Putting a strong lock on a weak door is unlikely to deter thieves, particularly when there are valuables inside. Yet all too often in the battle against cyber attacks, businesses do just that: they attach advanced digital security systems to inherently insecure corporate network infrastructures. The net result is enterprise IT capabilities that keep those tasked with maintaining risk registers and ensuring data security awake at night, and frustration for those who want to embrace next generation mobility and cloud technologies to generate efficiencies and competitive advantage.
A company becomes more attractive to cyber criminals as the intrinsic value of its digital platforms grows. While the commercial benefits of a company’s digital platforms far exceed the cost of cyber attacks, evidence remains that some CIOs in Fortune 500 companies view cyber security as a barrier to incorporating new technologies such as ‘Bring Your Own Device’, social networking and public cloud technologies. This is not entirely surprising; most cyber security strategies today are based more on a defensive or reactive approach than on an offensive methodology.
“Business is all about balance,” said one CIO who asked to remain anonymous when interviewed for this article. “We have long worried about the stolen laptop, the files left on trains or the misplaced memory stick carrying sensitive customer records. But now, faced with systematically putting our business into the cloud while ensuring all employees have useful and appropriate access is a much more daunting prospect.” Such a view is not uncommon across many industry sectors today.
Whilst CIOs and defenders of technology infrastructure ponder the right approach to balancing security with agility and innovation, cyber criminals are becoming increasingly sophisticated operators deploying next generation tools and techniques to infiltrate enterprise-wide networks. For the defenders all is not lost. Next generation networking technology based on software-defined networking, or SDN, can offer enterprises a step change, a new generation defensive arsenal for the CIO, but only when the SDN is engineered from the outset to be inherently secure.
The challenge with today’s traditional, legacy networks is they are based on TCP/IP, an inherently insecure architecture developed in the days when ‘hackers’ referred primarily to high handicap golfers. TCP/IP is the enterprise network’s weak door. Even with increasingly stronger digital locks attached, the overall architecture remains vulnerable. This offers encouragement rather than a deterrent to cyber-criminals.
Software defended networks
Today’s SDN-based networks can be developed with security integrated into the design rather than as an overlay or afterthought. Because of this, SDN represents a cyber security game changer for the industry. The key change is that they can allow the enterprise to actively protect against what security teams call advanced persistent threats (APTs), distributed denial of service attacks, unknown malware and zero day attacks.
Active SDNs can be designed to continuously monitor for and block vulnerabilities by default, across all network elements, from simple access devices to a range of network elements to the data centre. The key difference is that in an SDN design, the capability can be fully virtualized and embedded. With an SDN, security policies can be created to match the type of service they are designed to protect. CIOs can, for the first time, go on the offensive and secure devices, applications and network elements. Employee access can be actively controlled by time of day, location, time zone and other factors that can be configured into the network through centralized management and control tools. The CIO’s priority, for the first time, can now be on ensuring useful access rather than on the restrictive characteristics of a strategy based on reactive responses and restrictive policies.
However, just because the capability exists doesn't mean that all SDNs are being developed with an equal focus on security. Also, there is a significant cyber security industry that depends on the spread of fear, uncertainty and doubt. If the SDN-based architecture doesn’t combine security reputation, big data, sandboxing, as well as other technologies to prevent unknown threats, it’s essentially replacing an old weak door with a new weak door, despite the stronger locks being fitted.
Cyber security is a technical challenge but it is also a human challenge. Every CIO and network security engineer knows only too well about the continuous battle to improve the behavior of employees to underpin existing security procedures. While this challenge remains, SDNs, for the first time, have the ability to materially transform the technical defenses and provide added security capability to protect against human weaknesses.
Less well recognized, perhaps, is the continued risk of ‘the illusion of security’. The time to ask a vendor searching questions about the integrity and security of an SDN is before purchase. Any SDN architecture or roadmap that promises ‘security measures to follow’ is effectively replicating the flaws, the weak doors with strong locks of the past.
John Suffolk is Huawei’s chief security officer and a former CIO and chief information security officer with the UK Government.