Thursday, February 17, 2011

Tablets, smartphones force Cisco to rethink how security works

Cisco has unveiled a self-described "complicated" security architecture dubbed SecureX that it says provides a context-aware way to safeguard networks increasingly overrun with smartphones, tablets and virtualization.

SecureX, outlined at the RSA Conference in San Francisco, will initially give Cisco firewalls -- and eventually its switches, routers and other products -- the ability to dynamically scan and tag data related to a user's identity and application/device usage in order to have a real-time basis for enforcing identity-based security policies.

Tom Gillis, vice president and general manager of Cisco's security technology business unit, acknowledged the SecureX Architecture is novel and complex, and its evolution in terms of product implementation will only start to slowly roll out later this year.

The SecureX capability is expected to first be evident in the line of Cisco Adaptive Security Appliance (ASA) multipurpose firewalls, which will be outfitted with Cisco TrustSec tagging technology to identify a wide range of information about a user's network usage, such as applications, devices, location and time of day, so that security decisions can be made in a context-aware fashion.

"What will context reveal? Who somebody is, are they part of an organization, what applications are they trying to use, are they using an iPhone and iPad and is it managed by IT," and are they inside or outside the corporate network, says Ambika Gadre, senior director for Cisco's security technology business unit.

The idea is to flag policy violations, block access or warn about security threats. SecureX is seen as augmenting Cisco's Borderless Networks strategy, which is intended to support applications, processing cycles and services that are increasingly distributed and virtualized, such as those in cloud computing and software-as-a-service environments.

"It is proprietary," Gillis acknowledged when asked whether the SecureX architecture will ever extend to incorporate third-party security or network gear. But Cisco executives said they are weighing how to create a shared ecosphere for it, likely by making APIs available or approaching a standards body with some fundamental SecureX-related technology.

Cisco is a large player in the network security market, with about $2 billion in sales last year. But the consumerization of the endpoint, with devices such as Apple iPads and iPhones as well as mobile devices running Google Android and other software spilling into the enterprise, "is causing us to rethink how security works," says Gillis. The spread of virtualized systems is also a big part of that mix, he says.

Cisco envisions SecureX as a way not only to give customers a broad view of what computer and mobile device users are doing on the network, but also to enforce granular policies such as access to applications on Facebook. There's also the idea that blending some tagged identity and device information data with threat data amassed from Cisco's Security Intelligence Operations, a cloud-based service for analyzing ongoing threat information globally, would advance context-aware security. Cisco will also amass situational telemetry data culled from the actions of the more than 150 million AnyConnect and legacy VPN clients its customers use, and apply it to context-aware security.

Deciphering SecureX

In trying to absorb what the heck Cisco is talking about with SecureX -- especially with no demonstrable product to show off -- analysts were somewhat divided.

Gartner analyst Neil MacDonald called SecureX and the shift to context-based awareness "very compelling" and applauded the "richness of the ideas."

But other analysts were skeptical about it, especially its complexity, and intimated Cisco was going off on a tangent that was unlikely to benefit the rest of the security industry.

"I wish Cisco would stop misdirecting the security industry by taking the patchwork quilt of the few products they have and lumping them into an overarching, over-branded architecture," said Richard Stiennon, analyst with IT-Harvest. "They have nothing to show us," he said, adding that if the concept has any chance, the company will have to show proof of something important in the next 12 months.

Over the next 12 months, Cisco promises to get SecureX into its line of ASA appliances. But when asked if this will be a software upgrade or require new hardware, Cisco executives say they aren't sure. "That's to be determined," said Fred Kost, director of security solutions marketing.
