Complexity comes in many forms, says Cisco’s chief security officer, John Stewart, who rates the speed of change as his top challenge.
“The pace of change inside IT systems is on a steady, up-and-to-the-right trajectory,” he says, rattling off a list that includes switching systems on and off, virtualising them, delivering mobility, application management and context switching.
“Complexity is its own threat. If not carefully managed, it ends up being one of the gaps where the seams end up being exposed and you find yourself vulnerable unexpectedly.” But there are problems you can eliminate and those you can’t, and the latter group includes increasingly sophisticated criminal elements.
“You’re never going to solve it. It’s a containable item but never solvable because it’s just part of the way life works.”
Some risks are more easily dealt with, such as visibility into systems and the cost of ensuring they remain protected as new products are integrated, says Stewart. “I need to have a far more detailed understanding of my operation,” he says. Stewart’s key investments for 2011 will focus on improving log-file analysis, NetFlow records of IP traffic, configuration management and scanning systems.
Meanwhile, Stewart would like to reduce the cost of securely integrating new technologies. “It’s expensive for my time, it’s expensive for my team’s time.” To counter this, Stewart would like to reach an ideal state of interoperability, where gluing together complex IT systems is as simple as Lego.
“We have to fix this. Otherwise, we just keep finding a new problem and building a product that doesn’t always integrate. Consumers of all these point-based solutions go after it a little bit differently and it’s more complex.”
With a vested interest in the continued adoption of Cloud services, Cisco is using increased demand for security in tenders to differentiate its business pitch.
“It’s increasingly the case. We’re seeing it in requests for information and proposals. Security is becoming part of the negotiating process for providing a service.” “One of the important measures is a universally well understood controls practice framework, such as ISO 27001,” he says.
“It can translate to a very transparent way of talking about what controls are in place, and it can be audited through both an external auditor or your internal auditing team.”
Some harbour concerns about security and privacy in data centre infrastructure that spans several jurisdictions, but Stewart sees potential for policy-driven trade-offs. If a customer’s data were managed across separate jurisdictions, they could choose, for example, that a subset of their data does not fail over to another location in the event of a disruption. “It’s a question about how much resiliency you want for one location and whether you’re willing to sacrifice some of the resiliency of a Cloud service that could fail over to another location,” argues Stewart.
“As a choice, you’re taking a risk, but you’re also mitigating one of your own risks.”
Cisco’s aim is to create the ability to construct “electronic versions of plain English policy”, which could be projected to other Cloud service providers.
“So that if you move workloads from inside your own data centre into, say, a service provider who is running a Cloud, the same policy controls are brought with it, and essentially both operations run the same.” According to Stewart, the conflict between CSOs and CIOs has largely disappeared.
“I don’t think that’s where we’re at anymore. There are phenomenal ways in which security enables productivity.” “If you are able to do your job from wherever you are, and not endanger the organisation or customers as a result, you’ve essentially taken security as a connectivity play, and enabled productivity.”
Follow CSO Australia on Twitter: @CSO_Australia