Q&A: John Stewart, Cisco's chief security officer

The head of security for Cisco speaks to IT PRO about application security and solving the identity problem.

With the emphasis on security techniques like data leakage prevention, there's a shift from network-based security to application-based security - agents on the desktop, monitoring tools, rights management, encryption, log analysis.

With that, Cisco has ambitions to be seen as more than an infrastructure provider. Unified communications and collaboration are part of the vision but so is security. We caught up with chief security officer John Stewart to ask him for Cisco's take on two big issues - application security and identity.

What does Cisco have to offer for application security today?

There are certain answers in the application security space that don't necessarily get called out as application security answers. In many cases, application security is a combination of four things. It's the teaching of the developers, commercial or internal. Second is penetration testing, where you're actively seeking application vulnerabilities, either in flight or active.


Then there's defence, where you start getting ahead of the application systems - in an attempt to ensure an application suite has got an application firewall, if you like. Take Cisco Security Agent. It is very possible - in data centres and on endpoints and externally facing or internally facing systems - that you can't patch fast enough or you can't fix fast enough, while still trying to keep your operation running. As a result, what you want is something that can, in a sense, try and anticipate the unknown. When you're anticipating the unknown, signature technology falls by the wayside, so you have to go to heuristic-based anomaly detection.

We talk about CSA as being endpoint security but we put it on servers for the exact same reason. You're trying to ensure that if you can't patch fast enough or you don't have a signature-based system, you still have protection.

I've already talked to a couple of customers just this week with NT 4.0 in their data centre. There's no patch. They still need NT 4.0; they can't migrate yet. And as a result they still feel at risk unless they use something, and CSA works on NT 4.0. It makes them feel confident that they're still OK in their applications in their data centre. You still don't see CSA as application security technology, yet it is. It's just presented as an endpoint system.

And the fourth stage?

The architectural review of the infrastructure itself, because it's not just one application; it's typically a combination of systems.

Can you move application security into the network itself?


The ACE XML gateway work that we have done is very germane to talking about application firewalls, the true application layer inspection. And that's in our sweet spot: we have the ability in our switch fabric and our router fabric to start pre-filtering before an application ever sees a threat.

The anti-virus injection into some of our kit is doing on-the-fly screening. We still talk about "anti-virus", but what it's really doing is mitigating threats in flight.

Cisco, in most people's minds, it'll be, "yeah, you're the network security guys". Well, network security and applications - they aren't two separate domains any more.

Does that mean the application needs to be more aware of the network a user is connecting over?


Applications need to know the network they're going to be on, the endpoints they're going to use and, if necessary, how they might dynamically change in the middle of the conversation. You're using a service; you don't know where it is, and it's transiting any number of networks.

You move from one network like GSM to jumping over to WiMAX, then switching back to Wi-Fi; the medium has changed and the application needs to know it. The service delivery might be a completely different model, and your security context changes. You might go from a trusted network in your corporation to an untrusted network that's asserting trust differently, yet still want to do the transaction. You might switch your endpoint. You're on a notebook, you decide the battery is getting low and you pop your phone out, and you still get the context. You're still doing your work; it's just on your phone, not on your notebook.


When we get to that seamless nature of applications versus networks, this whole conversation is irrelevant. The two have to be so tightly coupled that the security of both is inherently intertwined.

So how do you deal with that security context? How can you choose to trust the same user less if they're in a coffee shop than if they're connecting from home? And how do applications need to change to make that work?

Take the way Cisco is using Cisco Security Agent on itself. CSA is network aware. You can decide, if it's on a certain network, to behave in a certain way, and if it's on a different network, to behave in a different way. You know what your home network is, so you can decide what context of trust you want to assert when it's inside your network. And then you can decide that all other networks are unknown, and then you might up-level the protection systems when you're on them.
