The Big Security Guide

About this Guide

Security is a broad, and at times unruly, topic. As IT

Table of Contents
Educational Articles
What is SD-Branch Security? . . . . . . . . . . . . . . . . . . 1
How to Approach Cloud-Native Security . . . . . . .2
What Are the Top 5G Security Challenges? . . . . 4
What is Docker Security? . . . . . . . . . . . . . . . . . . . . 6
What is Cloud-Based Security? . . . . . . . . . . . . . . . 7
Five Elements of Cloud Security . . . . . . . . . . . . . . 8
infrastructure environments evolve, security must
evolve with them, especially as more data is moved to
virtualized and cloud environments. In this definitional
guide, we bring together our top security content from
across SDxCentral’s education materials and news
articles, ranging from SDN to 5G to IoT. In anticipation of
RSA Conference 2020, particular focus has been placed
on anticipated hot topics that will be discussed at the
show.

Data Center Security and Virtualization . . . . . . . 10

What is Security Virtualization? . . . . . . . . . . . . . . 12

Edge Computing Security Challenges . . . . . . . . 13

What is SD-WAN Security? . . . . . . . . . . . . . . . . . . 15

News Articles
What’s So Sassy About SASE . . . . . . . . . . . . . . . . 17

NSA Ranks Cloud Security Risks . . . . . . . . . . . . . 19

Will SD-WAN Solve IoT’s Toughest Questions? 22

Cisco Study: Data Privacy ROI for Businesses . 24

About SDxCentral
SDxCentral is the leading resource for IT infrastructure
knowledge.

IT infrastructure is under more demand and more

scrutiny than ever. The way we build networks has
fundamentally changed, with new technologies
constantly popping up to solve new challenges. At the
same time, the role of IT departments and of individuals
within the department is changing. While vendors and
executives strategize around new technologies, those in
the trenches scramble to keep up.

These guides are independent content designed to

share knowledge and help technology professionals stay
ahead of the curve.

This guide was assembled by Connor Craven.

© 2020 SDxCentral LLC. All Rights Reserved.

The Big Security Guide | What is SD-Branch Security?

What is SD-Branch Security?

SD-branch security refers to the tools and techniques
used to secure the software-defined branch. SD-branch
deployments are protected by multi-function appliances
with security in the branch office. All web traffic in and
out of the branch travels through these appliances. The
legacy fixed-function hardware boxes are condensed
into a smaller number of appliances that use security
virtual network functions (VNFs). The exact appliances
and VNFs an organization deploys varies in number and
type, based on the organization’s needs. Aligned with
other aspects of the SD-branch, the goal is to simplify
the management and orchestration of the branch.
SD-Branch and Security
SD-branch security relies on virtualization and SDN
technology. Virtualizing networking and security
functions allows multiple functions to run in a single
box, reducing the total amount of hardware needed at a
branch location.
As with other networking functions, the security
functionality in an SD-branch deployment can be
updated from a central location via management
software. Updates can reflect changes in business and
security policy, or can be patches to software bugs.
The concept of continuous integration and continuous
delivery (CI/CD) can be applied to this so the software
remains secure and effective.
There are multiple layers of security. Software for
firewalls, antivirus, anti-malware, intrusion detection
and intrusion prevention systems, unified threat
management, web and content filtering, and dynamic
segmentation are all seen in various combinations
in different SD-branch offerings. Some of the listed
examples can also be found in SD-WAN technology
because SD-branch is an extension of SD-WAN, and
includes SD-WAN’s features.
Things to Consider When Setting Up
SD-Branch Security
Evaluate the Vendor
Not all SD-branch offerings are created equal. Likewise,
not all organizations’ needs are the same. When starting
business with an SD-branch provider, it is good practice
for an organization to ensure that the vendor fits as
many of an organization’s needs as possible at an
affordable rate. If the vendor has cloud-based security
partners, those partners also need to be evaluated.
Recent Appliance Purchases
SD-branch products and services are still relatively new
to the market. An organization can’t be blamed if it
had recently started or completed the deployment of
a different type of branch infrastructure before hearing
of SD-branch. Wide-spread deployments take time and
money that make an organization hesitant to replace the
deployments too quickly. If the branch still meets the
organization’s needs and regulatory requirements with
the non-SD-branch technology, there is little reason to
change. Alternatively, an organization might not be able
to afford another refresh of hardware so quickly.
Regulation Compliance
Different verticals have different regulatory requirements
around security to meet. A bank with global reach
would need more advanced security in its SD-branch
solution than a restaurant with a handful of locations.
An organization must study the specifics of a vendor’s
appliances to ensure that the security aspects meet
regulation requirements.

It is also common for SD-branch vendors to partner with

third-party cloud-based security vendors. Vendors can
then integrate their SD-branch technology with best-in-
class cloud-based security vendors to round out their
SD-branch offering and relieve any customer concerns.

