, not just at the boot time, but also at runtime and retrospectively for ongoing affirmation of trust. The crucial component of such a solution is the visualization and reporting of evidence that can enable today’s service providers to track the trust posture of their network infrastructure components. Such a solution must have the following attributes:
- Cryptographically secured collection, evaluation and storage of evidence
- Automated feed of up-to-date fingerprints derived from manufacturing and software build processes to affirm hardware and software integrity
- Authoritative history of changes to the device state to establish traceability for forensic analysis. The key is reinforcing the truth based on verifiable evidence collected today, yesterday or in the past
- Hosted independently to safe-guard against insider threats
In releasing Cisco Crosswork Trust Insights, we introduced a secured mechanism backed by cryptographic proof for collecting data from your devices. This mechanism can be leveraged to gather verifiable evidence for a variety of use cases such as inventory and operational reporting, compliance verification or trust attestation. Accurate tracking of inventory changes and ability to prove retrospectively, what happened, when and how it happened, who did it, are critical to preserve assured inventory. The assessment can be augmented with trust data enabling integrity verification and detecting unanticipated changes. For example, when a router is upgraded, it is essential to gather evidence to verify what OS version it is running or if the version changed unexpectedly indicating a suspicious activity.
Crosswork Trust Insights reports on inventory changes and system integrity information with comprehensive coverage across hardware and software. It uses Cisco Crosswork Data Gateway as a proxy deployed in your network to collect data from network devices using a cryptographically secured channel. It validates the signatures and evaluates the collected evidence against the fingerprints provided by Cisco. Crosswork Trust Insights also provides secure off-site storage of evidence which can help ease compliance and forensics while safe-guarding against internal threats. All the information can be visualized and analyzed with intuitive dashboards and workflows.
For service providers, Web/OTT, and enterprises alike, a network is a mission-critical asset. Especially for service providers, the network enables delivery of business-critical services, new revenue streams, and business models. Trust is a key infrastructure pillar that can help you reinforce trustworthiness as a significant differentiator.
As we know, the security landscape will continue to expand, therefore Cisco is committed to transparency and accountability, acting as a trusted partner to our customers to address evolving security threats.