
Q&A: John Stewart, Cisco's chief security officer

The head of security for Cisco speaks to IT PRO about application security and solving the identity problem.

With the emphasis on security techniques like data leakage prevention, there's a shift from network-based security to application-based security: agents on the desktop, monitoring tools, rights management, encryption and log analysis.

With that, Cisco has ambitions to be seen as more than an infrastructure provider. Unified communications and collaboration are part of the vision, but so is security. We caught up with chief security officer John Stewart to ask him for Cisco's take on two big issues: application security and identity.

What does Cisco have to offer for application security today?

There are certain answers in the application security space that don't necessarily get called out as application security answers. In many cases, application security is a combination of four things. It's the teaching of the developers, commercial or internal. Second is penetration testing, where you're actively seeking application vulnerabilities, either in flight or active.

Then there's defence, where you start getting ahead of the application systems - in an attempt to ensure an application suite has got an application firewall, if you like. Take Cisco Security Agent. It is very possible - in data centres and on end points and externally facing or internally facing systems - that you can't patch fast enough or you can't fix fast enough, while still trying to keep your operation running. As a result, what you want is something that can, in a sense, try and anticipate the unknown. When you're anticipating the unknown, signature technology falls by the way so you have to go to heuristic-based anomaly detection.

We talk about CSA as being endpoint security but we put it on servers for the exact same reason. You're trying to ensure that if you can't patch fast enough or you don't have a signature-based system, you still have protection.

I've already talked to a couple of customers just this week with NT 4.0 in their data centre. There's no patch. They still need NT 4.0; they can't migrate yet. And as a result they still feel at risk unless they use something, and CSA works on NT 4.0. It makes them feel confident that they're still OK in their applications in their data centre. You still don't see CSA as application security technology, yet it is. It's just presented as an endpoint system.

And the fourth stage?

The architectural review of the infrastructure itself, because it's not just one application it's typically a combination of systems.

Can you move application security into the network itself?

The ACE XML gateway work that we have done is very germane to talking about application firewalls, the true application layer inspection. And that's in our sweet spot: we have the ability in our switch fabric and our router fabric to start pre-filtering before an application ever sees a threat.

The anti-virus injection into some of our kit is doing on-the-fly screening. We still talk about "anti-virus", but what it's really doing is mitigating threats in flight.

Cisco, in most people's minds, it'll be, "yeah, you're the network security guys". Well, networking security and applications - there aren't two separate domains any more.

Does that mean the application needs to be more aware of the network a user is connecting over?

Applications need to know the network they're going to be on, the endpoints they're going to use and if necessary, how they might dynamically change in the middle of the conversation. You're using a service; you don't know where it is, it's transiting any number of networks.

You move from one network like GSM, to jumping over WiMAX, switching back to Wi-Fi; the medium changed and the application needs to know it. The service delivery might be a completely different model, your security context changes. You might go from a trusted network in your corporation to an untrusted network that's asserting trust differently yet still want to do the transaction. You might switch your endpoint. You're on a notebook, you decide the battery is getting low and you pop your phone out and you still get the context. You're still doing your work; it's just on your phone not on your notebook.

When we get to that seamless nature of applications versus networks, this whole conversation is irrelevant. The two have to be so tightly coupled that the security of both is inherently intertwined.

So how do you deal with that security context? How can you choose to trust the same user less if they're in a coffee shop than if they're connecting from home? And how do applications need to change to make that work?

Take the way Cisco is using Cisco Security Agent on itself. CSA is network aware. You can decide, if it's on a certain network, to behave in a certain way, and if it's on a different network, to behave in a different way. You know what your home network is, so you can decide what context of trust you want to assert when it's inside your network. And then you can decide that all other networks are unknown, and then you might up-level the protection systems when you're on them.
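The network-aware behaviour Stewart describes here, and the mid-session network switching from the earlier answer, can be modelled as a small policy-selection routine. The following is an added illustration written for this page; it is not Cisco's or CSA's code. The trust tiers, control names, gateway MACs, DNS suffix and VPN port are all constructed for the example, and the classification rule (corporate DNS suffix plus a known gateway is required before a network counts as internal, because a DHCP server on any hostile network can hand out the corporate suffix) is the example's own assumption.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed values for the example. A real agent would receive these from
# provisioning rather than hard-coded constants.
CORP_DNS_SUFFIX = "corp.example"
TRUSTED_GATEWAY_MACS: FrozenSet[str] = frozenset({"00:11:22:33:44:55", "00:11:22:33:44:56"})
VPN_PORT = 1194

# Higher number means more trust; used to detect a downgrade when roaming.
TIER_RANK = {"unknown": 0, "remote-vpn": 1, "internal": 2}
BASELINE_CONTROLS: FrozenSet[str] = frozenset({"signature-av", "host-firewall"})


@dataclass(frozen=True)
class NetworkContext:
    """What the agent can observe about the network it is currently on."""
    dns_suffix: str        # search domain handed out by DHCP
    gateway_mac: str       # MAC of the default gateway, from the ARP table
    interface_type: str    # "ethernet", "wifi" or "cellular"
    vpn_up: bool           # corporate VPN tunnel is established
    captive_portal: bool   # an HTTP probe was redirected to a login page


@dataclass(frozen=True)
class Policy:
    tier: str
    controls: FrozenSet[str]
    allowed_outbound_ports: FrozenSet[int]


def classify(ctx: NetworkContext) -> str:
    """Decide which trust tier the current network belongs to.

    The DNS suffix alone is not proof of being inside the corporate network;
    a known gateway is required as well. A corporate suffix seen together
    with an unknown gateway is treated as an unknown network.
    """
    if ctx.dns_suffix == CORP_DNS_SUFFIX and ctx.gateway_mac in TRUSTED_GATEWAY_MACS:
        return "internal"
    if ctx.vpn_up:
        return "remote-vpn"
    return "unknown"


def select_policy(ctx: NetworkContext) -> Policy:
    """Map the trust tier to the protections the agent should enforce."""
    tier = classify(ctx)
    if tier == "internal":
        return Policy(tier, BASELINE_CONTROLS,
                      frozenset({22, 53, 80, 443, 445, 3389}))
    if tier == "remote-vpn":
        # Traffic rides the tunnel, but the underlying medium is not ours,
        # so behavioural detection stays on.
        return Policy(tier, BASELINE_CONTROLS | {"anomaly-detection"},
                      frozenset({53, 443, VPN_PORT}))
    # Unknown network: up-level everything. Only DNS and the VPN port are
    # allowed out until the tunnel is up; cleartext and all inbound are blocked.
    controls = BASELINE_CONTROLS | {"anomaly-detection", "block-cleartext",
                                    "deny-all-inbound", "require-vpn"}
    ports = {53, VPN_PORT}
    if ctx.captive_portal:
        # Allow just enough to get through the hotspot's login page.
        ports |= {80, 443}
    return Policy(tier, controls, frozenset(ports))


def on_network_change(previous: NetworkContext, current: NetworkContext) -> Tuple[Policy, bool]:
    """Re-evaluate mid-session, e.g. a laptop roaming from office Ethernet to a hotspot.

    Returns the new policy and True when the trust tier dropped and
    protections had to be tightened.
    """
    new_policy = select_policy(current)
    tightened = TIER_RANK[new_policy.tier] < TIER_RANK[classify(previous)]
    return new_policy, tightened


if __name__ == "__main__":
    # Constructed sample contexts: office Ethernet, then a coffee-shop hotspot.
    office = NetworkContext("corp.example", "00:11:22:33:44:55", "ethernet", False, False)
    cafe = NetworkContext("hotspot.local", "de:ad:be:ef:00:01", "wifi", False, True)
    policy, tightened = on_network_change(office, cafe)
    print(policy.tier, sorted(policy.controls), sorted(policy.allowed_outbound_ports), tightened)
```

The point of `on_network_change` is that the decision is re-run whenever the medium changes, not only at logon: the same user moving from the office to a hotspot keeps working, but under a tighter policy until the VPN comes up.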