© 2020 SDxCentral LLC. All Rights Reserved. 1

The Big Security Guide | How to Approach Cloud-Native Security
How to Approach Cloud-Native Security
Cloud-native security should be approached by moving
away from traditional manual techniques. IT departments
should focus on automation and integrating security
personnel into DevOps teams to form DevSecOps.
Cloud-native apps are able to scale much faster than
legacy apps because of their microservice architecture
packaged in a container-based infrastructure. This speed
means automation is required instead of manual security
approaches, which are too slow.
Bringing security teams into DevOps groups ensures
security is built into the code of an application instead of
being retrofitted once problems are identified. This also
makes responses to problems faster and more precise.
Cloud-Native Security and Microservices
Benefits
Microservices allow DevSecOps teams to decompose
security programs into smaller, individual, and easier
to manage services. However, the rate of change in a
cloud-native application is magnitudes greater than in a
traditional app, and the sheer amount of microservices
in a given app makes manual security approaches
untenable. The shift to automation tools makes for
improved control and management of microservices for
security purposes
The continuous integration and continuous delivery
(CI/CD) approach that is common to cloud-native
apps can keep any application up to date. Traditional
applications, which did not have microservices, needed
software patches that were often large and complicated.
Microservices allow for updates to be fast, small, and
immutable. Immutable means that the microservice
is unchangeable. Once the object is created, it is
uneditable.
There is also less risk of breaking a whole application
during an update than compared to a traditional
application. As an architecture, microservices are loosely
coupled to each other and are fairly independent,
so a change to one does not have a huge impact on
another. In the tightly coupled architecture of traditional
© 2020 SDxCentral LLC. All Rights Reserved.
applications, a small change can have a large impact for
the worse.
In a DevSecOps scenario, developers are able to focus
on a specific piece of a project, producing better results.
Disadvantages
When a cloud-native application is scaled up for high
traffic, there is a massive number of microservices
functioning. Because of all the APIs that the
microservices have to communicate to ports, there is an
exponential increase in attack surface.
Cloud-Native Security and Containers
Benefits
To reduce the attack surface of the application and its
microservices, container images are kept small. If there’s
less there, then it is harder to attack. There is also an
emphasis on giving containers a short lifespan. A short
existence means a short window of attack. When using
container registries as a resource, a safe bet is to use
a managed container registry like Google’s Container
Registry or Docker Trusted Registry that scans container
images for infections. Alternatively, tools like Anchore
are available that are separate from a registry, and
analyze downloaded containers and enforce policy.
Kubernetes, an open source container platform,
allows for visibility of the containers it orchestrates so
developers can see what their program is doing. Using
declarative language, containers deviating from an app’s
declared ideal state are automatically replaced with the
previous stable version.
Containers also have an immutable aspect. When there
are issues, individual containers are replaced, instead of
being modified.
Disadvantages
There are a few concerns around containers and security.
One is how trustworthy the source of a container
image is (supposing the developers did not make one
from scratch). According to Ben Hale, lead of Java on
Cloud Foundry, a best practice is, “using official images
2
The Big Security Guide | How to Approach Cloud-Native Security
provided by OS vendors to the public. These vendors are
close to their communities, are aware of vulnerabilities
before they are made public, and are strongly
incentivized to keep images safe.”
For the greatest degree of control over the process,
engineers can build containers from the ground up. Hale
emphasizes this for images beyond the base OS images.
Another concern is how much access the container has
to the host OS. Using non-root containers with relatively
few privileges makes it so malicious code does not
spread as easily.
Third, Kubernetes can widen the attack surface. The
orchestrator itself can be targeted by attackers. The
Kubernetes API can act as a backdoor where hackers
may access any pod (group) of containers they want.
Cloud-Native Security and Infrastructure
The security of cloud-native applications does not have
to be viewed through microservices and containers.
There are infrastructure-based elements as well.
Using a service mesh enhances communication in a
system by connecting the platform monitoring tool with
the security infrastructure. Monitoring becomes more
granular and can be managed in a more automated
fashion with a declarative approach.
Policy as code is an approach to security that gives
DevSecOps teams more control and influence over the
security system.
Policy as code means that a rule developers want
the program to always follow is written into code.
An example from Justin Garrison and Kris Nova’s
2018 book, Cloud Native Infrastructure: Patterns for
Scalable Infrastructure and Applications in a Dynamic
Environment, is about deployment gating. Say a
developer doesn’t want to deploy code after 3 p.m. on a
© 2020 SDxCentral LLC. All Rights Reserved.
Friday without manager approval. The developer codes
the system to check the day and time, and then request
manager approval if it is 3 p.m. or later. Then, if the
manager approves it, the code can be deployed.
Policy as code should be the same as any other code.
It should have the same syntax and the same approach
to being changed as other code. Changes should be
tracked and commented on in the same way as well.
Gating deployment of applications is another area
where automation is key. It would cost a lot of time for
humans to parse through all of the oplicies and enforce
them individually. Another issue is that interpretations of
policies are not the same from person to person.
Again, immutability has something to offer. It does not
cost much in resources to deploy new virtual machines
(VMs) or containers. It makes sense then to keep them
static and just replace them with corrected versions.
For example, Capsule8, a cloud security company,
says that to ensure visibility, and therefore security,
information should be gathered from the host, VMs,
containers, apps, and API services. That information
should then be sent to an engine for real-time decision
making. Capsule8 also says integration of workload
orchestrators and deployment automation tools allow
security tools to be deployed automatically alongside
the workload the tools are protecting.
In Summary
Traditional security approaches cannot sufficiently
keep pace in a cloud-native environment. Microservices
and containers have their pros and cons: They make
large attack surfaces but are immutable and easy to
fix. Automation is the name of the cloud-native game,
as well as including security teams in development
pipelines to integrate security policies as code.
3
The Big Security Guide | What Are the Top 5G Security Challenges?
What Are the Top 5G Security Challenges?
The top 5G security challenges include IoT devices and a
spike in network breaches.
Telecoms are working to combat these challenges by
securing the edge and architecting their networks to
detect breaches through automation.
5G Security Threat Landscape
5G networks support a massive number of connected
devices. They enable a huge increase of bandwidth
over LTE, and create a threat landscape different from
previous networks. Security challenges stem from the
very attributes that make 5G such an improvement.
IoT, which is a major component of 5G network
architecture, remains a major security risk. IoT devices
are one of the most-attacked types of hardware,
making up over 78% of malware detection events in
communication service provider networks in 2018,
according to a report by Nokia.
“If an IoT device today is plugged into the network,
and it doesn’t have protection in it, it’s infected in three
minutes or less,” said Mary O’Neill, VP of security at
Nokia at an MWC Los Angeles press conference in 2019.
High-profile breaches are on the rise. In 2019, publicly-
recorded breaches increased by 25%, and the rate of
breaches is “exponentially increasing,” according to
Wipro’s 2019 State of Cybersecurity Report.
Securing New 5G Use Cases
The coming 5G networks have the potential to explode
vertical industries, enabling the creation of a wide array
of new services — all of which will demand new, varying
levels of security.
Autonomous Vehicles: The threat of automotive
cyberattacks will rise as autonomous vehicles become
more widespread. To combat this, the National Highway
Traffic Safety Administration employs a multi-layered
approach to cybersecurity as it approves driver
assistance technologies.
Healthcare: In the healthcare field, 5G capabilities will
help with faster transfer of large patient files, remote
© 2020 SDxCentral LLC. All Rights Reserved.
surgery, and remote patient monitoring via IoT devices
among other advances. However, those advances are
tempered by the need for ever-stronger security. The
above Wipro report states that the healthcare industry
was the target of 48% of data breaches in 2018. It adds
that the growth of IoT device use will make dealing with
increasing cybersecurity risks more challenging.
Smart homes: 5G-enabled smart homes will require
stronger methods of authentication, such as biometric
identification, seen in software made by Sensory
that uses voice and face recognition, or the bevy of
fingerprint-access door locks available at hardware
stores. In December 2019, a set of breaches into
Amazon’s home camera security product Ring sparked
outrage, as hackers were able to access cameras in
users’ homes and on their front porches.
In general, IoT devices and sensors will demand more
complex authentication to prevent unauthorized access.
5G Security and New Network Architectures
Cloud virtualization technologies such as software-
defined networking (SDN) and network functions
virtualization (NFV) are thriving in anticipation of 5G
networks. However, they too come with new security
concerns. Because of their open, flexible, programmable
nature, SDN and NFV open up a new avenue of security
threats. For example, a network element of an SDN such
as the management interfaces could be used to attack
the SDN controller or management system and bring
down the system.
Research from the Journal of ICT Standardization
suggests a multi-pronged approach to 5G security,
including trust models, authentication and key
agreement, and an extensible authentication protocol-
based secondary authentication, among others.
The security of 5G network infrastructure must evolve
alongside the standard. For example, because 5G
networks can be sliced into uniquely purposed slices,
each virtual network slice could demand unique
security capabilities based on the needs of different
usage scenarios. Also, compromised Radio Access
4
The Big Security Guide | What are the Top 5G Security Challenges
Network (RAN)-side 5G devices might present a larger
Distributed Denial of Service (DDoS) threat.
Tackling 5G Security
Wipro’s report outlined five network components in
ensuring 5G security:
• A secure edge
• A secure SDN controller
• Proactive analytics
• Hypervisor and container security
• Security through orchestration
Securing the edge means ensuring real-time detection
capabilities at the edge. The network must find and stop
breaches before they make it to the core.
Securing the SDN controller means enabling dynamic
security protocol through northbound and southbound
APIs. Northbound APIs gather intelligence about
network activity. Southbound APIs control switches,
routers, and firewalls to end attacks as they occur.
Proactive security analytics uses machine learning
and AI to detect unusual activity in the network that
may indicate a breach. Detection of a brach is based
on previously-learned network patterns and trends in
previous breach attempts.
Hypervisor and container security mean ensuring
that virtualized network elements are protected from
© 2020 SDxCentral LLC. All Rights Reserved.
exfiltration and VM-based attacks that come from
east-west and north-south traffic. Network operators
should include hypervisor inspection and hardening
mechanisms in order to guard against such attacks.
Finally, security through orchestration means taking
advantage of 5G’s software-defined, disaggregated
architecture, to orchestrate VNFs to automatically react
to a breach. VNFs can alert the orchestrator of a breach.
The orchestrator then instructs the SDN controller to
enact security protocol and control routers and firewalls
to halt the attack, as well as tighten access control.
5G Security: Key Takeaways
1. 5G security is more important than ever, as breaches
continue to increase in frequency and volume.
2. IoT devices pose a huge threat to the network.
3. 5G use cases, such as autonomous driving,
healthcare devices, and smart homes mean that
attackers have more access to personal data than
ever.
4. A 5G network must be architectured to evolve to
growing security needs.
5. 5G requires end-to-end security that uses its
software-defined architecture to automatically
detect and mitigate threats.
5
The Big Security Guide | What is Docker Security?
What is Docker Security?
Docker security issues, and container security issues
generally, are not too different from the issues that
container technology has faced for some time. Container
technology arose from the need to run certain workloads
in isolation — not so much to protect those workloads,
but to protect everything else from them.
Security-related needs triggered the development trend
that eventually led to Docker. Although Docker is taking
steps to plug potential holes in container development
platforms, security is a moving target, and more work is
always needed.
Docker Security Risks
One problem large organizations face today when
adding Docker to their production environments is
ensuring that developers employ best-practices, as the
platform has no inherent security mechanism.
A best practice for security engineers is to consider the
connection between containers and the kernel of the
operating system (OS) that hosts their Docker daemon,
and how exploitable the relationship could be. An exploit
delivered by way of a container could conceivably attack
the kernel of its host, rendering the OS vulnerable.
In an attempt to reduce the risk of kernel-OS
exploitation, organizations may deploy their Docker
environments on virtual machines — rendering the
containers’ host kernels virtualized. Therefore, the kernel
is partitioned exclusively from the processor’s native OS.
While this eliminates the threat from one known exploit
vector, it also diminishes the performance of containers
in production.
Compliance Guidelines
Docker Inc. and its platform subscribe to container
compliance guidelines set by governmental and non-
governmental organizations, such as the Information
Technology Laboratory (ITL) of the National Institute
of Standards and Technology (NIST) and the Center for
Internet Security.
Encryption-Based Solutions for Docker
Security
© 2020 SDxCentral LLC. All Rights Reserved.
Docker Content Trust
Docker Inc. has responded to the need for improved
Docker security with containers and images by creating
a system called Docker Content Trust, which forces
developers who push images to Docker Hub and other
registries to encrypt the image. In addition, images that
have signatures from the creator(s) are filed under the
Verified Publisher section, which is more trustworthy.
Organizations can automatically limit containers running
in a production environment to only those images whose
constituent parts (including its master pulled from the
registry) are digitally signed and verifiable. This way,
organizations know they’re not running containers that
have been tampered with, and can rely upon the good
standing of the institutions that signed the images.
Key Management Risk
It can be risky to rely exclusively on a method so
dependent on encryption for container security.
Encryption can merely shift the single point of failure
to the organization’s key management systems.
However, there is little or no argument against the use of
encryption as part of a larger security system.
In November 2015, Docker Inc. addressed the issue of
key management for Docker security by announcing
support of YubiKey, a physical, USB-based digital
key manufactured by Yubico. YubiKey can be used
in conjunction with an access control system that
verifies the physical presence of the user logged in at a
particular terminal. Operations involving the acquisition,
composition, and deployment of containers can be
restricted to individuals whose YubiKey is accessible to
the host kernel.
6
The Big Security Guide | What is Cloud-Based Security?

