Information Security: Connecting The Dots
By Sean Martin | Posted 07-08-2010
Cisco announced in late June that it has partnered with some of the security industry's vendors to bring comprehensive security to enterprise systems, networks and data. Cisco intends to deliver on this promise through a Cisco-validated integration of systems that includes the company's own platform coupled with supporting third-party technologies.
This is an important milestone for the information security industry. CIOs & CSOs alike should take note of this collaborative move. Upon a successful delivery of a validated set of integrated systems by Cisco and their supporting partners, CIOs can finally develop a comprehensive information security program that can actually be implemented without vendor-chasing and technology-juggling. By following the solution guidelines and related implementation guides, information chiefs and their staff will be able to connect the dots that are appropriate for their environment, their business, and their operational risk.
This announcement recognizes the simple fact that, even with a tremendous amount of market consolidation, we still see hundreds of security vendors and thousands of technology possibilities from which organizations can choose to secure their systems and information. This will likely remain the state of security for a long time to come as new threats surface, new environment and infrastructure technologies are revealed, and new business models emerge.
The real value behind Cisco's announcement is brought to light through a data point captured in its press release announcing the introduction of its Validated Secure Borderless Network Systems initiative. Here, Cisco quotes IDC, citing a February 2010 presentation entitled "The End of Useless Information: Examining the Multi-Pronged Nature of Current & Future Attacks." IT managers surveyed by IDC in that report said that some of the top IT security management challenges at their organization consisted of:
I would suspect that most organizations have experienced some, if not all, of these challenges. I would suspect that the number of organizations that have found a collection of point products that actually work together in support of a comprehensive information security program would be few and far between.
Time-Consuming RFIs and RFQs
Organizations generally settle for the mundane and frustrating task of putting together time-consuming requests for information and quotes (RFIs and RFQs) with an aim to select multiple technologies designed to handle very specific security requirements. These choices can include a network firewall or UTM appliance, multiple endpoint protection layers, an identity management system, various mobile device and wireless network protections, data loss prevention (endpoint, network, and discovery), and the list goes on. Even if an organization successfully identifies and acquires a 'full set' of technologies, navigating the implementation, defining and enforcing a cohesive policy, and combating the incompatibilities and/or inconsistencies amongst them would have likely become the primary task at hand. There have been attempts to either reduce or eliminate some of the challenges associated with having so many technologies to choose from and manage -- driven by requirements revolving around a particular business scenario and/or a specific information security program project.
While there may be other examples, I have had direct experience with the following two examples.
The first, SecureIT Alliance, is a solid example of a direct attempt at bringing multiple products together. The SecureIT Alliance is an initiative formed by Microsoft and driven mainly by individual participating vendors. This consortium of security vendors identifies business problems that can be overcome through the integration of their individual offerings. In order for these solutions to come to market, the vendors identify a problem, decide on how to work together, and then attempt to approach the market with their integrated offering. This initiative has experienced some momentum where multiple vendors have come together to provide solutions aimed at solving specific information security problems. However, if the vendors (oftentimes, competitors) don't take the initiative to work together, today's enterprises are left to do the dirty work themselves.
The second example, the Security Information and Event Management (SIEM) market, is an indirect approach at solving the same problem. By definition, SIEM vendors are not tasked with providing a selection of integrated products that work together to solve specific information security problems. The SIEM vendors do focus on bringing together multiple products from a data collection, analysis, and reporting perspective, and this is certainly a step in the right direction.
We may see further advancements of collaboration by SIEM vendors, most likely in areas such as integrated response and control. However, since the business success of the SIEM providers relies primarily on supporting a community of often-competing vendors in order to deliver the value they've promised to their customers, this market will likely remain relatively static.
Cisco has chosen a different tack from these two previous attempts at addressing the need for cross-vendor collaboration and interoperability. The company is taking clear, direct ownership of the problem, embracing the reality, and embracing the responsibility to identify the business scenarios and the related business challenges associated with achieving information security.
To use an analogy presented during Cisco's June 24, 2010 media briefing by Pat Calhoun, General Manager, Cisco Security Systems Unit, "airplane manufacturers rely on hundreds of partners to design and build their planes, but they wouldn't expect the airlines -- their customers -- to put the planes together themselves." Applying this analogy to information security, why should each vendor expect the enterprise to piece together an information security program?
Cisco promises to tackle this daunting task of validating the integration of a multitude of information security technologies, providing a trusted platform and the blueprints required to implement an end-to-end information security program. The company is essentially giving enterprises and their CIOs/CSOs a fighting chance to succeed.
The notion of working together with partners is not a new model for Cisco. "The Cisco Developer Network has already experienced success in the areas of telecommunications and wireless integrations, we will simply extend this model to the security space to deliver on these security solution integrations," said Calhoun. It's refreshing to see a vendor step up to the information security canvas, taking the time and energy necessary to connect the information security dots such that many more of our enterprises can succeed in implementing a holistic information security program. It appears we are moving toward a clear path to achieve end-to-end security. Is this a path you'll be looking to take?
Sean Martin, CISSP, is the owner and directing consultant at imsmartin consulting. Write him at firstname.lastname@example.org.