Organizational Roles and Responsibility

A security role is the part an individual plays in the overall scheme of security implementation and administration within an organization.

The following roles are presented in the logical order in which they appear in a secured environment:

Apart from these, the auditor is another role, responsible for reviewing and verifying that the security policy is properly implemented and that the derived security solutions are adequate.

Case Study:

For example, say that a data owner requests more room on a system for the storage of data. The data owner strongly believes that the new data being collected will help the sales team be more efficient. However, storage on the system owner’s asset is at a premium. The system owner is unwilling to allow the data owner to use the amount of space he has requested. In this case, the business/mission owner would need to review both sides and decide whether collecting and storing the new data would result in enough increased revenue to justify the cost of allowing the data owner more storage space. If so, it may also be necessary to invest in more storage media for the system or to move the data to another system that has more resources available. But keep in mind that moving the data would possibly involve another system owner.

Security professionals should always be part of these decisions because they understand the security controls in place for any systems involved and the security controls needed to protect the data. Moving the data to a system that does not have the appropriate controls may cause more issues than just simply upgrading the system on which the data currently resides. Only a security professional is able to objectively assess the security needs of the data and ensure that they are met.

Cisco DNA Architecture Principles

So are you ready to do a deep dive into Cisco DNA? If yes, you are in the right place. In this blog, I will discuss the principles of the Cisco DNA architecture. As you are aware, any successful network architecture is based on principles that define its logical structure. Cisco DNA is built on the architecture principles below.

Open

The definition of "open" varies from context to context. In the context of Cisco DNA, it lets customers direct network operations through the following:

  • Enabling open APIs to control network elements programmatically.
  • Allowing third-party virtual network functions, such as virtual firewalls and virtual IPS/IDS, to be integrated with Cisco DNA.
  • Using standard protocols instead of proprietary ones, so that third-party vendors can integrate smoothly.

Extensible

The extensible principle refers to the flexibility of Cisco DNA to evolve as business requirements change.

  • Integration of network controllers, such as the Cisco DNA controller, with applications.
  • Inclusion of third-party applications or virtual network functions in the Cisco DNA architecture, e.g. integrating a Check Point virtual firewall with Cisco DNA.

Security

Security is one of the core principles of Cisco DNA. We will go through these aspects of Cisco DNA in later blogs. Some of the major things Cisco DNA considers are as follows:

  • Securing all APIs used to integrate the building blocks.
  • All control plane and data plane transactions must be authenticated.
  • Extensive logging of authentication and authorization transactions for compliance purposes.
  • Applications that interact with network control planes must be authenticated and authorized.
  • Support for security detection by enhancing network sensors to mitigate attacks closer to the source.
  • Provisioning devices in the network from a controller. This also heightens security: mistyped configuration commands are eliminated when network elements are provisioned from the controller.

Policy

This is something very unique about the Cisco DNA infrastructure. We have used many policies in our networks, such as configuring ACLs, to

  • Determine who can gain access to the network
  • Help classify traffic flows into the right quality of service (QoS) classes
  • Assist in Layer 4 firewall rules

But the question is: are these policies always aligned with the business goal? In most cases they evolve over time. So, are they scalable? Based on my experience, network operators are quite reluctant to remove or modify these entries, since doing so risks breaking the existing situation.

Beyond the above, these ACLs have another major drawback: they are tightly coupled with the underlying network infrastructure. Imagine a policy defined for a set of users in Building A. If one of these users moves to Building B, the policy cannot be applied unless the same policy is configured there as well. Hence, in this case, we need to follow the user and configure the policy accordingly.

However, with the Cisco DNA infrastructure, "policy follows the user." How? Cisco DNA focuses on aligning business goals with the services delivered by the network: services that are tied to users, applications, and devices, not to topology.