What is Cloud-Based Security?

Cloud based security services are migrating from New Architectures
dedicated hardware solutions to cloud-based security
Pursuing a cloud-based security model does have
services using a Software as a Service (SAAS) model.
challenges. In order to deliver comprehensive protection,
The increase in virtualized and cloud networks is security must be written into the architecture of a
boosting demand for cloud based security, because data network. There are also a wide range of security needs,
and applications are now more portable and distributed which all require different applications and needs. In
across a wide variety of networks. This means that addition, the move to cloud-based applications poses its
security applications need to live as software in the own threats.
cloud, rather than as dedicated hardware appliances
The three most pressing cloud issues for businesses
protecting specific points of the network.
remain email security, web security, and identity and
A Fast-Growing Market access management. Throw in bring your own device
(BYOD) trend from employees moving around within
Demand is rising for cloud based, SAAS security
their company, Distributed Denial of Service (DDoS)
solutions and the market is growing rapidly. These
attacks, and advanced threats, and many corporate
services can be provided as single features or as part of
IT managers are finding the need for a multi-faceted
a larger, integrated SaaS package. Most current security
approach to security.
systems possess outdated technology that relies on
human monitoring which opens the opportunity door for One of the largest challenges of implementing cloud-
more automated versions in the cloud. These security based security is the need to maintain consistent control
tools are also being integrated with software-defined and visibility across the different domains. With many
networking (SDN) SDN to deliver a network that can use existing networks, there is a combination of public and
real-time analytics and monitoring to protect against private (and even hybrid) cloud-based services, which
emerging threats. makes the integration of security services and strategy a
big task.
The entire managed security services saw 10% growth
in 2014, up to $15.8 billion, with cloud-based offerings
making up 46% ($7.2 billion) of that amount. That
equates to a 13.5% growth in the cloud-based market
from 2013 when it was worth $6.3 billion. The experts
at IHS/Infonetics predict that cloud-based security will
pass traditional Customer Provided Equipment (CPE)-
based security services by 2018.

Pricing is another main benefit of cloud based security,

through usage-based pricing. This model dictates that
there will be savings in the original investment, as well
as funding for later maintenance of the system. With
software continually being developed, you will not have
to replace large and pricey pieces of equipment.

