Security as a Bolt-On: Myth #2 of the Good-Enough Network

Editor’s Note: This is a post by Michael Rau, Vice President and CTO for Borderless Network Architecture at Cisco.

Imagine that it’s a warm, sunny day and you’re sitting on a glorious white-sand beach. You relax and gaze out at a group of surfers as they paddle to catch a wave. Then you glance down at your watch and realize it’s time for your 2 p.m. conference call. There is no need to dash back to the office to call in or to fetch the documents you’ll need; you simply pick up your smartphone and dial into the meeting.

While few of us have the luxury of working on the beach (sand and sunscreen are not the best companions for electronics anyway), many of us are able to work remotely without ever setting foot in an office.

In fact, 60% of employees believe they don’t need to be in the office to be productive and efficient, according to the Connected World Report, 2010. And two-thirds of employees believe they should be able to access either work or personal information using company devices at any time from any location.

With a workforce scattered around the globe, telecommuting from far-flung locations and satellite offices, how does a company provide consistent, secure access to the network across wired, wireless, and VPN connections? IT managers also have to contend with the multitude of devices connecting to that network, from smartphones to iPads to personal laptops. These are the things that keep many CIOs awake at night.

So how do IT departments address employee telecommuting and security at the same time?

Bolt-On Network Security

I recently blogged about the “good enough” network myth number one, “the single-purpose network.” Today, we’re continuing on to myth number two: “bolt-on security.”

Bolt-on security typically consists of one or more point products that don’t communicate with each other and don’t share information, which makes it difficult to enforce consistent security across the IT environment: a sort of Frankenstein network. A network like this can leave a company exposed to costly security incidents. The threats are real: incidents of customer data being leaked to the public are becoming more commonplace, and it only needs to happen once, because a breach like that can ruin a company’s reputation and permanently erode customer trust.

Network security has to keep pace with the needs of an ever-changing mobile workforce and with a growing threat profile. It doesn’t help that the risks are everywhere. According to the Connected World Report, 2010, the spread of malware on mobile devices increased 46% in 2010, while at the same time 20% of workers had left devices unattended and 46% had let others use their devices.

Despite all these risks, many “good enough” networks cobbled together from inexpensive equipment rely on the bolt-on approach to security. That leaves the network, and the valuable data on it, open to attackers. So how do you resolve these security issues?

Integrated Architecture and a Network That Knows Its Users

First of all, you need pervasive visibility and control that uses the network itself to enforce security policies. In an integrated architecture, security is built into a network that spans the buildings at corporate headquarters, the homes from which employees tunnel in over VPN, the employees’ personal devices on wired and wireless connections, and the data they reach in private or public clouds.

To be considered secure, a network should have pervasive visibility and full context awareness, so that security is applied across the whole network, for every user and every device. An important aspect of Cisco’s SecureX architecture is context-aware policy with distributed enforcement, delivered through the Cisco Identity Services Engine (ISE). As the industry’s only network-wide policy engine appliance, ISE creates, distributes, and monitors policies expressed in a contextual language that captures the who, what, where, when, and how of each access request.

Here’s how it works. When an employee brings in a device that the enterprise doesn’t control, SecureX can identify the device and the user and determine which privileges to grant. A truly smart, integrated network detects devices, profiles users, and then applies security policy accordingly. For example, Bob in Marketing can access marketing materials but not the payroll server. Linda in Finance can’t access financial information over a coffee-shop Wi-Fi connection, yet the same location-based policy lets her access it at her office, behind the firewall. Note that “location” here is what the network can actually verify, namely which wired port, wireless network, or VPN concentrator the device is attached to, rather than a physical position the device reports about itself.
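The Bob and Linda scenario above is easier to reason about as a policy that is evaluated against an explicit context. The block below is an added illustration written for this page; it is not Cisco ISE’s policy language and is not code from the original post. The attribute names (role, zone, managed_device, hour), the resource paths, the trusted-zone set, and the rule set are all constructed assumptions. It shows two properties a practitioner should insist on in any context-aware engine: the default answer is deny, and a matching deny rule overrides any permit. It also goes slightly beyond the text by adding a “when” rule (business hours) and a “how” rule (device posture), so all five questions from the paragraph above are covered.

```python
"""Toy context-aware access policy: who (user/role), what (resource/action),
where (network zone), when (hour), how (device posture).

Added illustration only; the attribute names, zones and rules are assumptions,
not Cisco ISE's real policy model."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Zones as the enforcement point reports them (assumed names). VPN counts as
# trusted because the tunnel terminates behind the corporate firewall.
TRUSTED_ZONES = {"corporate_lan", "vpn"}


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    resource: str        # e.g. "marketing/brochures", "finance/payroll"
    action: str          # "read" or "write"
    zone: str            # "corporate_lan", "vpn" or "public_wifi"
    managed_device: bool # True if the enterprise manages the endpoint
    hour: int            # 0-23, local time at the enforcement point


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str          # "permit" or "deny"
    condition: Callable[[Context], bool]


def evaluate(rules: List[Rule], ctx: Context) -> Tuple[str, str]:
    """Deny-overrides, default-deny evaluation.

    The first matching deny rule wins immediately. Otherwise the last matching
    permit wins. If no rule matches at all, the request is denied."""
    decision, reason = "deny", "default-deny"
    for rule in rules:
        if rule.condition(ctx):
            if rule.effect == "deny":
                return "deny", rule.name
            decision, reason = "permit", rule.name
    return decision, reason


# Constructed rule set modelled on the Bob/Linda scenario.
RULES: List[Rule] = [
    # HOW: a device the enterprise does not manage gets guest internet only.
    Rule("deny-unmanaged-device", "deny",
         lambda c: not c.managed_device and c.resource != "internet"),
    # WHERE: finance data is never served outside the trusted zones.
    Rule("deny-finance-offsite", "deny",
         lambda c: c.resource.startswith("finance/")
         and c.zone not in TRUSTED_ZONES),
    # WHEN: no writes to finance systems outside business hours.
    Rule("deny-finance-afterhours-write", "deny",
         lambda c: c.resource.startswith("finance/")
         and c.action == "write" and not 7 <= c.hour < 19),
    # WHO / WHAT: permits are scoped to the role's own resources.
    Rule("permit-marketing", "permit",
         lambda c: c.role == "marketing"
         and c.resource.startswith("marketing/")),
    Rule("permit-finance", "permit",
         lambda c: c.role == "finance" and c.resource.startswith("finance/")),
    Rule("permit-internet", "permit", lambda c: c.resource == "internet"),
]


def decide(**attrs) -> Tuple[str, str]:
    """Build a Context from keyword attributes and evaluate it against RULES."""
    return evaluate(RULES, Context(**attrs))


if __name__ == "__main__":
    # Constructed sample requests; Bob and Linda follow the text above.
    cases = [
        dict(user="bob", role="marketing", resource="marketing/brochures",
             action="read", zone="corporate_lan", managed_device=True, hour=10),
        dict(user="bob", role="marketing", resource="finance/payroll",
             action="read", zone="corporate_lan", managed_device=True, hour=10),
        dict(user="linda", role="finance", resource="finance/ledger",
             action="read", zone="public_wifi", managed_device=True, hour=10),
        dict(user="linda", role="finance", resource="finance/ledger",
             action="read", zone="corporate_lan", managed_device=True, hour=10),
        dict(user="linda", role="finance", resource="finance/ledger",
             action="write", zone="vpn", managed_device=True, hour=22),
        dict(user="guest", role="contractor", resource="marketing/brochures",
             action="read", zone="corporate_lan", managed_device=False, hour=10),
    ]
    for c in cases:
        print(f"{c['user']:6} {c['resource']:20} {c['zone']:14} -> {decide(**c)}")
```

Two design points are worth carrying into a real deployment. Bob’s request for the payroll server is refused not because a rule names him, but because nothing permits it; adding a resource to the network should never widen access by accident. And the deny rules are keyed on the zone the network observed, which is why the same request from Linda gets opposite answers on the coffee-shop Wi-Fi and on the corporate LAN without any change to her user account.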

Transparency is another important aspect of a next-generation network. It gives IT managers the freedom to tailor the network to the company’s needs, and it gives them the tools to diagnose potential security threats on the spot, which is of paramount importance.

With a smart network, you can establish policies for each device and user, share those policies with every enforcement point on the network, and update them instantly when a new device appears.

Keeping Data Secure, Wherever It Is

As cloud becomes more mainstream, the network can be either the facilitator or the impediment in adopting cloud capabilities securely. A broad premises-to-cloud security architecture extends consistent security to the infrastructure in a far more dynamic environment. Across a widely distributed network, it then becomes straightforward to redirect web traffic intelligently and enforce granular security and control policies on it.

When planning your network, look for vendors who treat security holistically and understand that threats arrive over multiple vectors. Build a holistic security strategy that combines firewalls, VPN clients, web content security, and a centralized, global threat-correlation engine that delivers timely intelligence and protection.

But if you do decide to try bolt-on security, remember: a chain is only as strong as its weakest link, and a network is only as secure as its most vulnerable component.

Two “good enough” network myths down, five to go. Look for myth #3, “the application- and endpoint-ignorant network,” which I’ll cover next week.

But until then, what are some of the “good enough” myths that you’ve been hearing in the industry?

Note: The seven myths are outlined in a recent white paper from Cisco: Debunking the Myth of the Good Enough Network.

Michael Rau, Vice President and CTO for Borderless Network Architecture at Cisco.

Mike has been with Cisco for 14 years and is currently responsible for working with customers and partners. In his current role, he helps shape the future direction of the network and how it delivers business value to customers and partners. Before this, Mike was Vice President of WW Enterprise Technical Sales Strategy, where he was responsible for developing technical and competitive sales strategies in support of Cisco’s enterprise go-to-market strategy. Mike has held a variety of other positions at Cisco, starting as a Systems Engineer supporting Cisco’s entry into the switching market.