Programmable

Gone are the days when a technology subject matter expert (SME) needed to know all the hardware and software details, the physical and logical topology diagrams and the traffic path for a particular network element, and troubleshot such networks by logging into devices and configuring them through different CLIs depending on the OS type, such as IOS or AireOS. Traditional practices have the following drawbacks:

  • Multiple SMEs
  • Error-prone
  • Slow deployment and troubleshooting

Network automation is essential not only to reduce OPEX but also to increase the speed at which new network, business, or security services are introduced.

Software-driven

Cisco DNA is developed with a software-driven mindset because new functionality can be developed in a fraction of the time compared with hardware.

The majority of Cisco DNA functions are driven by software, such as:

  • Functions to forward and manipulate IT traffic flows
  • Centralized control of network elements
  • Intelligent algorithm development for optimized operation
  • Programmable ASICs

Cloud integration

There is a great benefit in using a cloud provider to host applications: it avoids the capital costs of building up data center infrastructure and the operational costs of running it.

In Cisco DNA, different cloud models are fully integrated, including private clouds, virtual private clouds, hybrid clouds, and public cloud environments. This integration is designed at both the transport layer and the control layer of the network.

Value Proposition of Cisco DNA … Part 2 … Business View

Hello Everyone! This is a continuation of my previous blog in the Cisco DNA series. Here, we will look at how Cisco DNA maps to and implements the business values discussed in the earlier blog.

Refer to the picture below for a complete summary.

Cost Reduction through ASICs

Cisco has evolved its products by leveraging custom-engineered, programmable and flexible hardware application-specific integrated circuits (ASICs), which will double the average lifespan of devices compared with their fixed-ASIC counterparts, thus reducing CapEx.

Cost Reduction via Automation

Concerning OpEx, automation plays a pivotal role in reducing the following costs:

1) Faster Day-0 deployment
2) Reduction in the time it takes to configure network devices
3) Reduction in troubleshooting time
4) Automatic implementation of time-intensive projects such as end-to-end QoS deployment
5) Automation of bootstrapping and configuration
6) Automation of licensing and authentication

Risk Mitigation with Integrated Security Module

Analytics capabilities allow security tools to establish baselines for a standard security environment and provide automated alerting and, in some cases, remediation when the network security environment shows an anomaly. This use of the network as a security sensor can reduce mean time to repair (MTTR), preventing disruption to the business.

Meaningful Insights with Analytics

With the help of artificial intelligence and machine learning, Cisco DNA lays the foundation for auto-remediation and thus a self-healing network.

Network analytics goes beyond detecting security anomalies to identifying customer patterns that improve customer experience.

Agility through OPEN API

As discussed previously, refer to the picture below: it explains how Cisco DNA adds value at each layer to deliver business agility.

At the infrastructure layer, Cisco DNA can detect network failures and threats much faster than any previous solution. It can also push remediation and quarantine policies to the network infrastructure in real time.

At the application layer, it can be integrated with business applications to provide network resources on demand.

At the operating layer, it can also integrate with non-network nodes such as digital displays, lighting and air conditioning, resulting in better experiences, improved efficiency and more business opportunities. It also saves significant time and money in network operations and troubleshooting, giving your employees more time to innovate and work on other projects.

At the business layer, it enables business transformation: businesses can now identify and capitalise on new opportunities, markets, and business models, and provide their leaders with organisational insights such as:

  • Where are employees working?
  • How long are they in meetings?
  • How much time do employees get to spend with their managers?
  • Do employees work in teams or silos?
  • Which teams work well together? Which don’t?

There are other benefits that Cisco DNA brings along with those mentioned above:

  • Error-free service deployment (because configuration is done in an automated fashion rather than manually)
  • Consistent network operation across different segments (i.e. routers, switches, access points, wireless LAN controllers)
  • Detailed reporting in case of failure
  • Flexibility in terms of scale and variety: every day new clients are onboarded to the network, irrespective of how they connect. Flexibility is therefore also required from the network to support a variety of network and business applications that are increasingly dynamic.

In 2017, Cisco worked with International Data Corporation (IDC) to develop a five-state Digital Network Readiness Model, as shown in the figure.