© 2020 SDxCentral LLC. All Rights Reserved. 7

The Big Security Guide | Five Elements of Cloud Security
Five Elements of Cloud Security
The five elements of cloud security are a secure
architecture, enforcing compliance, practicing due
diligence, monitoring the network, and incorporating
solid authentication protocol.
Architecture
While cloud typically means outsourcing some or all
of an organization’s IT infrastructure, ultimately the
organization is responsible for infrastructure security.
This starts with understanding cloud architecture.
Organizations should understand the security limitations
of their cloud service. Such as what the provider
offers and what the organization is responsible for. For
example, if an enterprise chooses a service provider that
offers an Infrastructure-as-a-Service (IaaS) cloud, then
the enterprise is expected to handle most of the security
set up.
This is because the enterprise is in charge of the
software overlay, which is where most of the security
features will be. While this creates more work, it also
gives the organization more direct control over how
their security is set up.
On the flip side, if the cloud service provider is in
charge of a cloud service software (software-as-a-
service applications), the provider is expected to
enforce application and data security. This is less work
for the organization but provides less control over
cloud security as the service provider handles most
of the security enforcement. This is even more true
for organizations purchasing managed cloud services,
where their IaaS is managed completely by a third party.
Overall, organizations need to know the elements of
cloud security architecture to understand potential gaps
in security coverage, what they are responsible for, and
how to secure weak points in cloud computing.
Items that enterprises may need to implement
include virtual firewalls and intrusion detection
systems and intrusion prevention systems (IDS/IPS).
Understanding the security architecture is the first step
to understanding cloud computing security.
© 2020 SDxCentral LLC. All Rights Reserved.
Cloud Security Compliance
The next step is to analyze compliance. Many countries
are imposing data privacy regulations and fines on
companies that do not adequately protect users’ data.
An example of this is the EU’s General Data Protection
Regulation (GDPR), which levies hefty fines for violations
– 4% of annual turnover or €20 million. Regularly
researching regulations is a priority for organizations.
Practicing Due Diligence
Enterprises should constantly analyze and review their
compliance. As well, they should evaluate the security
measures currently in place and be up to date on the
latest security breaches. Hackers constantly discover
new points of entry. It’s up to enterprises to remain
educated on these new breaches to confront potential
attacks head-on.
Monitoring and Visibility
Investing in performance management tools is
another critical step to monitoring the health of the
cloud network. A network performance management
(NPM) tool spots issues affecting the network, such as
traffic bottlenecks and suspicious activity, and alerts
IT professionals of the issues. Incorporating an NPM
product helps enterprises stay informed on its network
activity. It also allows IT professionals to resolve any
issues that negatively affect the network’s computing as
the issues occur.
Authentication
Enterprises should implement centralized login
management systems, cloud access security brokers
(CASBs), encryption, encryption key management,
tokenization, and two-step or multi-factor
authentication. All these tools add barriers to halt
hackers from infiltrating sensitive data. Additionally,
backing up data and investing in data loss prevention
tools keep an enterprise’s data accessible in case a
hacker successfully enters cloud storage.
8
The Big Security Guide | Data Center Security and Network Virtualization
Data Center Security and Network
Virtualization
Data center security refers to the process of using
physical and virtual components (such as firewalls)
to protect a data center from malicious activity. In
recent years, network virtualization has improved and
expanded what security tools are available to data
center operators.
Virtualized Data Center Security Essentials
In a data center network, the core elements are
authentication, authorization, and accounting, or AAA.
Authentication of users is done through multi-factor
authentication where users enter a password in addition
to something like a YubiKey or a code that was sent to
their phone. Authentication is foundational to the other
two elements.
Authorization is the curation of an access list that
determines what level of access employees have. It
relies on having the identity of the employee, which is
provided through authentication. Virtualization improves
authorization because, with it, authorizations can be
changed on demand from a central location. Changes
may be in order when the scope of an employee’s job
© 2020 SDxCentral LLC. All Rights Reserved.
fluctuates, or when an organization’s needs shift.
Accounting is the final element and refers to the
collection of network data for analysis and auditing.
Without authentication, the network management
software would be lacking critical information giving
context for who or what generated certain data.
Virtualization is critical for accounting because it adds
visibility to the network, which increases the amount of
data that can be collected.
Role-Based Access Control
Role-based user access (RBAC) is a key component
of data center security. By virtualizing the network,
administrators can establish rules through centralized
management software. The software can often
intelligently identify users through multi-factor
authentication. Different users are given different
degrees of access to network resources depending on
what the user needs to do their job. For example, some
users may be granted total access to working with data
center resources, while other users may only be able to
view application traffic flow.
9
The Big Security Guide | Data Center Security and Network Virtualization
Software-defined networking (SDN), a complementary
technology to network virtualization, also makes
RBAC easier by centralizing network management and
enabling direct programmability in the network. This
means administrators can program the network to adjust
to the needs of the organization on-demand and modify
user permissions when needed.
Microsegmentation
Microsegmentation enables security architects to
separate different parts of the data center into precise
segments. The granularity can go down to a server’s
individual workloads. Unique policies can be established
to the different segments that have been created. The
degree of security established by the policies depends
on the regulatory and compliance requirements of the
segment’s data.
Microsegmentation is possible thanks to network
virtualization. It is similar to how VMs split up the space
on a server to have multiple distinct instances run at the
same time. Virtualized networks are overlays on physical
infrastructure, which is basically used as the connections
data travels through. Changes to the network can be
done as needed because the virtual network is an
abstracted overlay. Changes include microsegmentation
to new workloads to keep them isolated and secure.
Isolation of VMs, for example, can prevent the lateral
spread of an attack from application to application. This
east-west communication has become more common in
data center networks as servers are increasingly talking
© 2020 SDxCentral LLC. All Rights Reserved.
to other servers in their network. By segmenting the
network, a data center limits the risk of attacks being
able to move to other applications or servers because
there are fewer instances of them talking to each other.
The security policies that are part of virtualizing the
network can route traffic through virtual firewalls within
a segment before it goes to another server. This is
commonly implemented through service chaining. In a
traditional data center network, traffic steering would
send information through multiple different devices
for each of the security and networking functions. This
slowed processes down and was inefficient compared
to the more modern technique in use by VMware’s NSX
platform. The platform uses service chaining, which is
the insertion of multiple functions, like firewalls or load
balancers, into a forwarding path
Data Center Security: Key Takeaways
1. The three core elements of data center security are
authentication, authorization, and accounting.
2. Access control software is able to identify users, find
out how much access to network resources they are
assigned, and keep them within those limits.
3. Software definition of a data center brings
intelligence and centralized control to the data
center’s network.
4. Microsegmentation of the network can be highly
granular and prevents attacks from spreading from
application to application or server to server.
10
The Big Security Guide | What is Security Virtualization?
What is Security Virtualization?
Security virtualization is the shift of security functions
from dedicated hardware appliances to software that
can be easily moved between commodity hardware or
run in the cloud.
The increased virtualization of the computing and
network environments is putting more requirements
on flexible, cloud-based security. Networks and data
centers dynamically create software-based networks
and computing functions such as virtual machines
(VMs), so the security functions must also be virtualized
in a portable way to move with the applications and
computing workloads.
From Physical to Virtual
Physical security devices are typically inserted on the
perimeter of a network to provide protection, enabling
access to the network by authenticated users. In a virtual
environment, networks, workloads, and virtual machines
are consistently being set up, torn down, and moved
around inside a data center or network, shifting the
focus of the security needs.
In addition, because multiple virtual networks
can operate across the same underlying physical
infrastructure, security must address each layer of
virtualization. VMs, for example, have additional security
complexity. They pose security risks because they
operate as digital files that can be moved, regardless of
physical infrastructure. These trends have driven more
security virtualization.
Segmentation and Isolation
Security virtualization uses software installed on virtual
networks to monitor workloads, applications, and access
© 2020 SDxCentral LLC. All Rights Reserved.
to VMs. The security can also manage security policies
for access to virtual networks and workloads themselves.
Two common concepts in virtualized security are
segmentation and isolation. With segmentation, specific
network resources are only accessible to specified
applications and users. This can be achieved with virtual
software in addition to physical security devices.
Another important approach is isolation, which
allows discrete applications and workloads to operate
independently on the same network. An example of this
would be segmenting the portion of the network dealing
with sensitive information, such as credit-card data.
With the advent of software-defined networking (SDN),
segmentation can be built into virtual network fabrics.
For example, an SDN network could be set up to have
several secure layers, depending on policies assigned to
various applications. Microsegmentation is another trend
in SDN security that is driving security virtualization.
With microsegmentation, additional layers of security
can be added at the application and workload level.
Microsegmentation applies specific security policies to
workloads and applications, in a manner that can enable
the security functions to follow workloads around the
network if they are moved, an approach that is common
in today’s virtual infrastructure.
Security virtualization is a strong trend and is likely
to remain that way as more applications are run in
the cloud and networks grow increasingly virtualized.
New forms of security software than can be installed
to monitor and manage security policies on virtual
infrastructure will be needed.
11
The Big Security Guide | Edge Computing Security Challenges
Edge Computing Security Challenges
The top edge computing security challenges are having
network visibility, secure operating systems, encrypted
data, and user authentication mechanisms. As edge
computing adoption rises, the heightened exposure of
user data has security experts focusing on detecting and
addressing the ways sensitive data could be breached.
Why is Edge Security Important?
Edge security is important because it maintains privacy
of the user and preserves user trust in the edge and
other networks.
The network edge can be a weak point in the network
because of a lack of physical security and the absence
of or weakness of security measures in the devices using
edge computing.
Carelessly-made Internet of Things (IoT) devices, or
weak passwords on employee-owned devices, create
vulnerabilities for the whole network. Establishing a
uniform level of security for all hosts, and keeping all of
them patched, is a way to make edge computing less
risky.
© 2020 SDxCentral LLC. All Rights Reserved.
IEEE published a research paper outlining important
requirements for edge security and privacy. Important
points include:
• Information integrity is key to assuring that
data is securely transmitted without undetected
modification. If integrity exists, then trust follows.
• Security mechanisms should guarantee the
outsourcing information of users, such as data,
personal identity, and location, is kept secret from
adversaries.
• Suggested security mechanisms include encryption,
integrity audits, and features like authentication and
access control.
Who or What is Targeted on the Edge?
The edge network user, IoT devices, the data on the
network, and the edge network itself are all targets for
attack on the edge.
IoT devices are major targets because they have implicit
trust for other devices and do not verify the credibility
12
The Big Security Guide | Edge Computing Security Challenges
of connections. They are also often released before
they have suitable security measures included so the
company can be the first to market.
Edge computing’s vulnerabilities come from its
distributed nature, whether there is limited physical
security, or difficulties around total network visibility.
How Companies Can Secure Edge Nodes
Visibility
A key component to securing any network is visibility.
An operator needs to know what is happening on the
network to ensure that it is working properly and that
users are behaving properly.
This is particularly important in the IoT world, as devices
send potentially sensitive data to clouds that users
cannot be certain are safe. Moreover, the vast majority
of applications for users to interact with or monitor IoT
devices have little to no security testing.
Secure Operating System for Edge Platforms
Internet Technology Letters published a proposal
regarding a new security architecture for when IoT
devices use edge computing. The architecture focuses
mainly on an operating system for edge computing.
Elements of a secure edge operating system include
authenticated network nodes, using named data
© 2020 SDxCentral LLC. All Rights Reserved.
networking (NDN) instead of a traditional IP addressing,
and authenticated users.
VPN and General Encryption of All Data
Whether the edge is being used for IoT or to increase
throughput at an enterprise’s location, data encryption is
recommended.
It is not guaranteed an edge computing device will be
encrypted or support transport layer security (TLS),
although devices can have these capabilities. If there
is no form of encryption, a VPN is a good option for
data encryption and secure transmission because of its
availability and reliability with options like OpenVPN.
User Access Management
The IEEE paper referenced above included specifications
on user access control, which regulates who can access
the network and how they can use it, specifically the
reading and writing of data.
Authentication mechanisms are necessary to keep out
malicious users and deny unauthorized users access
to resources in the edge and core. The IEEE paper
recommends a fine-grained access control system
for every trust domain in the edge network by using
attribute-based encryption or role-based encryption.
Another approach to ensure security is to use trusted
platform modules (TPMs).
13
The Big Security Guide | What is SD-WAN Security?

