Q&A: John Stewart, Cisco's chief security officer
The head of security for Cisco speaks to IT PRO about application security and solving the identity problem.
With the emphasis on security techniques like data leakage prevention, there's a shift from network-based security to application-based security - agents on the desktop, monitoring tools, rights management, encryption, log analysis.
With that, Cisco has ambitions to be seen as more than an infrastructure provider. Unified communications and collaboration are part of the vision but so is security. We caught up with chief security officer John Stewart to ask him for Cisco's take on two big issues - application security and identity.
What does Cisco have to offer for application security today?
There are certain answers in the application security space that don't necessarily get called out as application security answers. In many cases, application security is a combination of four things. It's the teaching of the developers, commercial or internal. Second is penetration testing, where you're actively seeking application vulnerabilities, either in flight or active.
Then there's defence, where you start getting ahead of the application systems - in an attempt to ensure an application suite has got an application firewall, if you like. Take Cisco Security Agent. It is very possible - in data centres and on endpoints and externally facing or internally facing systems - that you can't patch fast enough or you can't fix fast enough, while still trying to keep your operation running. As a result, what you want is something that can, in a sense, try and anticipate the unknown. When you're anticipating the unknown, signature technology falls by the way, so you have to go to heuristic-based anomaly detection.
We talk about CSA as being endpoint security but we put it on servers for the exact same reason. You're trying to ensure that if you can't patch fast enough or you don't have a signature-based system, you still have protection.
I've already talked to a couple of customers just this week with NT 4.0 in their data centre. There's no patch. They still need NT 4.0; they can't migrate yet. And as a result they still feel at risk unless they use something, and CSA works on NT 4.0. It makes them feel confident that they're still OK in their applications in their data centre. You still don't see CSA as application security technology, yet it is. It's just presented as an endpoint system.
And the fourth stage?
The architectural review of the infrastructure itself, because it's not just one application; it's typically a combination of systems.
Can you move application security into the network itself?
The ACE XML gateway work that we have done is very germane to talking about application firewalls, the true application layer inspection. And that's in our sweet spot: we have the ability in our switch fabric and our router fabric to start pre-filtering before an application ever sees a threat.
The anti-virus injection into some of our kit is doing on-the-fly screening. We still talk about "anti-virus", but what it's really doing is mitigating threats in flight.
Cisco, in most people's minds it'll be, "yeah, you're the network security guys". Well, network security and applications - those aren't two separate domains any more.
Does that mean the application needs to be more aware of the network a user is connecting over?
Applications need to know the network they're going to be on, the endpoints they're going to use and if necessary, how they might dynamically change in the middle of the conversation. You're using a service; you don't know where it is, it's transiting any number of networks.
You move from one network, like GSM, to jumping over WiMAX, to switching back to Wi-Fi; the medium changed and the application needs to know it. The service delivery might be a completely different model; your security context changes. You might go from a trusted network in your corporation to an untrusted network that's asserting trust differently, yet still want to do the transaction. You might switch your endpoint. You're on a notebook, you decide the battery is getting low and you pop your phone out, and you still get the context. You're still doing your work; it's just on your phone, not on your notebook.
When we get to that seamless nature of applications versus networks, this whole conversation is irrelevant. The two have to be so tightly coupled that the security of both is inherently intertwined.
So how do you deal with that security context? How can you choose to trust the same user less if they're in a coffee shop than if they're connecting from home? And how do applications need to change to make that work?
Take the way Cisco is using Cisco Security Agent on itself. CSA is network aware. You can decide, if it's on a certain network, to behave in a certain way, and if it's on a different network, to behave in a different way. You know what your home network is, so you can decide what context of trust you want to assert when it's inside your network. And then you can decide that all other networks are unknown, and then you might up-level the protection systems when you're on them.
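The network-aware behaviour described in the last two answers (a relaxed profile on a recognised network, a stricter one everywhere else, and a step-up when the context changes mid-session) can be sketched as a small policy engine. The code below is an added illustration written for this page; it is not Cisco Security Agent code and does not describe how CSA is implemented. Every network identifier, profile name and action string in it is constructed for the example. Two design points a practitioner would want are shown: a network is recognised only when more than one observable attribute matches, so a spoofed DNS suffix alone does not unlock the relaxed profile, and anything not positively recognised falls through to the most protective profile.

```python
"""Network-aware endpoint policy selection (added example, not CSA code).

Picks a protection profile from what the agent can observe about the current
network, treats every unrecognised network as 'unknown', and decides what to
do when the profile changes in the middle of a session.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkContext:
    """Observations the agent can make about the network it is on."""
    dns_suffix: str      # search domain handed out by DHCP, e.g. "corp.example"
    gateway_mac: str     # MAC address of the default gateway
    interface: str       # "ethernet", "wifi" or "cellular"
    vpn_connected: bool = False


@dataclass(frozen=True)
class Profile:
    """One protection posture; fields are the knobs the agent would enforce."""
    name: str
    firewall_mode: str            # "allow-listed" or "deny-all-inbound"
    allow_file_share: bool
    require_vpn_for_internal: bool
    log_level: str


# Profiles from least to most protective.  Names and settings are constructed.
PROFILES = {
    "corporate": Profile("corporate", "allow-listed", True, False, "normal"),
    "home": Profile("home", "deny-all-inbound", False, True, "normal"),
    "unknown": Profile("unknown", "deny-all-inbound", False, True, "verbose"),
}

# Ordering used to detect a move to a less trusted network.
TRUST_RANK = {"corporate": 2, "home": 1, "unknown": 0}

# Known networks are matched on two attributes at once.  A DNS suffix alone is
# trivially spoofable, so it never unlocks a relaxed profile by itself.
# All values below are constructed for the example.
KNOWN_NETWORKS = [
    {"profile": "corporate", "dns_suffix": "corp.example", "gateway_mac": "00:11:22:33:44:55"},
    {"profile": "home", "dns_suffix": "lan", "gateway_mac": "aa:bb:cc:dd:ee:01"},
]


def classify(ctx: NetworkContext) -> Profile:
    """Return the profile for ctx; default to 'unknown' unless positively recognised."""
    for net in KNOWN_NETWORKS:
        if (ctx.dns_suffix.lower() == net["dns_suffix"]
                and ctx.gateway_mac.lower() == net["gateway_mac"]):
            return PROFILES[net["profile"]]
    return PROFILES["unknown"]


def may_reach_internal(ctx: NetworkContext, profile: Profile) -> bool:
    """Internal resources are reachable directly on the corporate profile,
    and only over VPN on profiles that require it."""
    return (not profile.require_vpn_for_internal) or ctx.vpn_connected


def on_network_change(previous: Profile, current: Profile) -> list[str]:
    """Actions to take when the agent sees the network context change.

    Moving to a less trusted network mid-conversation steps protection up:
    the user re-authenticates and anything unencrypted is torn down.  Moving
    to a more trusted network only swaps the profile; nothing is relaxed
    without an explicit policy decision elsewhere.
    """
    if previous.name == current.name:
        return []
    actions = [f"apply-profile:{current.name}"]
    if TRUST_RANK[current.name] < TRUST_RANK[previous.name]:
        actions.append("reauthenticate")
        actions.append("close-unencrypted-sessions")
    return actions


if __name__ == "__main__":
    # Constructed walk-through: notebook on the corporate LAN, then the same
    # session continues from a coffee-shop Wi-Fi whose gateway is not known.
    office = NetworkContext("corp.example", "00:11:22:33:44:55", "ethernet")
    cafe = NetworkContext("corp.example", "de:ad:be:ef:00:01", "wifi")  # suffix spoofed
    before, after = classify(office), classify(cafe)
    print(before.name, "->", after.name, on_network_change(before, after))
    print("internal reachable from cafe without VPN:", may_reach_internal(cafe, after))
```

The walk-through at the bottom makes the spoofing point concrete: the coffee-shop network advertises the corporate DNS suffix, but because the gateway does not match it is classified as unknown, the session is told to re-authenticate, and internal resources stay unreachable until the VPN is up.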