2016 (ISC)2 Security Congress General Session to Focus on CISO Impact

Chief information security officers and their teams must lead their organizations into adopting safe business practices. In our increasingly connected world, this goal is more important than ever. Speaking the language of the C-suite and the board, and translating information security into business terms is key for CISO success.

The General Session at this year’s (ISC)² Security Congress will help CISOs chart their paths to successful leadership and cybersecurity practices. “CISO Impact: Driving Security Into the Business” will be presented by Phil Gardner and Stan Dolberg. Both speakers are executives at IANS, an information security advisory and consulting firm: Gardner is founder and chief executive officer, and Dolberg is chief research officer.

The session is based on IANS’s data-driven leadership framework, CISO Impact™, which draws on research with more than 1,000 information security teams, including many (ISC)² members. The session will take place on Thursday, September 15 from 8:00-9:00 a.m.

Gardner founded IANS in 2001 and currently oversees strategic and operational decisions. He has seven years of service in security with the U.S. Navy as a strike fighter pilot and ordnance requirements officer. He received his B.A. from Harvard University, as well as his MBA from Harvard Business School.

Dolberg has been the chief research officer at IANS since 2015. Before joining the organization, he ran his own consulting firm working with CEOs and boards of technology companies, addressing key questions about markets that affect sales velocity. He received his B.A. from Harvard University and his MBA from the Carroll Graduate School of Management at Boston College.

Along with the General Session, full-conference attendees will have access to more than 90 educational sessions, as well as the exhibit floor, Career Pavilion, and Solutions Theater. This year’s Security Congress event has 11 tracks:

  • Application Security/Software Assurance
  • Cloud Security
  • Forensics
  • Governance, Regulation and Compliance
  • Incident Response
  • Malware
  • Mobile
  • People Centric Security
  • Professional Development
  • Swiss Army Knife
  • Threats: Inside & Out
  • Threat Intelligence

While the first session takes place Monday morning, September 12, (ISC)² members are invited to attend the annual Town Hall meeting the day before, Sunday, September 11. (ISC)² leadership, including CEO David Shearer and board members, will be available to answer questions about membership, certifications and more. Questions may be submitted to the panel via email at congress@isc2.org or tweeted to @ISC2Congress on Twitter (use #Congress16TownHall).

This year’s (ISC)² Security Congress will take place in Orlando, Florida at the Orange County Convention Center from September 12-15, 2016. The event will be co-located with the ASIS International 62nd Annual Seminar and Exhibits, once again bringing together operational security and cybersecurity professionals. Billed as the best-value and largest industry event of the year, it is expected to draw more than 20,000 professionals from around the world. For more information, or to register to attend, please visit http://congress.isc2.org/.

[(ISC)² Blog]

SDN Concerns and Benefits

Software-defined networking (SDN) is the next big focus in network intelligence. When the network is virtualized into a software-driven layer, operations become more automated with less administrative overhead: administrators gain deep, programmatic control over the network fabric while costs go down. However, as enterprises look to adopt SDN, the top issue is security. As with any software-based, interconnected system, whenever we shift responsibility for day-to-day activities and operations to programmable software, we invariably introduce an element of risk. Whenever resources are reachable over a network, there is always a chance of their being compromised.

Whether an SDN deployment is a straightforward standards-based solution or proprietary technology from a single vendor, all SDN technologies create the same problem for organizations: they are forced to trust and depend on software that is new, relatively complicated and not fully understood. Although the positives of SDN are well known and widely discussed, the negative impact of its being exploited is still a black box. For example, which SDN vulnerabilities must the organization be aware of? Do these vulnerabilities take different forms in the control layer than in the data layer? What does an SDN rootkit or man-in-the-middle attack look like? Does an SDN worm have a different DNA, making it harder to identify than a traditional worm? The problem with SDN is that each control point on the network becomes a potential target. If weakly protected, it can be turned into an entry point for attackers, who can then conceal that entry point from monitoring and management watchdogs.