What is SD-WAN Security?

SD-WAN security is based largely on the use of SD-WAN Security Basics: IPsec and VPNs
IP security (IPsec), VPN tunnels, next-generation
IPsec-based VPNs are nearly universal to all SD-WANs.
firewalls, and the microsegmentation of application
Since an SD-WAN uses the public internet in addition
traffic. Network administrators centrally manage and
to MPLS connections, a VPN or IPsec tunnel is required
orchestrate these security elements through software
to, at the very least, ensure traffic is not interfered with
that grants granular visibility into the network through a
between the sender and receiver.
single dashboard.
This is done by:
The combination of WAN virtualization and the practice
of placing applications in the cloud has extended • Authenticating the sender, receiver, and packets that
the network perimeter out from the organization’s are sent
headquarters. This necessitates security functionality to
• Using encryption keys already shared by the hosts
be at an organization’s headquarters, branch locations,
sending and receiving the data, or using public and
and the cloud.
private key encryption
Virtualized security network functions can better keep
• Ensuring packets have not been tampered with by
up with evolving security threats and to control the cost
using the Encapsulating Security Payload (ESP)
of updating and upgrading security elements. SD-WAN
protocol
security’s use of virtual machines means software
updates can be installed on existing hardware, rather • Confirming that the origin of packets is trusted
than having to install new hardware for every update, through an Authentication Header (AH) that looks at
saving time and money. the IP header

This depiction of end-to-end segmentation from Cisco shows the path of data in an SD-WAN to and from the WAN edges through
the network connections. The vSmart component is Cisco’s SD-WAN controller that handles routing. Source: Cisco

