About SDxCentral
SDxCentral is the leading resource for IT infrastructure knowledge.
provided by OS vendors to the public. These vendors are close to their communities, are aware of vulnerabilities before they are made public, and are strongly incentivized to keep images safe.”

For the greatest degree of control over the process, engineers can build containers from the ground up. Hale emphasizes this for images beyond the base OS images.

Another concern is how much access the container has to the host OS. Using non-root containers with relatively few privileges makes it so malicious code does not spread as easily.

Third, Kubernetes can widen the attack surface. The orchestrator itself can be targeted by attackers. The Kubernetes API can act as a backdoor where hackers may access any pod (group) of containers they want.

Cloud-Native Security and Infrastructure

The security of cloud-native applications does not have to be viewed only through microservices and containers. There are infrastructure-based elements as well.

Using a service mesh enhances communication in a system by connecting the platform monitoring tool with the security infrastructure. Monitoring becomes more granular and can be managed in a more automated fashion with a declarative approach.

Policy as code is an approach to security that gives DevSecOps teams more control and influence over the security system.

Policy as code means that a rule developers want the program to always follow is written into code. An example from Justin Garrison and Kris Nova’s 2018 book, Cloud Native Infrastructure: Patterns for Scalable Infrastructure and Applications in a Dynamic Environment, is about deployment gating. Say a developer doesn’t want to deploy code after 3 p.m. on a Friday without manager approval. The developer codes the system to check the day and time, and then request manager approval if it is 3 p.m. or later. Then, if the manager approves it, the code can be deployed.

Policy as code should be the same as any other code. It should have the same syntax and the same approach to being changed as other code. Changes should be tracked and commented on in the same way as well.

Gating deployment of applications is another area where automation is key. It would cost a lot of time for humans to parse through all of the policies and enforce them individually. Another issue is that interpretations of policies are not the same from person to person.

Again, immutability has something to offer. It does not cost much in resources to deploy new virtual machines (VMs) or containers. It makes sense then to keep them static and just replace them with corrected versions.

For example, Capsule8, a cloud security company, says that to ensure visibility, and therefore security, information should be gathered from the host, VMs, containers, apps, and API services. That information should then be sent to an engine for real-time decision making. Capsule8 also says integration of workload orchestrators and deployment automation tools allows security tools to be deployed automatically alongside the workload the tools are protecting.

In Summary

Traditional security approaches cannot sufficiently keep pace in a cloud-native environment. Microservices and containers have their pros and cons: They make large attack surfaces but are immutable and easy to fix. Automation is the name of the cloud-native game, as well as including security teams in development pipelines to integrate security policies as code.
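The Friday-afternoon deployment gate described above, written as code so it can be versioned, reviewed and tested like any other code. This is an added example, not code from the cited book or from SDxCentral; the team's local time zone is assumed to be a fixed UTC-7 offset, and the request and decision types are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy as code for the deployment gate described above: no deployment on a
# Friday at or after 3 p.m. unless a manager has approved it. Constructed
# example; the names and the time zone below are assumptions, not the book's code.

FRIDAY = 4                          # datetime.weekday(): Monday == 0 ... Friday == 4
CUTOFF_HOUR = 15                    # 3 p.m. local time
# Assumed local zone as a fixed offset so the example runs without tzdata;
# a production policy would use zoneinfo.ZoneInfo so DST is handled correctly.
POLICY_TZ = timezone(timedelta(hours=-7), name="UTC-7")
UTC = timezone.utc


@dataclass(frozen=True)
class DeployRequest:
    service: str
    requested_at: datetime          # must be timezone-aware
    manager_approved: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    approval_required: bool
    reason: str                     # recorded so every decision is auditable


def local(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Build an aware timestamp in the policy's local zone."""
    return datetime(year, month, day, hour, minute, tzinfo=POLICY_TZ)


def utc(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Build an aware UTC timestamp (what a CI system usually reports)."""
    return datetime(year, month, day, hour, minute, tzinfo=UTC)


def approval_required(requested_at: datetime) -> bool:
    """True when the request falls on a Friday at or after the 3 p.m. cutoff.

    Naive timestamps are rejected rather than guessed: a policy that silently
    assumed UTC would open or close the window at the wrong hour.
    """
    if requested_at.tzinfo is None:
        raise ValueError("requested_at must be timezone-aware")
    when = requested_at.astimezone(POLICY_TZ)
    return when.weekday() == FRIDAY and when.hour >= CUTOFF_HOUR


def evaluate(request: DeployRequest) -> Decision:
    """Apply the gating rule; the approval flag only matters inside the window."""
    if not approval_required(request.requested_at):
        return Decision(True, False, "outside the Friday-afternoon window")
    if request.manager_approved:
        return Decision(True, True, "Friday after 3 p.m.; manager approval present")
    return Decision(False, True, "Friday after 3 p.m.; manager approval missing")


if __name__ == "__main__":
    for req in (
        DeployRequest("billing", local(2024, 6, 7, 16, 30)),        # Friday 16:30 local
        DeployRequest("billing", local(2024, 6, 7, 16, 30), True),  # same, approved
        DeployRequest("billing", local(2024, 6, 5, 16, 30)),        # Wednesday
        DeployRequest("billing", utc(2024, 6, 8, 1, 0)),            # Sat 01:00 UTC = Fri 18:00 local
    ):
        d = evaluate(req)
        print(f"{req.service} @ {req.requested_at:%a %H:%M %Z}: allowed={d.allowed} ({d.reason})")
```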
5G networks support a massive number of connected devices. They enable a huge increase of bandwidth over LTE, and create a threat landscape different from previous networks. Security challenges stem from the very attributes that make 5G such an improvement.

IoT, which is a major component of 5G network architecture, remains a major security risk. IoT devices are one of the most-attacked types of hardware, making up over 78% of malware detection events in communication service provider networks in 2018, according to a report by Nokia.

“If an IoT device today is plugged into the network, and it doesn’t have protection in it, it’s infected in three minutes or less,” said Mary O’Neill, VP of security at Nokia, at an MWC Los Angeles press conference in 2019.

High-profile breaches are on the rise. In 2019, publicly recorded breaches increased by 25%, and the rate of breaches is “exponentially increasing,” according to Wipro’s 2019 State of Cybersecurity Report.

Securing New 5G Use Cases

The coming 5G networks have the potential to explode vertical industries, enabling the creation of a wide array of new services — all of which will demand new, varying levels of security.

Autonomous Vehicles: The threat of automotive cyberattacks will rise as autonomous vehicles become more widespread. To combat this, the National Highway Traffic Safety Administration employs a multi-layered approach to cybersecurity as it approves driver assistance technologies.

Healthcare: In the healthcare field, 5G capabilities will help with faster transfer of large patient files, remote

Smart homes: 5G-enabled smart homes will require stronger methods of authentication, such as biometric identification, seen in software made by Sensory that uses voice and face recognition, or the bevy of fingerprint-access door locks available at hardware stores. In December 2019, a set of breaches into Amazon’s home camera security product Ring sparked outrage, as hackers were able to access cameras in users’ homes and on their front porches.

In general, IoT devices and sensors will demand more complex authentication to prevent unauthorized access.

5G Security and New Network Architectures

Cloud virtualization technologies such as software-defined networking (SDN) and network functions virtualization (NFV) are thriving in anticipation of 5G networks. However, they too come with new security concerns. Because of their open, flexible, programmable nature, SDN and NFV open up a new avenue of security threats. For example, a network element of an SDN such as the management interfaces could be used to attack the SDN controller or management system and bring down the system.

Research from the Journal of ICT Standardization suggests a multi-pronged approach to 5G security, including trust models, authentication and key agreement, and an extensible authentication protocol-based secondary authentication, among others.

The security of 5G network infrastructure must evolve alongside the standard. For example, because 5G networks can be sliced into uniquely purposed slices, each virtual network slice could demand unique security capabilities based on the needs of different usage scenarios. Also, compromised Radio Access
Network (RAN)-side 5G devices might present a larger Distributed Denial of Service (DDoS) threat.

Tackling 5G Security

Wipro’s report outlined five network components in ensuring 5G security:
• A secure edge
• A secure SDN controller
• Proactive analytics
• Hypervisor and container security
• Security through orchestration

Securing the edge means ensuring real-time detection capabilities at the edge. The network must find and stop breaches before they make it to the core.

Securing the SDN controller means enabling dynamic security protocol through northbound and southbound APIs. Northbound APIs gather intelligence about network activity. Southbound APIs control switches, routers, and firewalls to end attacks as they occur.

Proactive security analytics uses machine learning and AI to detect unusual activity in the network that may indicate a breach. Detection of a breach is based on previously learned network patterns and trends in previous breach attempts.

exfiltration and VM-based attacks that come from east-west and north-south traffic. Network operators should include hypervisor inspection and hardening mechanisms in order to guard against such attacks.

Finally, security through orchestration means taking advantage of 5G’s software-defined, disaggregated architecture to orchestrate VNFs to automatically react to a breach. VNFs can alert the orchestrator of a breach. The orchestrator then instructs the SDN controller to enact security protocol and control routers and firewalls to halt the attack, as well as tighten access control.

5G Security: Key Takeaways
1. 5G security is more important than ever, as breaches continue to increase in frequency and volume.
2. IoT devices pose a huge threat to the network.
3. 5G use cases, such as autonomous driving, healthcare devices, and smart homes, mean that attackers have more access to personal data than ever.
4. A 5G network must be architected to evolve with growing security needs.
5. 5G requires end-to-end security that uses its software-defined architecture to automatically detect and mitigate threats.
A best practice for security engineers is to consider the connection between containers and the kernel of the operating system (OS) that hosts their Docker daemon, and how exploitable the relationship could be. An exploit delivered by way of a container could conceivably attack the kernel of its host, rendering the OS vulnerable.

In an attempt to reduce the risk of kernel-OS exploitation, organizations may deploy their Docker environments on virtual machines — rendering the containers’ host kernels virtualized. Therefore, the kernel is partitioned exclusively from the processor’s native OS. While this eliminates the threat from one known exploit vector, it also diminishes the performance of containers in production.

Compliance Guidelines

Docker Inc. and its platform subscribe to container compliance guidelines set by governmental and non-governmental organizations, such as the Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST) and the Center for Internet Security.

It can be risky to rely exclusively on a method so dependent on encryption for container security. Encryption can merely shift the single point of failure to the organization’s key management systems. However, there is little or no argument against the use of encryption as part of a larger security system.

In November 2015, Docker Inc. addressed the issue of key management for Docker security by announcing support of YubiKey, a physical, USB-based digital key manufactured by Yubico. YubiKey can be used in conjunction with an access control system that verifies the physical presence of the user logged in at a particular terminal. Operations involving the acquisition, composition, and deployment of containers can be restricted to individuals whose YubiKey is accessible to the host kernel.
Software-defined networking (SDN), a complementary technology to network virtualization, also makes RBAC easier by centralizing network management and enabling direct programmability in the network. This means administrators can program the network to adjust to the needs of the organization on demand and modify user permissions when needed.

Microsegmentation

Microsegmentation enables security architects to separate different parts of the data center into precise segments. The granularity can go down to a server’s individual workloads. Unique policies can be established for the different segments that have been created. The degree of security established by the policies depends on the regulatory and compliance requirements of the segment’s data.

Microsegmentation is possible thanks to network virtualization. It is similar to how VMs split up the space on a server to have multiple distinct instances run at the same time. Virtualized networks are overlays on physical infrastructure, which is basically used as the connections data travels through. Changes to the network can be made as needed because the virtual network is an abstracted overlay. Changes include microsegmentation of new workloads to keep them isolated and secure.

Isolation of VMs, for example, can prevent the lateral spread of an attack from application to application. This east-west communication has become more common in data center networks as servers are increasingly talking to other servers in their network. By segmenting the network, a data center limits the risk of attacks being able to move to other applications or servers because there are fewer instances of them talking to each other.

The security policies that are part of virtualizing the network can route traffic through virtual firewalls within a segment before it goes to another server. This is commonly implemented through service chaining. In a traditional data center network, traffic steering would send information through multiple different devices for each of the security and networking functions. This slowed processes down and was inefficient compared to the more modern technique in use by VMware’s NSX platform. The platform uses service chaining, which is the insertion of multiple functions, like firewalls or load balancers, into a forwarding path.

Data Center Security: Key Takeaways
1. The three core elements of data center security are authentication, authorization, and accounting.
2. Access control software is able to identify users, find out how much access to network resources they are assigned, and keep them within those limits.
3. Software definition of a data center brings intelligence and centralized control to the data center’s network.
4. Microsegmentation of the network can be highly granular and prevents attacks from spreading from application to application or server to server.
In addition, because multiple virtual networks can operate across the same underlying physical infrastructure, security must address each layer of the virtualization. VMs, for example, have additional security complexity. They pose security risks because they operate as digital files that can be moved, regardless of physical infrastructure. These trends have driven more security virtualization.

Segmentation and Isolation

Security virtualization uses software installed on virtual networks to monitor workloads, applications, and access

Microsegmentation applies specific security policies to workloads and applications, in a manner that can enable security functions to follow workloads around the network if they are moved, an approach that is common in today’s virtual infrastructure.

Security virtualization is a strong trend and is likely to remain that way as more applications are run in the cloud and networks grow increasingly virtualized. New forms of security software that can be installed to monitor and manage security policies on virtual infrastructure will be needed.
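A constructed model of the default-deny, per-segment policy described in the microsegmentation and security virtualization passages above: workloads are placed in segments, a flow between segments needs an explicit rule (optionally steered through a virtual firewall, as in service chaining), and a blast-radius walk shows how far a compromised workload could move laterally compared with a flat network. This is an added example, not VMware NSX or any vendor's policy API; every segment name, port and rule here is hypothetical.

```python
from collections import deque
from dataclasses import dataclass

# Constructed microsegmentation model: every workload belongs to a segment,
# east-west flows are denied unless a segment-level rule allows them, and a
# rule can require the flow to be steered through a virtual firewall (service
# chaining). Hypothetical; not NSX or any vendor's policy API.


@dataclass(frozen=True)
class Workload:
    name: str
    segment: str


@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    port: int
    inspect: bool = False       # steer through a virtual firewall before delivery


@dataclass(frozen=True)
class Decision:
    allowed: bool
    inspected: bool
    reason: str


class Microsegmentation:
    """Default-deny east-west policy keyed on (source segment, destination segment, port)."""

    def __init__(self) -> None:
        self.workloads: dict[str, Workload] = {}
        self.rules: dict[tuple[str, str, int], Rule] = {}

    def add_workload(self, name: str, segment: str) -> None:
        self.workloads[name] = Workload(name, segment)

    def allow(self, rule: Rule) -> None:
        self.rules[(rule.src_segment, rule.dst_segment, rule.port)] = rule

    def evaluate(self, src: str, dst: str, port: int) -> Decision:
        """Decide one flow. Workloads in the same segment are not trusted by default either."""
        s, d = self.workloads[src], self.workloads[dst]
        rule = self.rules.get((s.segment, d.segment, port))
        if rule is None:
            return Decision(False, False, f"no rule for {s.segment}->{d.segment}:{port}; default deny")
        return Decision(True, rule.inspect, f"matched rule {s.segment}->{d.segment}:{port}")

    def blast_radius(self, start: str) -> set[str]:
        """Workloads reachable from a compromised `start` by chaining permitted flows (BFS)."""
        seen = {start}
        queue = deque([start])
        while queue:
            cur = self.workloads[queue.popleft()]
            for rule in self.rules.values():
                if rule.src_segment != cur.segment:
                    continue
                for w in self.workloads.values():
                    if w.segment == rule.dst_segment and w.name not in seen:
                        seen.add(w.name)
                        queue.append(w.name)
        return seen - {start}


WORKLOADS = ["web-1", "web-2", "app-1", "db-1", "hr-1"]


def _populate(fabric: Microsegmentation, segment_of: dict[str, str]) -> Microsegmentation:
    for name, segment in segment_of.items():
        fabric.add_workload(name, segment)
    return fabric


def build_segmented() -> Microsegmentation:
    """Three-tier app plus an unrelated HR workload, each tier in its own segment."""
    fabric = _populate(Microsegmentation(), {
        "web-1": "web", "web-2": "web", "app-1": "app", "db-1": "db", "hr-1": "hr"})
    fabric.allow(Rule("web", "app", 8443, inspect=True))   # web tier may call app tier, via firewall
    fabric.allow(Rule("app", "db", 5432))                  # app tier may reach the database
    return fabric


def build_flat() -> Microsegmentation:
    """Same workloads on one flat segment where any host may SSH to any other."""
    fabric = _populate(Microsegmentation(), {name: "flat" for name in WORKLOADS})
    fabric.allow(Rule("flat", "flat", 22))
    return fabric


if __name__ == "__main__":
    seg, flat = build_segmented(), build_flat()
    print(seg.evaluate("web-1", "db-1", 5432))   # denied: web may not reach db directly
    print(seg.evaluate("web-1", "app-1", 8443))  # allowed and inspected
    print("segmented blast radius from web-1:", sorted(seg.blast_radius("web-1")))
    print("flat blast radius from web-1:     ", sorted(flat.blast_radius("web-1")))
```

Note that db-1 is still reachable from web-1 transitively through app-1, so the walk also shows where an extra control (the inspected hop, or a tighter app-to-db rule) earns its keep.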
The network edge can be a weak point in the network because of a lack of physical security and the absence of or weakness of security measures in the devices using edge computing.

Carelessly made Internet of Things (IoT) devices, or weak passwords on employee-owned devices, create vulnerabilities for the whole network. Establishing a uniform level of security for all hosts, and keeping all of them patched, is a way to make edge computing less risky.

Edge computing’s vulnerabilities come from its distributed nature, whether there is limited physical security, or difficulties around total network visibility.

How Companies Can Secure Edge Nodes

Visibility

A key component to securing any network is visibility. An operator needs to know what is happening on the network to ensure that it is working properly and that users are behaving properly.

This is particularly important in the IoT world, as devices send potentially sensitive data to clouds that users cannot be certain are safe. Moreover, the vast majority of applications for users to interact with or monitor IoT devices have little to no security testing.

Secure Operating System for Edge Platforms

Internet Technology Letters published a proposal regarding a new security architecture for when IoT devices use edge computing. The architecture focuses mainly on an operating system for edge computing. Elements of a secure edge operating system include authenticated network nodes, using named data networking (NDN) instead of traditional IP addressing, and authenticated users.

• Suggested security mechanisms include encryption, integrity audits, and features like authentication and access control.

Who or What is Targeted on the Edge?

The edge network user, IoT devices, the data on the network, and the edge network itself are all targets for attack on the edge.

IoT devices are major targets because they have implicit trust for other devices and do not verify the credibility of connections. They are also often released before they have suitable security measures included so the company can be the first to market.

VPN and General Encryption of All Data

Whether the edge is being used for IoT or to increase throughput at an enterprise’s location, data encryption is recommended.

It is not guaranteed an edge computing device will be encrypted or support transport layer security (TLS), although devices can have these capabilities. If there is no form of encryption, a VPN is a good option for data encryption and secure transmission because of its availability and reliability with options like OpenVPN.

User Access Management

The IEEE paper referenced above included specifications on user access control, which regulates who can access the network and how they can use it, specifically the reading and writing of data.

Authentication mechanisms are necessary to keep out malicious users and deny unauthorized users access to resources in the edge and core. The IEEE paper recommends a fine-grained access control system for every trust domain in the edge network by using attribute-based encryption or role-based encryption. Another approach to ensure security is to use trusted platform modules (TPMs).
This depiction of end-to-end segmentation from Cisco shows the path of data in an SD-WAN to and from the WAN edges through the network connections. The vSmart component is Cisco’s SD-WAN controller that handles routing. Source: Cisco

NEWS

The secure access service edge (SASE) promises to address changing enterprise traffic patterns, and threatens to render SD-WAN stalwarts irrelevant in the coming years, according to a recent Gartner report.

In its 2019 Hype Cycle report, Gartner defines SASE — pronounced “sassy” — as an emerging market that combines elements of SD-WAN and network security into a single cloud-managed package.

It’s a technology that Gartner has called “transformational.”

“SASE will be as disruptive to network and network security architectures as [infrastructure-as-a-service] was to the architecture for data center design,” the report claims.

SASE vs. SD-WAN

Unlike a traditional WAN, SASE does away with the concept of connecting the branch to the central office and instead shifts to a model that connects users and equipment at an individual level to a centralized cloud-based service.

In traditional enterprise networks the data center is the focal point for access. Gartner contends that this approach has become increasingly ineffective as businesses transition to software-as-a-service (SaaS), cloud services, and edge compute platforms.

Gartner acknowledges that the enterprise data center isn’t going anywhere soon, but maintains that it will become less relevant as services move to the cloud. The enterprise data center effectively becomes just another branch.

“A branch office is simply a place where multiple users are concentrated,” the Gartner report states. The same is true for a salesperson working remotely, only they are a branch of one.
According to Gartner, SASE brings with it several advantages over existing technologies, not the least of which include greater flexibility for the end user, reduced operational complexity and costs, and better performance.

Distributed Access

The distributed nature of SASE will make the number of points of presence (PoPs) offered by a vendor an important factor for customers evaluating a solution.

“The SASE solution should offer distributed [PoPs] and a portfolio of traffic-peering relationships,” the report notes.

This approach means enterprise data will only rely on the open internet to get to one of the SASE vendor’s PoPs.

An Emphasis on Security

SASE will also open the door to enhanced security features including support for content inspection and zero-trust network access. Enterprises using a SASE platform supporting content inspection could scan active sessions for malware and sensitive content regardless of where the device or user is located.

Emerging SASE Market

While still a relatively new technology with less than 1% adoption, Gartner anticipates many vendors will begin rolling out SASE products over the next several months.

Gartner reports that no vendors are offering a comprehensive SASE product today, but notes there are several SD-WAN and cloud-based security providers well positioned to move into the space in short order. Even then the technology isn’t expected to reach mainstream appeal for another five to 10 years, and is likely to undergo significant changes within that span of time.

Because of this, Gartner warns early adopters to limit contracts to no more than two years and include acquisition protection clauses. It also warns customers should be wary of vendors trying to link several services together using virtual machine (VM) service chaining to reduce the time to market.

“This approach may speed time to market but will result in inconsistent services, poor manageability, and high latency,” the vendor explains.
“Mitigating Cloud Vulnerabilities.”

The report targets companies’ leadership and technical staff. It highlights the basic components of cloud architecture and threat actors. And then it also ranks four different types of cloud security risks — misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities — that, according to the NSA, account for the vast majority of known security flaws.

While each cloud service provider’s architecture will be slightly different, most clouds have four components in common. This includes identity and access management — these are controls in place for customers to protect access to their resources and controls that the service providers use to protect back-end cloud resources — as well as compute, networking, and storage.

and how it works. Cloud providers like Amazon Web Services (AWS) and Microsoft Azure are responsible for protecting their public cloud infrastructure and implementing logical controls to separate customer data. The customer, however, is responsible for configuring application-level security controls, and for protecting its workloads running on cloud servers. In other words, both the cloud provider and the customer have a shared responsibility when it comes to cloud security.

“Shared-responsibility model is a tough one,” said James Christiansen, VP of cloud security transformation at Netskope. Part of the difficulty comes from “a mindset that when you outsource something, you wash your hands of it.”

In other words, when companies move from their on-premises infrastructure and into the public cloud,
often they just assume that AWS or Azure is responsible for all the security measures needed to protect the resources running in the cloud. However, this is not the case.

Also, Christiansen says he’s not a fan of the term “shared responsibility.” Instead, “I would just go with a responsibility matrix: these are your responsibilities, and these are ours,” he added. “There are very distinct responsibilities, and when you see those failures, it’s often the failure of not understanding the part that they are responsible for.”

NSA’s Top 4 Cloud Vulnerabilities

The NSA categorizes cloud vulnerabilities and mitigations into four groups. It also says how prevalent each one is, and what level of sophistication it requires for an attacker to pull it off.

Misconfiguration, a widespread threat that requires a low level of sophistication, tops the list. According to the NSA, misconfiguration of cloud resources remains the most prevalent cloud vulnerability.

“Often arising from cloud service policy mistakes or misunderstanding shared responsibility, misconfiguration has an impact that varies from denial of service susceptibility to account compromise,” the report says. “The rapid pace of [cloud service providers’] innovation creates new functionality but also adds complexity to securely configuring an organization’s cloud resources.”

The report says least privilege and defense in depth are two of the security principles that organizations should apply from the planning phase. A least-privilege model restricts access for accounts to only the resources required to perform routine, legitimate activities. Defense in depth involves placing multiple layers of security controls throughout an IT system.

The No. 2 vulnerability — poor access control — happens when companies have weak authentication methods in place to allow access to cloud resources, or when these cloud resources have flaws that enable attackers to bypass these methods. The NSA deems this vulnerability widespread and says it requires a moderate level of sophistication to pull off.

Organizations can mitigate poor access control by enforcing strong authentication protocols such as multi-factor authentication and using automated tools to audit access logs.

No. 3, shared tenancy vulnerabilities, remains rare, according to the report, and requires a high level of sophistication. But these types of vulnerabilities in cloud hypervisors or container platforms can be especially severe.

To mitigate these, the NSA advises enforcing encryption of data at rest and in transit. And for especially sensitive workloads, companies should use dedicated or bare-metal cloud instances.

If companies don’t use a dedicated instance, Christiansen suggests requiring that the cloud provider perform a forensic analysis of the logs, separating your logs from those of the other tenants. Organizations should write this into the contract when they initially buy the cloud services, he said.

Supply Chain Security

Finally, the NSA says the No. 4 vulnerability — supply chain security flaws — remains rare and requires highly sophisticated attackers. But many threat hunters and security vendors agree supply chain security risks are becoming more common, and they expect to see these types of attacks increase this year.

Supply chain vulnerabilities include inside attackers, intentional flaws and backdoors in hardware and software, as well as companies’ partners and suppliers whose security may not be up to par and thus allow attackers to access their targets’ cloud resources via their suppliers’ networks.

Christiansen agrees that attackers need to be pretty sophisticated to pull off a supply chain attack, but says he was surprised to see it rated rare.

“You think about the big corporations and they have done a really good job of fortifying their security,” he said. “But then when they go to a third party, the third party doesn’t have the same level of security, and that’s when you are seeing the weakest-link problem. We’ve seen this as far back as the Target breach. It’s a very
big attack surface, and I believe that third parties are absolutely a target for state-sponsored attacks and organized attacks.”

While cloud service providers “mitigate the risk of inside attackers through controls such as role separation, two-person integrity for especially sensitive operations, and alerting on suspicious administrator activities,” enterprises can improve their security posture against supply chain compromise, the report says. This includes encrypting data at rest and in transit, and also selecting cloud offerings that have had critical components evaluated against National Information Assurance Partnership (NIAP) Protection Profiles (PPs).

You Can’t Secure What You Can’t See

Christiansen suggests the NSA report could have included a couple of additional pieces of cloud security guidance.

“The real salient parts are the right ones, and those are the things companies should be looking at when they evaluate their security strategy,” he said. “But where it’s less obvious” is in companies’ multi- and hybrid-cloud environments, where organizations may run some workloads on AWS, others on Azure, and still others in a private cloud. “How do we bring all these multi-cloud threat detection tools and be able to monitor these different environments? That point got a little lost. You have to look at not just one cloud provider, but all the cloud providers, and bring those all together in a single pane of glass.”

He also suggests putting controls in place to ensure that the security and IT teams know when a business unit uses a company credit card to purchase a new cloud instance or even software-as-a-service. “A business unit could do this, load confidential information on it, and it would be completely insecure because we didn’t even know about [it],” Christiansen said. “You can’t do all those things in the [NSA] guidance if you don’t know about it.”

Meet with the procurement and financial groups to review credit card statements and look for cloud purchases, he said. And then, implement a policy that says “thou shalt not do this, enforce that policy, and educate your staff.”
IoT and SD-WAN might not sound like they belong together, but ask VMware’s VeloCloud or managed service provider Apcela and you might be surprised by what they have to say. The two companies see SD-WAN as the key to making large IoT deployments manageable at a human scale.

Sanjay Uppal, who co-founded VeloCloud and now serves as the head of VMware’s SD-WAN division, said the expanding scope of SD-WAN has opened the door to several applications that the technology wouldn’t normally be associated with, and IoT is one of them.

“You think of IoT, it’s not just IoT running on a cellular network or IoT running on Bluetooth. You could absolutely run IoT on your enterprise SD-WAN,” Uppal said in an earlier interview. “Just think of that IoT traffic as a new data type that you will steer across the WAN and you can add services to it as it is steered.”

While IoT may not be a new concept, with some companies having been in the business for decades, the rise of IoT to the mainstream is forcing networks to change, said Apcela CEO Mark Casey. “The evolution of IoT requires a more agile and more nimble environment to accelerate it, and for [IoT companies] to accelerate and grow their own revenue.”

According to Casey, SD-WAN not only has the potential to address many of the security concerns associated with IoT, but it can also solve the operational challenges of managing large deployments.

Here, Apcela has some experience. The company has been working with Itron, one of the leading makers of smart water and energy meters, for the past two years.

Is SD-WAN the IoT Security Antidote?

Of all the challenges facing widespread IoT adoption, security is undoubtedly the biggest concern. To this point, Mary O’Neill, VP of security at Nokia, said IoT devices represent just 16% of traffic but account for 78% of the malware on mobile networks.

“If an IoT device today is plugged into the network, and it doesn’t have protection in it, it’s infected in three minutes or less,” she said during a press conference at MWC Los Angeles in 2019.

Opening the edge to all of these devices poses a security challenge that isn’t easy to address, adds Casey. “It’s one of the big things that companies are struggling with.”

He explained that in a traditional architecture maintaining security would involve forcing device traffic back to the data center.
NEWS
“So the ability to process things at the edge, manage security at the edge doesn’t really exist because of this security issue,” Casey said. But that changes when you apply an SD-WAN, he added. “Now we can treat traffic very specifically.”

Itron builds smart meters for all kinds of customers, including water and energy companies as well as utilities and municipalities.

“SD-WAN enables us to treat those traffic types — all the way down to an individual IoT device — with an independent profile,” Casey said. “We can take a specific device for a specific customer and give that a specific template that allows us to treat it from a security perspective uniquely and it allows us to treat it from an edge processing standpoint uniquely.”

The result is finer-grained control over these massive IoT deployments. “That’s one of the powerful things about software-defined WAN,” he said.

But while SD-WAN may help address IoT’s security challenges, not everyone is convinced it will be enough.

“Security is one of the biggest factors limiting IoT expansion,” said Bill Curtis, resident analyst at Moor Insights & Strategy in an earlier interview with SDxCentral. “The bottom line,” he said, is that “IoT security has to be built-in, not added on.”

IoT Management on a Human Scale

However, even if SD-WAN can’t fully address IoT’s security challenges, it at least stands a chance to make the networks supporting them more manageable.

Casey explained that SD-WAN enables network programmability and automation. This means that new types of devices can be added to the network without the need for additional backend hardware. “I can just reprogram the software to deal with a new type of IoT device or a new type of IoT traffic,” he said.

This has the potential to reduce the operational requirements of managing these networks at scale.

to manually log into 100 routers to change the configuration to accommodate the new traffic.

“With SD-WAN everything is templatized. I can simply enable a template for a new type of IoT traffic or a new customer, and I’m able to immediately deploy that segmentation instantaneously because I have centralized orchestration, and that orchestration pushes the configuration out to all of the edge locations,” he said. “That doesn’t matter whether I have 10, 100, 1,000, or 10,000 [locations].”

Seeing the Problem

But even with the advantages SD-WAN offers in terms of automation and orchestration, there remains a visibility challenge. Just how do you manage a network with the millions or billions of IoT devices that 5G networks promise to enable? Some say the answer is artificial intelligence (AI).

According to Ken Gold, director of test, monitoring, and analytics solutions at EXFO, the implicit complexity associated with massive 5G IoT deployments is only going to make identifying and resolving network anomalies all the more challenging.

He said for most customers, a dropped call or broadband service outage isn’t a big deal. But IoT deployments are less forgiving. And as these deployments march toward large-scale adoption, the need for accurate bandwidth and traffic demands is going to accelerate rapidly.

Gold says machine learning, and eventually AI, has the potential to make these networks more reliable and manageable.

In the near term, Casey sees these kinds of tools as a way to enable network operators to quickly address and resolve performance issues, and perhaps eventually resolve them automatically based on policy.

“The reality is when you have an application performance problem, 80% of the time is spent finding the problem, and only 20% is spent fixing it,” he said.
On the eve of World Privacy Day (Jan. 28), findings from Cisco‘s 2020 data privacy study show that privacy is, in fact, a very good investment.

Where companies used to prioritize things like function and scalability over data privacy and security, consumer backlash to privacy leaks in recent years has elicited a global response for new legislation. Regulatory data privacy laws like the EU’s General Data Protection Regulation (GDPR) paved the way for countries from China to Brazil and even individual states — like California and its new California Consumer Privacy Act (CCPA) — to follow suit. In fact, U.S. legislators are also considering an updated federal privacy law.

For the report, Cisco researchers spoke with 2,800 security professionals in 13 countries about privacy and data security practices within their organization. A key finding quantified the return on investment (ROI) on privacy, which averaged a 270% ROI.

Organizations with an increased focus on privacy saw shorter sales delays, better security, and fewer data breaches. And more than 40% of the companies surveyed saw at least double the return on their privacy investment.

“I think companies are beginning to recognize that this privacy thing is important, not just as a compliance issue or a boardroom issue, but because it matters to the customers, building loyalty and trust in the company,” explained Robert Waitman, Cisco’s director of privacy insights and innovation, in an interview with SDxCentral.

Privacy Pays Profits

70% of organizations said they found significant business benefits from privacy, and 74% of respondents believed that going above and beyond privacy regulation compliance helped them build loyalty and trust with their customers.

“This is about doing the right thing so that your customers believe that you’re taking good care of their data, and want you to continue to do that,” Waitman said. “Because, again, at the end of the day, privacy is about protecting people. And those people are your customers.”
The survey reported 82% of companies had a breach in the past year.

Companies with higher accountability scores — as assessed using the Centre for Information Policy Leadership’s Accountability Wheel, which is a framework for managing and assessing organizational maturity — experienced shorter sales delays and higher financial returns.

In fact, of the companies with advanced privacy efforts, 28% went breach-free compared to the 13% of those with minimal privacy efforts. The more advanced organizations had 90% less downtime from records exfiltrated, which translates to cost.

Get Your Data House in Order

Data privacy and security converge in what Waitman called the “data house,” and he used the analogy of preparing for a home invasion. He explained how you might prepare for a home invasion if you knew someone was going to break into your house sometime this year — even with no knowledge of when or where the break-in would occur.

“You would probably take the most sensitive assets that you have, your most valuable things, and you would do something further to either protect them, encrypt them, store them somewhere else,” Waitman said. “You might make them even harder to get access, because at some point an intruder is going to come in.”

Legislative processes such as GDPR have pressured businesses to get their data houses in order — protecting valuable assets and throwing out old ones to minimize the loss that might occur when and if that break-in does happen.

Although some businesses might see privacy regulations as another hurdle to clear, Cisco’s findings position legislative processes as a worthy ally in driving net benefits for businesses. Furthermore, the findings also reaffirm Cisco’s 2019 privacy report, which found GDPR-ready firms had fewer data breaches.

While the study proves the positive benefits of regulation, Waitman stressed the need to proceed with caution. He said Cisco supports federal legislation that would allow companies to pursue one standard to establish consistency across all 50 states.

“I think the idea of having a federal legislation would be to avoid 50 different state regulations, but not to change, or perhaps hamper some of the valuable protections that are in place for some of the industries today,” Waitman said.