|By Lisa Lorenzin||
|October 18, 2012 02:00 PM EDT||
A wealth of security information exists in our networks from a variety of sources - policy servers, firewalls, switches, networking infrastructure, defensive components, and more. Unfortunately, most of that information is locked away in separate silos due to differences in products and technologies, as well as by companies' organizational boundaries. Further complicating the issue, information is stored in different formats and communicated over different protocols.
An open standard from the Trusted Computing Group (TCG) offers the capability to centralize communication and coordination of information to enable security automation. The Interface for Metadata Access Points - IF-MAP for short - is like Facebook for network and security technology, allowing real-time sharing of information across a heterogeneous environment.
IF-MAP, part of TCG's Trusted Network Connect (TNC) architecture, makes it possible for any authorized device or system to publish information to a Metadata Access Point (MAP), a clearinghouse for information about who's on the network, what endpoint they're using, how they're behaving, and many other details of the network. Systems can also search the MAP for relevant information and subscribe to any updates to that information. Just as IP transformed communications, IF-MAP revolutionizes the way systems share data.
Security automation is any part of a security system that is able to operate without - or with only limited - administrative involvement. As shown in Figure 1, a security administrator can define a unified security policy that applies to different types of protective mechanisms, such as next-generation firewalls (NGFW), intrusion prevention systems (IPS), unified threat management (UTM) systems, and more. Best-of-breed components from multiple vendors can share information using a standard information bus.
Figure 1: Effective security automation includes several protection mechanisms.
This coordination can extend beyond front-line access control products to back-end systems such as authorization databases, virtualization technology, and reputation systems. A policy server might create and modify policy based completely on the information received from other resources in the environment.
Logs from multiple sources can be collected and correlated by a security information and event management (SIEM) system, which itself acts as both a consumer of information and a provider of real-time intelligence based on that information. Security operations personnel can easily oversee activities in the network and provide human intervention in cases where full automation may not be achievable or desirable. Security automation enhances fundamental security solutions, adding dynamic, responsive, intelligent decision-making.
Establishing Network Trust
One of the basic solutions enabled by the TNC architecture is Comply to Connect, which incorporates Network Access Control (NAC) principles - an endpoint must first show its compliance with selected endpoint health requirements before being granted access to the network. Figure 2 shows a common Comply to Connect scenario.
Figure 2: The TNC architecture enables evaluation and enforcement of compliance at admission.
The endpoint, on the left, is a device attempting to access a protected network. The enforcement point is a guard that grants or denies access based on instructions from the policy server. The policy server is really the brains of the operation; it looks at the configured policy and decides what level of access should be granted. Then it informs the enforcement point, which executes those instructions.
Many enforcement options exist; the example in Figure 2 shows a wireless access point and a switch, but environments may also use a firewall or a virtual private network (VPN) gateway. Each of these has its own pros and cons; for example, a wireless access point with 802.1X can totally block unauthorized users. But while it provides admission control, it doesn't offer enforcement deeper in the network. For that reason, most NAC solutions support a combination of different enforcement points, which can be used individually or in combination.
The security policy controlling the compliance check shown in Figure 2 is quite simple: every Windows 7 endpoint on the network must have a self-encrypting drive (SED), up-to-date anti-virus protection, and a personal firewall. When a new Windows 7 endpoint comes on the network, the enforcement point will query it and then consult the policy server. If the endpoint complies with security policy, it is given access to the production network. Another endpoint that does not have an SED may be given only limited access to the network. That way, if either endpoint is lost or stolen, protected information is only on the endpoint that could store it securely on an SED.
Expanding Network Trust Evaluation
Behavior monitoring is another way to evaluate an endpoint. Many security-related sensor devices are already deployed in networks to monitor behavior: intrusion detection systems, leakage detection systems, endpoint profiling systems, and more. The TNC architecture lets users integrate those existing systems with each other and with the NAC solution by sharing information via a MAP.
Figure 3 shows an approach to check behavior. Security sensors in the network monitor behavior, and a security policy identifies acceptable behavior.
Figure 3: Behavior checking enables automated response to changes in the endpoint's activity.
Once an endpoint has connected to the network, even if it has passed authentication and compliance checks, it could behave in an unauthorized fashion. If the endpoint starts violating security policy by trying to spread a worm, that traffic is detected and stopped by an IPS sensor.