© 2020 SDxCentral LLC. All Rights Reserved. 14

The Big Security Guide | What is SD-WAN Security?
Visibility
A major benefit of SD-WANs over traditional WANs
is the level of visibility into the network SD-WAN
provides. Network administrators are able to manage
and orchestrate the network centrally, monitoring traffic
for inconsistencies. With this functionality, network
administrators can ensure applications are performing
sufficiently, troubleshoot network problems, and confirm
security elements and policies are running correctly.
However, the degree of visibility depends on the
SD-WAN vendor. Some vendors go down to the user/
device level, while others only go to the application level.
The information the SD-WAN gathers from the user,
device, or application gives insight on whether the traffic
is coming from a trusted or less trusted source.
Application-level visibility of network traffic gives
network administrators details on what applications
are using bandwidth, how much resources they are
using, and how well they are performing. Network
administrators use visibility to granularly establish
security policies for what applications or IP addresses
users can access.
Additionally, nearly all other security features in an
SD-WAN are reliant on the amount of network visibility
because the software can only interact with the traffic it
can detect. Next-generation firewalls are not reliant on
network visibility because they are analyzing all traffic
passing through them.
Device-level visibility goes beyond just showing data
about the applications creating traffic, but on the device
using the application, and the person using the device —
if there are identifiers connecting the user to the device.
Device-level visibility gives greater granularity of security
policies that can be applied to the network. It can group
users and determine their level of access to the network
and what they are doing on the network.
© 2020 SDxCentral LLC. All Rights Reserved.
NGFW for SD-WAN Security
A next-generation firewall (NGFW) is a key element
of SD-WAN security. Deployed at branches as well as
headquarters, an NGFW is a virtualized and improved
version of traditional hardware-based firewalls. An
NGFW runs multiple virtual network functions (VNFs),
such as application awareness, intrusion detection and
prevention, URL and web content filtering, malware
detection, and antivirus protection. NGFWs and the
VNFs they run can be based in the cloud in addition to
on-premises.
Microsegmentation
In an SD-WAN, it is possible to segment the traffic from
different applications based on its characteristics and
the network policies established for the SD-WAN by
network administrators. Segmentation is the creation
of virtual networks within the SD-WAN’s virtualized
network overlay. Segmentation allows traffic from
different applications or groups of applications to be
segregated from each other. The attack vector is then
eliminated and security policy and quality of service can
be applied much more granularly. Different policies can
be applied to individual segments.
Microsegmentation is able to segment traffic down to
the workload. By keeping very specific types of traffic
separate from each other, traffic that is coming from
a less secure location cannot interact with sensitive
information.
15
The Big Security Guide | What’s So Sassy About SASE?
NEWS
What’s So Sassy About SASE?
by Tobias Mann
The secure access service edge (SASE) promises
to address changing enterprise traffic patterns, and
threatens to render SD-WAN stalwarts irrelevant in the
coming years, according to a recent Gartner report.
In its 2019 Hype Cycle report, Gartner defines SASE
— pronounced “sassy” — as an emerging market that
combines elements of SD-WAN and network security
into a single cloud-managed package.
It’s a technology that Gartner has called
“transformational.”
“SASE will be as disruptive to network and network
security architectures as [infrastructure-as-a-service]
was to the architecture for data center design,” the
report claims.
SASE vs. SD-WAN
Unlike a traditional WAN, SASE does away with the
concept of connecting the branch to the central office
© 2020 SDxCentral LLC. All Rights Reserved.
October 20, 2019
and instead shifts to a model that connects users and
equipment at an individual level to a centralized cloud-
based service.
In traditional enterprise networks the data center
is the focal point for access. Gartner contends that
this approach has become increasingly ineffective as
businesses transition to software-as-a-service (SaaS),
cloud services, and edge compute platforms.
Gartner acknowledges that the enterprise data center
isn’t going anywhere soon, but maintains that it will
become less relevant as service move to the cloud. The
enterprise data center effectively becomes just another
branch.
“A branch office is simply a place where multiple users
are concentrated,” the Gartner report states. The same is
true for a salesperson working remotely, only they are a
branch of one.
According to Gartner, SASE brings with it several
16
The Big Security Guide | What’s So Sassy About SASE?

NEWS

advantages over existing technologies, not the least
of which include greater flexibility for the end-user,
reduced operational complexity and costs, and better
performance.
Distributed Access
The distributed nature of SASE will make the number
of points of presence (P0Ps) offered by a vendor an
important factor for customers evaluating a solution.
“The SASE solution should offer distributed [PoPs] and
a portfolio of traffic-peering relationships,” the report
notes.
This approach means enterprise data will only rely on
the open internet to get to one of the SASE vendor’s
PoPs.
An Emphasis on Security
SASE will also open the door to enhanced security
features including support for content inspection and
zero-trust network access. Enterprises using a SASE
platform supporting content inspection could scan
active sessions for malware and sensitive content
regardless of where the device or user are located.
Emerging SASE Market
While still a relatively new technology with less than 1%
adoption, Gartner anticipates many vendors will begin
rolling out SASE products over the next several months.
Gartner reports that no vendors are offering a
comprehensive SASE product today, but notes there
are several SD-WAN and cloud-based security providers
well-positioned to move into the space in short order.
Even then the technology isn’t expected to reach
mainstream appeal for another five to 10 years, and is
likely to undergo significant changes within that span of
time.
Because of this, Gartner warns early adopters to limit
contracts to no more than two years and include
acquisition protection clauses. It also warns customers
should be wary of vendors trying to link several services
together using virtual machine (VM) service chaining to
reduce the time to market.
“This approach may speed time to market but will result
in inconsistent services, poor manageability, and high
latency,” the vendor explains.

And because SASE doesn’t rely on the IP address or

physical location of the device for policy enforcement,
Gartner says enterprises can employ a zero-trust
approach to networking, allowing for consistent policy
enforcement and security wherever the user is working.

© 2020 SDxCentral LLC. All Rights Reserved. 17

The Big Security Guide | NSA Ranks Cloud Security Risks

NEWS

NSA Ranks Cloud Security Risks

by Jessica Lyons Hardcastle January 31, 2020

Moving to the cloud can improve a company’s security Shared Responsibility

posture — but cloud services aren’t without risks, and
The NSA report also discusses the concept of shared
organizations should both understand and address
responsibility. This is important because security vendors
these risks before buying these services and deploying
and cloud service providers alike say many of their
workloads in the cloud. To that end, the National
Security Agency (NSA) published new guidance titled customers still don’t have a strong grasp on this model

“Mitigating Cloud Vulnerabilities.”
The report targets companies’ leadership and
technical staff. It highlights the basic components of
cloud architecture and threat actors. And then it also
ranks four different types of cloud security risks —
misconfiguration, poor access control, shared tenancy
vulnerabilities, and supply chain vulnerabilities — that,
according to the NSA, account for the vast majority of
known security flaws.
While each cloud service providers’ architecture will be
slightly different, most clouds have four components in
common. This includes identity and access management
— these are controls in place for customers to protect
access to their resources and controls that the service
providers use to protect back-end cloud resources — as
well as compute, networking, and storage.
and how it works. Cloud providers like Amazon Web
Services (AWS) and Microsoft Azure are responsible
for protecting their public cloud infrastructure and
implementing logical controls to separate customer data.
The customer, however, is responsible for configuring
application-level security controls, and for protecting
its workloads running on cloud servers. In other words,
both the cloud provider and the customer have a shared
responsibility when it comes to cloud security.
“Shared-responsibility model is a tough one,” said James
Christiansen, VP of cloud security transformation at
Netskope. Part of the difficulty comes from “a mindset
that when you outsource something, you wash your
hands of it.”
In other words, when companies move from their
on-premises infrastructure and into the public cloud,