Cisco Digital Network Readiness Model (Source: www.cisco.com/go/dnaadvisor)

In the next blog of this series, we will do a deep dive into the Cisco DNA architecture on the technical front. Till then, please stay tuned.

Enterprise Architecture & Security Control Framework

A security program is a framework made up of many entities: logical, administrative, and physical protection mechanisms; procedures; business processes; and people that all work together to provide a protection level for an environment. Each has an important place in the framework, and if one is missing or incomplete, the whole framework may be affected. The program should work in layers: each layer provides support for the layer above it and protection for the layer below it. The mindmap below explains most of the enterprise architecture and security frameworks discussed in the CISSP exam.

One of the most important security planning steps is to consider the overall security control framework or structure of the security solution desired by the organization.

One can choose from several options in regard to security concept infrastructure; however, one of the more widely used security control frameworks is Control Objectives for Information and Related Technology (COBIT). COBIT is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). COBIT is based on the following five principles:

Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management

There are many other standards and guidelines for IT security. A few of these are:

  • Open Source Security Testing Methodology Manual (OSSTMM): A peer-reviewed guide for the testing and analysis of a security infrastructure
  • ISO/IEC 27002 (which replaced ISO 17799): An international standard that can be the basis of implementing organizational security and related management practices
  • Information Technology Infrastructure Library (ITIL): Initially crafted by the British government, ITIL is a set of recommended best practices for core IT security and operational processes and is often used as a starting point for the crafting of a customized IT security solution

Intent Based Networking (IBN)

This blog is a continuation of my previous blog, where I discussed the business requirements of enterprise network architecture. Refer to the hyperlink mentioned for details. Before I start with Cisco DNA, let's understand Intent Based Networking.

So what does Intent Based Networking (IBN) mean? I am sure everyone agrees with me that this is the latest buzzword in the market, one we have been hearing for the last year. So, do you think it is something new? Well, if you ask me, yes, it is a new buzzword, but the concept has been with us for the last two decades.

Then the next question is: what is it?

The SDN framework is considered the basis for the definition of Intent-Based Networking (IBN). It begins with the expression of business intent. So, what is business intent?

  • This application is very critical to my business and should be up 100% of the time.
  • Only a specific group of users can access these applications and services.
  • If one of the devices is infected, it must be quarantined.

Business intent explains only "what" you want, not how you want it, e.g., placing an order for a phone using an online shopping portal. In this case, you intend to get the phone; how the phone gets delivered to you and which retailers were used to procure it do not matter at all. That decision is up to the shopping portal.

Therefore, Intent Based Networking helps us deliver this business intent by expressing it over the network. The picture below depicts what happens "behind the scenes" in an IBN system.

In the translation phase, the input is the business intent, which defines "what."

In the validation phase, the IBN system validates the business intent to make sure it is possible, and the network device configuration that explains "how" is generated for the network devices.

This business intent needs to be expressed across the network; therefore this configuration must be pushed onto hundreds or thousands of network devices, and deployments at that scale are error-prone. Hence it needs automation/orchestration, which allows a network operator to treat thousands of network devices as a single software-enabled, programmable entity.

The resulting network state must be analyzed to provide assurance that tells us whether the intent was delivered; if not, remediation action should be taken.

Additionally, an IBN system should be continually self-learning, so that it can understand:

  • What is normal versus abnormal?
  • What are the most common root causes of issues?
  • What are the most effective remedial actions for a given issue?

With these capabilities of IBN, such a system becomes not only smarter, but also more reliable, available, and adaptable to ever-evolving business requirements.

If you look at the last 15 years, IT vendors have promised dynamic, self-configuring, self-optimizing infrastructures, but for most enterprises this promise remains largely unfulfilled. That's why I said earlier that the concepts of IBN have been around for two decades.

Hence, IBN systems are changing the way networking was done in the past. They enable network managers and engineers to deal with the network less in terms of port-by-port and device-by-device configurations and more in terms of the desired outcome at a higher level.

