Service Provider Security Architecture – Part 1
There has never been a more interesting time to be a Service Provider. Today, we are in the midst of a once-in-a-generation transition in technology, the kind we last saw with the birth of the internet. The exponential growth in hyper-connectivity, the services that evolve upon it and the dawn of the Internet of Things demand a next generation of flexible and dynamic infrastructure. To power this new epoch in infrastructure, Service Providers are grappling with the promise and challenge of technologies such as virtualization and orchestration. Compounding this challenge is the need to maintain the security of this critical infrastructure and the confidentiality, integrity and availability of the information that resides upon it. Service Providers are well aware of this requirement and have traditionally built architectures that focused on enforcement of the security perimeter.
The challenge with architectures like this is that, despite ever taller walls and ever deeper moats, the bad guys continue to evolve more sophisticated ways of bypassing the perimeter. Much like the Trojans of ancient times, we see a growing number of techniques not only to bypass these walls but also to evade the perimeter inspection mechanisms behind them. This pattern is not dissimilar to the evolution of most traditional security mechanisms, for example the passport. Originally a document that listed the places, towns or cities someone was permitted to visit, the passport was rapidly found to need additional information, such as height, weight, eye and hair color, in order to prevent spoofing.
Later on, it was determined that even this additional information would not be sufficient to prevent a determined and motivated malicious actor from bypassing these checks and misusing the passport. The logical consequence was the birth of modern surveillance and intelligence services, required to protect society and the state from these malicious users. These services were very much focused on visibility and understanding within the borders of the state in which they operate. In many ways, the problem of the Service Provider is very similar to that of the state, and as a consequence we should look to learn from the past in developing solutions that may help.
This is why, within Cisco’s Open Network Architecture (ONA), pervasive security is called out as critical. In my next post I’ll describe what is meant by this pervasive security.