© 2020 SDxCentral LLC. All Rights Reserved. 18

The Big Security Guide | NSA Ranks Cloud Security Risks
NEWS
often they just assume that AWS or Azure is responsible
for all the security measures needed to protect the
resources running in the cloud. However, this is not the
case.
Also, Christiansen says he’s not a fan of the term
“shared responsibility.” Instead, “I would just go with
a responsibility matrix: these are your responsibilities,
and these are ours,” he added. “There are very distinct
responsibilities, and when you see those failures, it’s
often the failure of not understanding the part that they
are responsible for.”
NSA’s Top 4 Cloud Vulnerabilities
The NSA categorizes cloud vulnerabilities and
mitigations into four groups. It also says how prevalent
each one is, and what level of sophistication it requires
for an attacker to pull it off.
Misconfiguraiton, a widespread threat that requires a
low level of sophistication, tops the list. According to the
NSA, misconfiguration of cloud resources remains the
most prevalent cloud vulnerability.
“Often arising from cloud service policy mistakes or
misunderstanding shared responsibility, misconfiguration
has an impact that varies from denial of service
susceptibility to account compromise,” the report says.
“The rapid pace of [cloud service providers’] innovation
creates new functionality but also adds complexity to
securely configuring an organization’s cloud resources.”
The report says least privilege and defense in depth
are two of the security principles that organizations
should apply from the planning phase. A least-privilege
model restricts access for accounts to only the resources
required to perform routine, legitimate activities.
Defense in depth involves placing multiple layers of
security controls throughout an IT system.
The No. 2 vulnerability — poor access control — happens
when companies have weak authentication methods in
place to allow access to cloud resources, or when these
cloud resources have flaws that enable attackers to
bypass these methods. The NSA deems this vulnerability
widespread and says it requires a moderate level of
sophistication to pull off.
© 2020 SDxCentral LLC. All Rights Reserved.
Organizations can mitigate poor access control by
enforcing strong authentication protocols such as multi-
factor authentication and using automated tools to audit
access logs.
No. 3, shared tenancy vulnerabilities, remain rare,
according to the report, and require a high level of
sophistication. But these types of vulnerabilities in cloud
hypervisors or container platforms can be especially
severe.
To mitigate these, the NSA advises enforcing encryption
of data at rest and in transit. And for especially sensitive
workloads, companies should use dedicated or bare-
metal cloud instances.
If companies don’t use a dedicated instance,
Christiansen suggests requiring that the cloud provider
perform a forensic analysis of the logs, separating your
logs from those of the other tenants. Organizations
should write this into the contract when they initially buy
cloud services, he said.
Supply Chain Security
Finally, the NSA says the No. 4 vulnerability — supply
chain security flaws — remain rare, and require highly
sophisticated attackers. But many threat hunters and
security vendors agree supply chain security risks are
becoming more common and they expect to see these
types of attacks increase this year.
Supply chain vulnerabilities include inside attackers,
intentional flaws and backdoors in hardware and
software, as well as companies’ partners and suppliers
whose security may not by up to par, and thus, allow
attackers to access their targets’ cloud resources via
their suppliers’ networks.
Christiansen agrees that attackers need be pretty
sophisticated to pull off a supply chain attack, but says
he was surprised to see it rated rare.
“You think about the big corporations and they have
done a really good job of fortifying their security,” he
said. “But then when they go to a third party, the third
party doesn’t have the same level of security, and that’s
when you are seeing the weakest-link problem. We’ve
seen this as far back as the Target breach. It’s a very
19
The Big Security Guide | NSA Ranks Cloud Security Risks
NEWS
big attack surface, and I believe that third parties are
absolutely a target for state-sponsored attacks and
organized attacks.”
While cloud service providers “mitigate the risk of inside
attackers through controls such as role separation,
two-person integrity for especially sensitive operations,
and alerting on suspicious administrator activities,”
enterprises can improve their security posture against
supply chain compromise, the report says. This includes
encrypting data at rest and in transit, and also selecting
cloud offerings that have had critical components
evaluated against National Information Assurance
Partnership (NIAP) Protection Profiles (PPs).
You Can’t Secure What You Can’t See
Christiansen suggests the NSA report could have
included a couple additional pieces of cloud security
guidance.
“The real salient parts are the right ones, and those are
the things companies should be looking at when they
evaluate their security strategy,” he said. “But where
it’s less obvious” is in companies’ multi- and hybrid-
© 2020 SDxCentral LLC. All Rights Reserved.
cloud environment, where organizations may run some
workloads on AWS, others on Azure, and still others in
a private cloud. “How do we bring all these multi-cloud
threat detection tools and be able to monitor these
different environments? That point got a little lost. You
have to look at not just one cloud provider, but all the
cloud providers, and bring those all together in a single
pane of glass.”
He also suggests putting controls in place to ensure that
the security and IT teams know when a business unit
uses a company credit card to purchase a new cloud
instance or even software-as-a-service. “A business unit
could do this, load confidential information on it, and it
would be completely insecure because we didn’t even
know about [it],” Christiansen said. “You can’t do all
those things in the [NSA] guidance if you don’t know
about it.”
Meet with the procurement and financial groups to
review credit card statements and look for cloud
purchases, he said. And then, implement a policy that
says “thou shalt not do this, enforce that policy, and
educate your staff.”
20
The Big Security Guide | Will SD-WAN Solve IoT’s Tough Questions?
NEWS
Will SD-WAN Solve IoT’s Tough Questions?
by Tobias Mann
IoT and SD-WAN might not sound like they belong
together, but ask VMware’s VeloCloud or managed
service provider Apcela and you might be surprised by
what they have to say. The two companies see SD-WAN
as the key to making large IoT deployments manageable
at a human scale.
Sanjay Uppal, who co-founded VeloCloud and now
serves as the head of VMware’s SD-WAN division, said
the expanding scope of SD-WAN has opened the door
to several applications that the technology wouldn’t
normally be associated with, and IoT is one of them.
“You think of IoT, it’s not just IoT running on a cellular
network or IoT running on Bluetooth. You could
absolutely run IoT on your enterprise SD-WAN,” Uppal
said in an earlier interview. “Just think of that IoT traffic
as a new data type that you will steer across the WAN
and you can add services to it as it is steered.”
While IoT may not be a new concept, with some
companies having been in the business for decades,
the rise of IoT to the mainstream is forcing networks to
change, said Apcela CEO Mark Casey. “The evolution of
IoT requires a more agile and more nimble environment
to accelerate it, and for [IoT companies] to accelerate
and grow their own revenue.”
© 2020 SDxCentral LLC. All Rights Reserved.
January 15, 2020
According to Casey, SD-WAN not only has the potential
to address many of the security concerns associated
with IoT, but it can also solve the operational challenges
of managing large deployments.
Here, Apcela has some experience. The company has
been working with Itron, one of the leading makers of
smart water and energy meters, for the past two years.
Is SD-WAN the IoT Security Antidote?
Of all the challenges facing widespread IoT adoption,
security is undoubtedly the biggest concern. To this
point, Mary O’Neill, VP of security at Nokia, said IoT
devices represent just 16% of traffic but account for 78%
of the malware on mobile networks.
“If an IoT device today is plugged into the network,
and it doesn’t have protection in it, it’s infected in three
minutes or less,” she said during a press conference at
MWC Los Angeles in 2019.
Opening the edge to all of these devices poses a
security challenge that isn’t easy to address, adds Casey.