So, are you ready for Intent Based Networking? While IBN systems benefit enterprise organizations to a great extent, we should also keep in mind the implications for your IT staff.

  • Being a new technology, it can take some of your IT staff out of their comfort zone.
  • The evolution of automation in networking has already given network engineers a bitter experience.

Cisco DNA is an IBN system that promises to fulfill all of the above.

In my next blog, we will take a close look at how the business requirements mentioned in the previous blog map to IBN systems such as Cisco DNA.

Value Proposition of Cisco DNA … Part 1

In this blog (the first one on Cisco DNA), I would like to share some of the value propositions offered by Cisco's brand new solution for the enterprise industry, i.e. Cisco DNA (Digital Network Architecture).

Last week, a few colleagues and I were discussing over a cup of tea (in India also known as "Chai Pe Charcha"), and suddenly this topic popped up. All of us started talking about this technology: one said this might be just another piece of marketing/technology jargon that does not help much in the real world. Blah... blah... blah.

Coincidentally, I didn't agree with their thoughts and said there must be something interesting about this product/technology, because the whole enterprise industry is shifting towards it. If most companies are adopting it and doing pilot installations or early field trials, it must be solving some purpose. Therefore, I decided to do some research on it and share the knowledge gained.

Before I start with DNA, let's understand the business requirements of enterprise network architecture.

Based on industry trends, most organizations are in a phase of digital transformation to gain competitive benefits, and the network infrastructure serves as a common point among all elements of digital change, including users, end devices, applications, and Internet of Things (IoT) devices. Let's take a look at the picture below:

In a typical enterprise environment, we can flex "compute" at any point in time, and similarly we can flex "storage" very quickly, but when it comes to the network it is not that easy. It requires numerous efforts in planning, design, implementation, testing, and handing over to operations.
Therefore, the network is one of the most significant barriers to business evolution. Traditional networks are disconnected from growing businesses, end users and application needs. We therefore need to evolve these networks so that they are secure, agile, flexible, intelligent and simple to operate.

These evolving requirements demand a new architecture and design approach that can add significant business value to the enterprise. There could be many business requirements for digitally transforming networks, but they can all be grouped into four categories.

  1. Cost Reduction & Innovation
  2. Risk Mitigation
  3. Meaningful Insights driving experience
  4. Agility

1. Cost Reduction & Innovation

There are two major costs associated with the network:
1) Operational Expenditure (OpEx)
2) Capital Expenditure (CapEx)

Based on a 2016 McKinsey study of network operations for Cisco, companies spend over $60B on network operations and labor. Imagine this cost if we consult a recent study on IP traffic: IP traffic will increase by more than 2.x-fold by 2020 (per the Cisco Visual Networking Index forecasts), and with the addition of more and more IoT devices these numbers are going to increase drastically. Managing these devices in the traditional way is going to be a cumbersome job for IT infrastructure operations. Hence, operational cost is increasing day by day.

As businesses evolve, infrastructure grows and the network needs to scale as well. Capital expenditures can also be economized by network infrastructures that are elastic, flexible, and agile. Such gains are realized when scalability is flexible and easily achieved, with the seamless ability to make moves, adds, and changes (MAC) as specific network demands shift.

In the coming years, the network must operate to comply with evolving application needs. Hence, we need an agile network that can reduce cost without the need for expensive hardware and installation man-hours.

In this article, innovation specifically refers to moving resources into new business or organizational areas to drive new business. Due to the reduction in time spent on network operations, the enterprise can now focus on further investment in innovation.

Another measure of innovation could be an increase in the percentage of network staff time allocated to new projects. What did those organizations do with the additional time? For example:

  • Employees can focus on more trending technologies such as Cloud and SDN.

2. Risk Mitigation

As more and more IP devices, including IoT, are onboarded onto networks, new security challenges and threats arise. A malicious actor can exploit one of the vulnerabilities and breach the enterprise network to harm the organization.

