Security: Protecting Ourselves, Our Businesses, Our Customers and Our Future

While Operation Aurora, Zeus, and Conficker have garnered some national attention (fading), the mainstream user population remains relatively unphased by these security risks and the dangers they pose to both their workplace and home. High profile breaches from the likes of Blue Cross and HSBC have done little to raise awareness and anger over security mishaps. Heck, even attacks against the beloved site Facebook are nothing more then annoyances that are becoming commonplace for their millions of loyal users.

I find it humorous when people refer to Operation Aurora attacks as primitive or unsophisticated. The question is not how sophisticated or elegant an attack is, but rather how effective is the attack itself? Early denial-of-service attacks were not sophisticated but they were deadly. Remember the old SYN Flood or Ping of Death attacks?

Like all industries, cyber criminals come in varying levels of expertise and knowledge. Let’s face it, some are down right brilliant across multiple areas; finding exploits, writing virus or malware programs, finding a delivery mechanism, and avoiding detection. Others aren’t as gifted, but they do have the ability to cook up schemes and piggy back on the work of others (Zeus) to create havoc and personal gain. Remember, the good guys have to be right all the time while the bad guys only have to be right once.

IT security is a waltz between classic security elements such as firewalls and virus scanners, applications, servers, clients, networking, storage, virtualization, and people. While it is always exciting to deploy the latest security gadget, one cannot discount the role people play in IT security. Communication, understanding, flexibility, and a willingness to work together are just a few of the keys to creating and maintaining a positive environment for meaningful IT security.

Finally, IT security must transcend silos to view the big picture and think strategically. If we view each discipline as a puzzle piece, then only by putting all the pieces together does the true picture reveal itself. Like any piece of art, the picture must be shared across the disciplines and various levels within an organization to garner perspective and insight. This can only be accomplished via automation, correlation, reporting, and more; a must-have not a nice-to-have in any enterprise. Why is this principle accepted for financial data displayed within multi-million dollar business intelligence portals yet not understood for security?

In the end, we are all human and no piece of hardware or software is perfect. However, through communication, visibility, and vigilance we can protect ourselves, our companies, our customers, and our future.

Is Cisco for or against automation?

Cisco has long understood the need to market to the Executive/Board Room as-well-as to the Network Engineer; Wall Street and Main Street.  Throughout the years, we have watched John Chambers and company move from an obscure little company to the bell weather of high technology.  Additionally, we have watched Cisco’s certification program move from an obscure “nice to have” to the gold standard of networking professionals.

Today, Cisco Certified X (CCx) is not only obtained by network engineers, but by sales, marketing, and other executives alike.  Why?  Simply put, CCx materials give individuals an excellent education on just about any modern day network infrastructure; routing, switching, cable infrastructure, and more.  Whether or not you take the test is usually based on career/industry advancement (who pays) as well as personal preference toward certifications.

Of course, Juniper Networks has a program of their own and offers a demanding certification called Juniper Networks Certified x (JNCx).  However, Juniper does not have the breadth and depth of products or the market penetration of Cisco, particularly in the enterprise.

The brilliance of Cisco’s certification program is twofold; it gives network engineers a career path and it provides Cisco an army of loyal and trained users.  Resellers and Customers were willing participants in training thousands of network professionals proudly displaying their CCx’s on desks and resumes.  In fact, some companies base career advancement, bonuses, and salary grades on the level of certification that one obtains.  A byproduct of this has been the elevation of Cisco’s IOS CLI to the standard of networking devices; a fact that Juniper continues to fight everyday with JUNOS.   In-turn, this creates bias and a competitive advantage for Cisco vs. competing devices because it’s “just IOS or an IOS derivative” and I know that already.

Today, the winds of change may be blowing as Companies are realizing the economic impact of this system.  In a way, organizations around the world have subsidized Cisco’s growth by providing the means for their staff to become a CCx to the detriment of their bottom line.  This includes hiring of individuals with top-of-the-line CCx certifications, paying for training, paying for tests, promotions, and losing certified individuals to rivals or other organizations.

Compounding the need for CCx or JNCx certifications is the utter lack of automation within the networking industry.  Enterprise Management Systems are inadequate, PERL (the adopted language of networking) knowledge is not easy to find and a bit too powerful for many and third party Network Change and Configuration systems are fighting the commodity label.

In a world where the ratio of network engineers to network devices is ever increasing and the notion of single-vendor (Cisco Powered) deployments is losing steam, why do we accept the idea that manual intervention is the best way to manage our networks?  Why are CCx or JNCx working on less complex activities?   Why are operations personnel beholden to the networking engineering teams?  What good are BPM and BRE if the end result is a human rather than an automated action?  Why allow a PERL developer to be in command of complex changes without guardrails, auditing trails, or (in some cases) networking skills.

Companies are beginning to realize that automation within networking will improve operational efficiencies, reduced downtime, improve SLAs, and reduce MTTR.  They are awakening to the fact that the best use of a CCx is not to be turning up or down ports or building initial configurations; instead it is performing advanced troubleshooting, deployment, or visionary functions.

Automation is paramount to cloud computing, PAAS, SAAS, or whatever else you want to call it.  We can no longer allow networking, or storage, to be the last bastion of manual over automated management.  For a datacenter to be truly cloud-like, most activities across the OSI stack must be automated.   Perhaps, networking is the most important piece as without it nothing works.

It is time for Cisco to get serious about network, storage, server, and security automation.   What happened to the early ideas of a self-managing, self-healing, self-defending network?  If Cisco wants to transform itself into a software company, then transform network management into true network automation.