It should also be noted that as new-generation technologies overhaul the traditional network setup, the organization’s operational support systems (OSS) become more dependent on automation and software. Humans could find it harder to identify network security issues once the SDN fabric is in place.

The future of SDN is promising, with obvious business benefits. In the early days of application programming, however, security was not given enough attention to ensure that it was embedded in each line of code and reflected in the architecture and design of applications. The industry still feels the impact of that misstep today. Organizations can only try to anticipate what attackers may target in SDN. SDN implementations, their protocols and the controller software are all new, and our knowledge of SDN attacks is limited. Before an organization embarks on an SDN deployment, the key will be how it plans to secure the system at the early design stage, and how it continues to implement strategies and processes around it as knowledge of SDN vulnerabilities grows.

Read Nikesh Dubey’s recent Journal article:
“From Static Networks to Software-driven Networks—An Evolution in Process,” ISACA Journal, volume 4, 2016.

Nikesh Dubey, CISA, CISM, CRISC, CCISO, CISSP

[ISACA Journal Author Blog]

An In-House Security Approach for Cloud Services That Won’t Drive Your IT Department Insane

“If your security sucks now, you’ll be pleasantly surprised by the lack of change when you move to cloud.” — Chris Hoff, Former CTO of Security, Juniper Networks

The chances are, almost everyone in your organization loves the convenience of the cloud for data storage and for collaborative workflow needs. And why wouldn’t they, when documents and files are now easily accessible to all team members, whether down the hall, in another state or even on another continent? From a cost and operations perspective, cloud storage is certainly pretty compelling. However, “almost everyone” might not include CIOs, CISOs and their teams, who often harbor concerns about the security of data in the cloud, particularly where sensitive data is involved. I have similar misgivings. I’m not saying that we should not use the cloud, but I do believe that we can improve how we secure sensitive data stored on it.

Blue Skies or Dark Clouds Ahead?
In a recent report titled “Blue Skies Ahead? The State of Cloud Adoption,” Intel Security said that IT decision makers are warming to the cloud along with the rest of us, with 77 percent saying they trusted the cloud more than they did a year ago. This hides a darker reality: only 13 percent of respondents actually voiced full trust in the public cloud, with 37 percent trusting their private cloud. Surprisingly, a full 40 percent of respondents claim to process sensitive data in the cloud, indicating that there is both room and a real need for cloud security improvement.

Adding Peace of Mind to Cloud Storage
When I hand over data to a third party, I want to be sure that they are not only contractually obliged to look after it properly but are actually equipped to do so. This means protecting it from accidental loss, malicious attacks and silent subpoenas, among other threats. Logging and multi-factor authentication are part of the tool kit that can be implemented, as is encryption. There is an existing (and growing) awareness of the importance of encryption, which is why most cloud service providers offer encryption options of one kind or another. But too frequently the third-party vendor is doing the encrypting and holding the keys, which isn’t very reassuring, to say the least.

Fundamentally, the best way to ensure data is safe and managed well is to pre-encrypt it before it’s sent to the cloud. Coupled with a policy of keeping key management in house, these precautions should allow for several hours of blissful sleep each night for members of the IT security team, whether the cloud is public, private, or a hybrid of the two! Other approaches include using two or more different vendors to handle the different parts of the storage solution: one vendor can manage the keys while the other manages the storage itself. Key wrapping is another way to reduce risk: the end customer manages master keys that in turn wrap the document keys, giving you some assurance of isolation between your data and that of other customers stored on the same cloud, as well as control over document access. Through these approaches, you can provide a significantly higher level of protection for data stored in the cloud.

Encryption is the best tool we have for protecting sensitive information, so we need to use it to support and enable our expansion to the cloud. As seen above, the devil is in the details of how we do it, but keeping control of the keys is fundamental. Of course, there is also the issue of how strong the keys you are using are, but that is a topic for another day….

Jane Melia, VP/Strategic Business Development, QuintessenceLabs

[Cloud Security Alliance Blog]