With the rapid growth of public/private cloud-hosted applications, Bring Your Own Device (BYOD), and mobile workers, threat actors find multiple ways into the network from both the inside and the outside; this mandates that network security take a 360-degree approach.

The organization must also comply with regulations such as PCI DSS. Failing to do this can result in harsh fines and penalties, which may further impact productivity. In such a case, organizations may benefit significantly from an automated and systematic approach to enforcing compliance through their architecture.

Reliable and secure operations are essential not just for risk mitigation but also for enabling the organization to further its digital transformation. Another significant benefit is giving the organization the confidence to roll out new digital capabilities and services with minimum risk (on-time delivery, compliance, service levels, etc.).

3. Meaningful Insights driving experience

In today's world, every enterprise has tons of data that is increasing very rapidly. However, very few enterprises get any meaningful insights out of it. These insights are constructive for customer experience. For example, a retail customer might be interested to know:

  • Who is buying our products?
  • Where are our customers buying it?
  • When are they buying it?
  • Why are they buying it?
  • What do they like about it?
  • What don’t they like about it?
  • Is our product or service meeting their needs?
  • Are there customer needs that our product or service doesn’t meet?

Similarly, the same customer might be interested in insights that help to understand employee experience.

  • Are our employees able to achieve their work goals?
  • What applications are our employees using to meet their goals? The categories of applications could be one of the below:
    • Unified communications (voice, video) and collaboration applications
    • Cloud-based/SaaS business applications
    • Mobile applications
    • IoT applications
    • Business transactions applications
  • Where are they using these applications?
  • Are these applications meeting their needs?
  • Are there any needs that are not addressed?
  • What do they like about these applications?
  • What don’t they like about these applications?
  • How well are these applications performing?
  • How much does it cost to run these applications?

Similarly, there could be many insights that could help the IT network operations team, such as for compliance and security purposes.

4. Agility

So, do you think insights alone would help the enterprise in today's world? The answer is "No", because the enterprise wants to take certain actions to improve its employee/customer experience. It is like visiting a doctor who tells you that you have an infection but does not tell you which medicine to take.

Hence, we need to know the right set of actions to take if there is any abnormality. The term "agility" varies with context. Refer to the picture below to understand agility at the different layers of the enterprise.

@ Infrastructure layer: agility refers to self-defending/self-healing networks, such as

  1. If one of the access points goes down, another access point should be able to increase its power level automatically.
  2. Resolving err-disabled interfaces
  3. Patching/fixing based on the known-bug knowledge base.
  4. Fixing memory leak / CPU utilization issues.

@ Application layer: agility refers to applications interacting with the network infrastructure to deploy services, such as

  1. QoS policies for enterprise VoIP applications
  2. WAN policies for critical application data replication, i.e. backup and restore.

@ Operate layer: agility refers to automation that can take over mundane tasks. A few examples could be

  1. Executing a command script on all routers and switches.
  2. Generating a compliance report
  3. Rebooting a set of devices

@ Business layer: an agile organization can reduce the time needed to deploy new business-enabling applications and services, and bring new products and services to market faster and more reliably with a higher customer acceptance rate. Examples could be

  1. Time to bring a new branch online
  2. Time to market for new products and services

Please stay tuned for my next blog in this series, where we will look at how DNA meets the business requirements mentioned above.

Till then, your comments/feedback are appreciated; I will update this blog based on your inputs.

Intellectual Property Law

So far we have seen who is "right" or who is "wrong." Let us take a look at how a company or individual can protect their intellectual property from being reproduced.

Intellectual property can be protected by several different laws, depending upon the type of resource. Intellectual property is divided into two categories: industrial property, such as inventions (patents), industrial designs, and trademarks; and copyrighted property, which covers things like literary and artistic works. These topics are discussed in more detail in the following mindmaps.

A simple rule of thumb for understanding the difference between patents and copyrights: consider a "patent" as protecting an "idea" and "copyright" as protecting the "implementation of an idea."