“It’s one of the big things that companies are struggling
with.”
He explained that in a traditional architecture
maintaining security would involve forcing device traffic
back to the data center.
21
The Big Security Guide | Will SD-WAN Solve IoT’s Tough Questions?
NEWS
“So the ability to process things at the edge, manage
security at the edge doesn’t really exist because of this
security issue,” Casey said. But that changes when you
apply an SD-WAN, he added. “Now we can treat traffic
very specifically.”
Itron builds smart meters for all kinds of customers,
including water and energy companies as well as utilities
and municipalities.
“SD-WAN enables us to treat those traffic types — all
the way down to an individual IoT device — with an
independent profile,” Casey said. “We can take a specific
device for a specific customer and give that a specific
template that allows us to treat it from a security
perspective uniquely and it allows us to treat it from an
edge processing standpoint uniquely.”
The result is finer-grained control over these massive IoT
deployments. “That’s one of the powerful things about
software-defined WAN,” he said.
But while SD-WAN may help address IoT’s security
challenges, not everyone is convinced it will be enough.
“Security is one of the biggest factors limiting IoT
expansion,” said Bill Curtis, resident analyst at Moor
Insights & Strategy in an earlier interview with
SDxCentral. “The bottom line,” he said, is that ”IoT
security has to be built-in, not added on.”
IoT Management on a Human Scale
However, even if SD-WAN can’t fully address IoT’s
security challenges, it at least stands a chance to make
the networks supporting them more manageable.
Casey explained that SD-WAN enables network
programmability and automation. This means that new
types of devices can be added to the network without
the need for additional backend hardware. “I can just
reprogram the software to deal with a new type of IoT
device or a new type of IoT traffic,“ he said.
This has the potential to reduce the operational
requirements of managing these networks at scale.
Casey said if an IoT company with 100 locations
across the United States wants to add a new device,
that traditionally would mean someone would have
© 2020 SDxCentral LLC. All Rights Reserved.
to manually log into 100 routers to change the
configuration to accommodate the new traffic.
“With SD-WAN everything is templatized. I can simply
enable a template for a new type of IoT traffic or a
new customer, and I’m able to immediately deploy that
segmentation instantaneously because I have centralized
orchestration, and that orchestration pushes the
configuration out to all of the edge locations,” he said.
“That doesn’t matter whether I have 10, 100, 1,000, or
10,000 [locations].”
Seeing the Problem
But even with the advantages SD-WAN offers in terms of
automation and orchestration, there remains a visibility
challenge. Just how do you manage a network with
the millions or billions of IoT devices that 5G networks
promise to enable? Some say the answer is artificial
intelligence (AI).
According to Ken Gold, director of test, monitoring,
and analytics solutions at EXFO, the implicit complexity
associated with massive 5G IoT deployments is only
going to make identifying and resolving network
anomalies all the more challenging.
He said for most customers, a dropped call or
broadband service outage isn’t a big deal. But
IoT deployments are less forgiving. And as these
deployments march toward large-scale adoption, the
need for accurate bandwidth and traffic demands is
going to accelerate rapidly.
Gold says machine learning, and eventually AI, has the
potential to make these networks more reliable and
manageable.
In the near term, Casey sees these kinds of tools as a
way to enable network operators to quickly address
and resolve performance issues, and perhaps eventually
resolve them automatically based on policy.
“The reality is when you have an application
performance problem, 80% of the time is spent finding
the problem, and only 20% is spent fixing it,” he said.
22
The Big Security Guide | Cisco Study: Data Privacy ROI for Businesses
NEWS
Cisco Study: Data Privacy ROI for Businesses
by Sydney Sawaya
On the eve of World Privacy Day (Jan. 28), findings from
Cisco‘s 2020 data privacy study show that privacy is, in
fact, a very good investment.
Where companies used to prioritize things like function
and scalability over data privacy and security, consumer
backlash to privacy leaks in recent years has elicited
a global response for new legislation. Regulatory data
privacy laws like the EU’s General Data Protection
Regulation (GDPR) paved the way for countries
from China to Brazil and even individual states — like
California and its new California Consumer Privacy Act
(CCPA) — to follow suit. In fact, U.S. legislators are also
considering an updated federal privacy law.
For the report, Cisco researchers spoke with 2,800
security professionals in 13 countries about privacy and
data security practices within their organization. A key
finding quantified the return on investment (ROI) on
privacy, which averaged a 270% ROI.
Organizations with an increased focus on privacy
saw shorter sales delays, better security, and fewer
data breaches. And more than 40% of the companies
© 2020 SDxCentral LLC. All Rights Reserved.
January 27, 2020
surveyed saw at least double the return on their privacy
investment.
“I think companies are beginning to recognize that this
privacy thing is important, not just as a compliance issue
or a boardroom issue, but because it matters to the
customers, building loyalty and trust in the company,”
explained Robert Waitman, Cisco’s director of privacy
insights and innovation, in an interview with SDxCentral.
Privacy Pays Profits
70% organizations said they found significant business
benefits from privacy, and 74% of respondents believed
that going above and beyond privacy regulation
compliance helped them build loyalty and trust with
their customers.
“This is about doing the right thing so that your
customers believe that you’re taking good care of their
data, and want you to continue to do that,” Waitman
said. “Because, again, at the end of the day, privacy is
about protecting people. And those people are your
customers.”
23
The Big Security Guide | Cisco Study: Data Privacy ROI for Businesses
NEWS
The survey reported 82% of companies had a breach in
the past year.
Companies with higher accountability scores — as
assessed using the Centre for Information Policy
Leadership’s Accountability Wheel, which is a framework
for managing and assessing organizational maturity —
experienced shorter sales delays and higher financial
returns.
In fact, of the companies with advanced privacy efforts,
28% went breach-free compared to the 13% of those
with minimal privacy efforts. The more advanced
organizations had 90% less downtime from records
exfiltrated, which translates to cost.
Get Your Data House in Order
Data privacy and security converge in what Waitman
called the “data house,” and he used the analogy of
preparing for a home invasion. He explained how you
might prepare for a home invasion if you knew someone
was going to break into your house sometime this year
— even with no knowledge of when or where the break
in would occur.
“You would probably take the most sensitive assets that
you have, your most valuable things, and you would do
something further to either protect them, encrypt them,
© 2020 SDxCentral LLC. All Rights Reserved.
store them somewhere else,” Waitman said. “You might
make them even harder to get access, because at some
point an intruder is going to come in.”
Legislative processes such as GDPR have pressured
businesses to get their data houses in order —
protecting valuable assets and throwing out old ones
to minimize the loss that might occur when and if that
break in does happen.
Although some businesses might see privacy regulations
as another hurdle to clear, Cicso’s findings position
legislative processes as a worthy ally in driving net
benefits for businesses. Furthermore, the findings also
reaffirm Cisco’s 2019 privacy report, which found GDPR-
ready firms had fewer data breaches.
While the study proves the positive benefits of
regulation, Waitman stressed the need to proceed
with caution. He said Cisco supports federal legislation
that would allow companies to pursue one standard to
establish consistency across all 50 states.
“I think the idea of having a federal legislation would
be to avoid 50 different state regulations, but not
to change, or perhaps hamper some of the valuable
protections that are in place for some of the industries
today,” Waitman said.
24
SDxCentral, LLC
3511 Ringsby Ct, #101
Denver, CO 80216 USA
www.sdxcentral.com