Cisco's Security Strategy Explained
Security chief Tom Gillis shares Cisco's approach to keeping company networks safe in an increasingly "borderless" work environment
March 2, 2010
Purpose-built for a world in which workers are increasingly mobile and the companies they work for increasingly "borderless," Cisco's new AnyConnect Secure Mobility Solution, announced at the RSA Conference, will keep people securely connected to their company's network no matter where they are or what device they're using, company executives say. It's the latest move in Cisco's larger security strategy, focused on safeguarding customers against everything from viruses and spam to worms and botnets.
For details about the new offering, the networking giant's security strategy, and how both can help customers meet the challenges of an increasingly "borderless" work environment, News@Cisco spoke with Tom Gillis, vice president and general manager of Cisco's Security Technology Business Unit.
What is Cisco announcing at the RSA Conference?
Tom Gillis: Think of it as a little sliver of software that runs on every PC, laptop and mobile device, and keeps you connected to your company network whether you're behind the firewall, at your home office on a cable modem or at a coffee shop in Australia. It's not a virtual private network, meaning a private network for a business, in the classic sense. It's a reinvention of that notion, using an architecture that combines three existing Cisco security products. It's called the Cisco AnyConnect Secure Mobility Solution, and its sole purpose in life is to make sure that every connection coming on or off a device is connected to a security-scanning element somewhere in the network.
From an end-user perspective, it means your connection to the corporate network is always on, always running, always available. There's no fumbling with passwords and logins. From an information technology perspective, it doesn't matter where the end user is: it's the same experience, the same access to information, with much better controls. You don't have to worry what a worker is doing when they're using a device outside the company network. You know what they're doing. You're able to enforce policy all the time on every device. Moreover, it's a simple software upgrade to your existing Cisco virtual private network, which, by the way, is the most widely deployed virtual private network in the world by a significant margin.
What changes are you making in the security business at Cisco?
Tom Gillis: My task has been to focus the business unit on Cisco's core markets and to make sure we have a very clear plan for how we can become No. 1 or No. 2 in those markets, in a manner that taps the power and intelligence of the network. Because Cisco has such a high level of trust with our customers, the company could be a plausible vendor in almost every segment of information technology. As a result, in the past we've tended to drift into some segments that we were not really positioned to lead in.
But make no mistake, security is an absolute priority at Cisco. The company has invested more than $1 billion in security acquisitions in the past three years. But more importantly, Cisco's ambitions in areas like virtualization, cloud computing, mobility and collaboration cannot really take hold without security in the network as a foundation. That being so, Cisco has been investing very heavily in security advances for business networks. We are the largest business security vendor in the world, and we are focused on innovation in our key markets, where we are leading with very strong results.
How is Cisco approaching its core security markets?
Tom Gillis: I've already talked about what we're doing with virtual private networks and mobility, so I'll give a brief overview of the other areas. The firewall market is the largest of the segments, the most mature, the best understood and the most in need of reinvention. A firewall is basically a system designed to prevent unauthorized access to or from a private network, or a sub-segment of a private network. Twenty years ago, it was your primary means of enforcing security in a business. But things like mobility, handheld computing and cloud computing are having a profound impact on the way we do security, and firewalls in the traditional sense need some new tricks. At Cisco, there's a significant effort underway to build new security tools to address the needs of what we call "the borderless enterprise" in this new era. I'll come back to that.
Another focus area, intrusion prevention systems, is essentially about identifying the bad guys and keeping them out. We're very good at that. Cisco has been the number one vendor in this market in 11 of the past 12 quarters, and we have more of these devices deployed than any other vendor in this market. At last year's RSA Conference, we introduced a new security technology called "global threat correlation," which boosts the effectiveness of an intrusion prevention system by allowing it to look beyond its realm and correlate a threat between e-mail traffic and Web traffic. We've seen a 200 percent increase in the effectiveness of our IPS systems since we introduced this capability.
Regarding e-mail security, Cisco has always been a leader and continues to be so with the introduction of our hybrid hosted e-mail security capability. It allows you to do spam scanning on an appliance that sits on premise or in the cloud, and from an administrator perspective you can't tell the difference. It just works. It looks like one system. We believe that is the right architecture moving into the future. For most customers, it's not cloud versus premises. It depends on what makes sense. For example, if you want to filter for and encrypt sensitive e-mail messages, you want to do that on premise. But virus and spam scanning is capacity intensive so you might want to do that in the cloud, meaning Cisco will take care of it. A significant portion of the market is choosing a cloud-based e-mail security service because it's easier to manage, and it shifts e-mail security from a capital-expenditure model to an operating-expense model. The hybrid approach is not limited to e-mail. It's something that all of our security services will have.
In the Web gateway category, we're also way ahead of the market. A Web gateway offers protection against spyware, targeted attacks and other Web-borne malicious software while allowing a business to take advantage of Web 2.0 capabilities. As more and more major applications move to the Web as an interface, it's not enough for a security device to say simply block this site or block that site. We need to be able to give our customers more fine-grained controls so that, for example, we can let the marketing department access YouTube videos, while allowing the engineering department to do so in a way that doesn't compromise other bandwidth-sensitive applications. You don't have to block Facebook, but we want to make sure you don't take a spreadsheet full of credit card numbers and inadvertently post it on your Facebook site. More nuanced, more intelligent policies for Internet-facing traffic are what's needed.
We are also introducing a very innovative feature called SaaS Access Control, which allows a business to use cloud-based applications like Salesforce.com or Cisco Webex, and still retain complete access control independent of the application. So if an employee leaves the company, their access to cloud-based data is immediately shut off, and the company has a control point they can use to replay that employee's access to the cloud-based application. ScanSafe, which we acquired in December, allows us to take these advanced Web controls and deliver them from the cloud. The combination of ScanSafe and Cisco IronPort (we acquired IronPort in 2007) will allow us to offer our customers advanced Web controls, delivered in an appliance, in the cloud, or a hybrid mixture of both, just as we can do with e-mail.
In the area of Network Admission Control, which restricts access to a network based on a user's identity or security standing, we're taking a major step forward with the introduction of a virtual private network client and using it to authenticate a user. Cisco has a technology initiative called TrustSec that allows us to identify, authenticate and control the access to your network, whether it's a virtual private network, wired or wireless. By putting more intelligence into the network, we're providing unified access control to the network across all different media types.
What key trends are driving Cisco's security strategy?
Tom Gillis: There are two big trends that are driving a rethink of all security offerings. First is the trend toward mobility. More users are accessing more content from more different types of devices than ever before, and it's not just employees. Companies need to find safe ways to allow "outsiders" such as customers, contractors and partners to access sensitive information on devices the company can't directly control.
We're also seeing a trend toward mobility of data through cloud computing, where data is stored not on the company premises but in the cloud, whether it's software as a service (SaaS), security as a service, infrastructure as a service or platform as a service. Pick your flavor. The point is, it's more and more likely that your users and the data they're connecting to may or may not be behind the firewall.
What challenges do these trends present to security vendors, and how is Cisco addressing them?
Tom Gillis: When you combine these two trends together, you have a significant security challenge. We're all moving into a world of "borderless" businesses, where the delineation between employees and the rest of the world is increasingly blurry. Imagine a sales executive checking the company's sales forecast on Salesforce.com using his smartphone in a local Starbucks. That's a worst-case scenario from a security perspective, because there's no firewall or traditional security device in that connection. How does the security professional have basic controls over who accessed what data and when? Simple stuff like that all of a sudden becomes complicated.
In order to address this problem holistically, we need security tools that will allow our customers to embrace these changes. Go ahead, use your smartphone. Have a contractor come in and access company data. That's OK because we have a policy and a set of tools that limit their access to information. And in order to do that, you have to be able to leverage the power of the network. You have to be able to build tools that understand who you are, what application you're accessing and the content itself. They also need to be able to distribute that policy enforcement across not one, two or five locations in the world, but 10, 100 or 1,000 locations. In order to do that, you have to build it into the network. Any other approach becomes too unwieldy. And that is the Cisco advantage.
Another area that's causing a complete rethink of the way we do security is virtualization, the use of multiple operating systems on one computer. It's fantastic that customers are waking up to the value of virtualization, but it has significant security implications. We're also leading the industry in this area, and we have a number of efforts underway for how we redefine security in a virtualized world.
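The two answers above describe policy enforcement that keys on who the user is, which application they are reaching and what the content is, applied identically whether the device is on the LAN or in a coffee shop; the earlier Web gateway answer gives concrete cases (marketing may watch YouTube, engineering may too but at lower priority, Facebook is allowed but a spreadsheet of card numbers must not leave). The following is an added illustration written for this page, not Cisco code and not how AnyConnect, ScanSafe or IronPort implement anything: it is a small policy engine over a constructed directory and rule table, with a Luhn-checked content filter for outbound uploads and an audit log that can be replayed per user. All user names, groups, applications and rules are assumptions.

```python
"""Location-independent policy enforcement with an outbound content check.

Constructed example, not Cisco's code.  The decision depends on identity,
application and content; the device's location is recorded for the audit
trail but never consulted.
"""
import re
from dataclasses import dataclass

# Constructed identity directory.  A departed user is marked inactive, so
# every later request is refused at this control point even if the SaaS
# application itself still holds a valid session.
DIRECTORY = {
    "alice": {"group": "marketing", "active": True},
    "bob": {"group": "engineering", "active": True},
    "carol": {"group": "contractor", "active": True},
    "dave": {"group": "sales", "active": False},  # left the company
}

# Constructed rules: group -> application -> verdict.  Anything not listed
# is denied.  "low_priority" means allowed but marked for traffic shaping.
POLICY = {
    "marketing":   {"youtube": "allow", "facebook": "allow", "salesforce": "allow"},
    "engineering": {"youtube": "low_priority", "facebook": "allow"},
    "contractor":  {"webex": "allow"},
    "sales":       {"salesforce": "allow"},
}

# Applications whose outbound uploads are scanned for card numbers.
DLP_CHECKED_APPS = {"facebook", "youtube"}

@dataclass
class Request:
    user: str
    app: str
    action: str          # "read" or "upload"
    location: str        # informational only; never used for the decision
    payload: str = ""

@dataclass
class Decision:
    verdict: str         # "allow", "low_priority" or "deny"
    reason: str

# Replayable record of (user, app, action, location, verdict), in order.
AUDIT_LOG = []

# 13 to 19 digits, optionally separated by spaces or dashes.
_CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used to weed out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def contains_card_number(text: str) -> bool:
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

def evaluate(req: Request) -> Decision:
    """Decide a request from identity, application and content, then log it."""
    entry = DIRECTORY.get(req.user)
    if entry is None or not entry["active"]:
        decision = Decision("deny", "unknown or deactivated user")
    else:
        verdict = POLICY.get(entry["group"], {}).get(req.app, "deny")
        if verdict == "deny":
            decision = Decision("deny", f"{entry['group']} not permitted to use {req.app}")
        elif (req.action == "upload" and req.app in DLP_CHECKED_APPS
              and contains_card_number(req.payload)):
            decision = Decision("deny", "outbound payload contains card numbers")
        else:
            decision = Decision(verdict, "policy allows")
    AUDIT_LOG.append((req.user, req.app, req.action, req.location, decision.verdict))
    return decision

def replay(user: str) -> list:
    """Return every logged access attempt by one user, in order."""
    return [e for e in AUDIT_LOG if e[0] == user]

if __name__ == "__main__":
    for r in (Request("alice", "youtube", "read", "coffee shop"),
              Request("bob", "youtube", "read", "office"),
              Request("dave", "salesforce", "read", "smartphone"),
              Request("alice", "facebook", "upload", "home",
                      "Q1 sheet: 4111 1111 1111 1111")):
        print(r.user, r.app, r.action, evaluate(r))
    print(replay("dave"))
```

The same request evaluated from "office" and from "coffee shop" must yield the same verdict; that equality is the property the interview calls location-independent enforcement. The Luhn check is a cheap way to cut false positives on order or phone numbers before a real DLP engine would apply stricter classification.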
What makes Cisco unique, or at least different from competitors, in the security arena?
Tom Gillis: It's the breadth of our product line. One of the things we have focused on very heavily is providing a holistic view of security threats. We don't just look at e-mail traffic or Web traffic or IPS traffic or firewall traffic. We look at all of it. And by looking across these realms, we're able to identify and stop traffic substantially more accurately and more quickly than our competitors. There are very good companies out there that just look at e-mail, for example. But e-mail and Web are like Bonnie and Clyde: they work together to commit crimes. If you're only looking at e-mail, you're missing more than half the picture.
We can block viruses on average 14 hours ahead of when their signatures are available. We can block 90 percent of incoming spam just by looking at the behavior of the mail server. We've tripled the effectiveness of our intrusion prevention systems because of this holistic approach. Cisco, I would argue, has the strongest portfolio in all of these realms, but also the most broadly deployed portfolio. That's very important because as the Internet evolves into a more collaborative, video-based, virtualized, mobile, and experience-based vehicle, the network has to evolve with it.
Our core networking business is inextricably linked to all the market transitions you hear John Chambers talk about: video, collaboration, virtualization and so on. And these are simply manifestations of the next Internet, which the next-generation network must support. Cisco is the best-positioned company to deliver this network to customers, and in doing so, its broad security portfolio goes along for the ride as part of its fabric. So with Cisco, you get to capitalize on the next generation of the Internet as it unfolds by way of its core business, its new innovative technologies, and the security that supports it all.
You often talk about "secure borderless networks." What do you mean by that?
Tom Gillis: It goes back to what I said about trends. Cisco talks about the "borderless network," and it's a very powerful idea. Five or 10 years ago, there was a really clear delineation between employees and the rest of the world. You came into work, you worked on a desktop machine that had a wire connected to an Ethernet switch, and you could access all your applications and any information from there. That clear delineation is gone. Now people both inside and outside the organization are accessing this information from devices that are moving all around. A secure, borderless network is one that allows partners, contractors, employees, whoever your constituents are, to access information safely, securely and reliably, wherever they are and whatever devices they're using.
Cisco as a company is on the cutting edge of this borderless model. We have more than 30,000 contractors, partners and vendors, a very large community of nontraditional employees, that we allow to access Cisco information. Internally, we are already using many of the advanced security products I've talked about, and we're actively rolling out our Secure Mobility Solution. We are also quite forward thinking in terms of our policies about allowing heterogeneous device support. We support Macs and PCs of different shapes and sizes, as well as an increasing array of mobile devices. We're also very Web 2.0 oriented. We allow the use of Facebook and YouTube. In fact, we embrace these new tools and techniques because we're using our own tools to make sure they're used responsibly and safely.
Where do you see things going in the next three to five years?
Tom Gillis: I believe the onset of the handheld Internet is going to change the way we do computing in all organizations. The iPhone is a profound step forward in that evolution. It's not just a nifty gizmo we're going to forget in a few years. Five years from now, I think organizations will be much more heterogeneous in terms of operating systems. We're going to have different devices with more proprietary, closed, custom-built operating systems. From a security perspective, they'll be much "lighter" devices in the sense that you're not going to implement security using your traditional antivirus suite that you know and love today. I'm not going to run a big antivirus suite on a smartphone, for example.
Cisco's borderless security architecture involves a very lightweight agent on all these myriad devices, and the role of that agent is to make sure that every connection coming on or off the devices gets connected to a scanner in the cloud. These scanners, driven by multi-core silicon, are becoming incredibly fast, powerful and accurate. We can process five layers of antivirus, run advanced data algorithms, do advanced threat defense and acceptable use enforcement. We can run all of these policy enforcement tools in the network that you could never possibly run if you tried to run them on the end-point device. I think we're going to see a seismic shift away from the heavy end-point device to a light end-point device with a heavy network component.