Cisco Security Chief: Security Needs To Be Built In, Not Bolted On


Bolting security onto software and hardware that contain myriad vulnerabilities is inefficient and often creates complexity that introduces more weaknesses criminals can leverage, according to security and technology executives who recently discussed how enterprise IT adoption trends are impacting information security.     

Businesses, especially public companies that must meet shareholder expectations, are going to be increasingly challenged about data security, risk mitigation and the effectiveness of their overall security strategy, said John Stewart, senior vice president and chief security officer at Cisco Systems, San Jose, Calif. Speaking to financial industry executives and IT leaders at the Bloomberg Enterprise Technology Summit in New York last week, Stewart said the manufacturers of devices and software need to be proactive about addressing data security issues, beginning at the design level.

"We've relied for a very long time on the notion of perimeter," Stewart said, adding that security needs to be something simpler and easier for businesses to implement and measure.

Cloud adoption is having a significant impact on the security model at many organizations, said Gary Clark, chief technology officer and vice president of technology services at Juniper Networks, Sunnyvale, Calif. More than 80 percent of Juniper's corporate applications are in the cloud one way or another, Clark said. Many companies, including Juniper, are keeping the most sensitive information stored in an in-house private cloud due to the perception that it can be better controlled and monitored, Clark said in a discussion at the summit on how cloud adoption is impacting security strategies.

"You can look at it as data center interconnect, but today we need cloud interconnect," Clark said. "Security is in that fabric of interconnect."

Throughout the daylong summit, executives said the move to cloud services is forcing businesses to rethink how fundamental security best practices are implemented and enforced. The model of validating users onto the network and giving them access to a variety of system resources needs to change, they said, adding that privileges need to be minimized and all network traffic should be treated as untrustworthy. More organizations need to adopt a "zero-trust model" and proactively inspect all network traffic to validate the authenticity of user activity, said Benjamin Fried, chief information officer at Google, Mountain View, Calif.

"There is no corporate network; there's a private network," Fried said. "You treat everyone connecting to you as if they were the Internet."

Security experts at solution providers, service providers and systems integrators tell CRN that large businesses increasingly are embracing a zero-trust model, where most data can flow freely on a private network that is strictly monitored. Larger firms have deeper wallets to adopt the latest technologies and attract and retain a skilled IT staff, they say. Many small and midsize firms embracing the zero-trust model likely would need assistance from service providers to proactively identify and address suspicious activity, said Alex Moss, managing partner of security consultancy Conventus, a Chicago-based firm that is developing a way to provide visibility and proactive management of privilege access.

"There needs to be a way to mitigate some risk and make it easier to implement a more secure network and create a path to maturity over a shorter period of time," Moss said.

Businesses are modifying how they approach security, but Cisco's Stewart said the security industry also is going to need to adapt rapidly to changing enterprise environments. He stopped short of calling cloud adoption a more secure approach, explaining that there's no clear way to measure or compare cloud security vs. an on-premise security approach.

"Rarely are there metrics of efficacy, and there is no reasonable way to compare one [approach] to another," Stewart said. 

PUBLISHED MAY 1, 2014