Even more important, that sensor publishes information to the MAP about the attack it stopped. The MAP notifies the policy server, which evaluates its security policy and instructs the enforcement point to move the endpoint to a remediation network until it can be addressed.
The end result is an entire network security system that is working together. Each part performs its function, and each piece is integrated with the whole using the open IF-MAP standard.
Extending Security to Mobile Devices
TNC standards have enabled NAC to evolve into a foundation technology for business requirements such as mobile security and Bring Your Own Device (BYOD). A common scenario in today's connected world occurs when a mobile user accesses the Internet and social networks on a personal device, such as a smartphone, which they also use to access their corporate network. If the smartphone inadvertently becomes infected with malware, corporate data on that device is now at risk. And it's even worse when the user connects their smartphone to the corporate network; the attacker, who has taken control of the device, can access sensitive information.
This situation occurs when a company's security team lacks the tools to accommodate employees using their own consumer devices to improve productivity. Without the appropriate technology, the IT team cannot:
- detect malware on the mobile device
- protect the user from cloud-based threats
- control access based on user identity, device, and location
- coordinate security controls to protect sensitive information
This clearly needs a new approach!
Addressing the new requirements of BYOD and providing broad protection involves flexible deployment models that can be tailored to individual environments and security context, and coordination to keep users protected against the dynamic threat landscape.
Security automation makes it possible to detect and address compromised mobile devices; protect the user from malicious sites and applications; restrict network and resource access based on user identity, device, and location; and correlate endpoint activity monitoring across the corporate network infrastructure.
Leveraging Standard Network Security Metadata
These capabilities are enabled by TNC's standardization of basic metadata for network security. Metadata is the information stored in a MAP, representing anything that is known about the network: traffic flows, scan results, user authentications, or other events. In the case above, metadata represents information about network components and applicable security policies. The MAP is a clearinghouse for metadata; MAP clients can publish metadata to it, search it for specific metadata, and/or subscribe to metadata about endpoints in the network.
These inquiries include common things that it might be helpful to know about an endpoint - the type of device, identity of the user operating the device, role assigned to that user, association between the MAC address and IP address of the endpoint, location of the endpoint, and any events related to that endpoint.
Extending Security Automation to Other Use Cases
While standard metadata is useful for out-of-box interoperability, much more information about an endpoint or a network is available. IF-MAP can be extended by creation of vendor-specific metadata, similar to Vendor-Specific Attributes (VSAs) in RADIUS, enabling anyone to publish anything that can be expressed in XML!
Imagine a manufacturing line, where a physical process is controlled by a digital component called a Programmable Logic Controller (PLC). An operator display panel, the Human Machine Interface (HMI), is typically physically remote from the actual process that needs monitoring. As changes in the process occur, the operator display updates in real-time.
Many HMIs use a legacy protocol called Modbus to poll the PLC, retrieve these process variables, and display them. Originally designed to be run over a serial connection, Modbus has been ported to TCP. One of the problems with the Modbus protocol and many others in this space is that there are zero security features in the protocol - no authentication, no authorization - which means no way of knowing whether a requestor is authorized to gain access requested, or even who is sending data the request. If an endpoint (or intruder) can ping the PLC, it can issue commands to it!
Many control systems components operate this way. Until now, they have been small islands of automation with very little interconnection to other systems. Running over a serial bus required physical serial connections - typically, the operator had to be present in front of the machine to affect it, so physical security was sufficient. And once these systems are in place, they are designed to stay in production for decades. So now these systems are getting more and more interconnected with the enterprise network - and, by extension, to external networks - and they encounter the same types of security issues as enterprise systems.
Overlaying Security onto Industrial Control Systems
A single manufacturing line could have hundreds, or even thousands, of these PLCs. Replacing them is out of the question, as is retro-fitting them to add on security. But what if a transparent security overlay was inserted to protect these legacy components?
Deployment and lifecycle management for such an overlay would be a huge challenge - unless there was a mechanism for provisioning certificates, communication details, and access control policies to the overlay components. That's exactly what one manufacturing company has done with IF-MAP, by using vendor-specific metadata for provisioning of certificate information and access control policy, as shown in Figure 4.
Figure 4: IF-MAP enabled security overlay protects industrial control system components.
The first step is to add the overlay protection. In this case, the enforcement points are customized components, designed for Supervisory Control And Data Acquisition (SCADA) networks, that can create an OpenHIP "virtual private LAN" on top of standard IP networks. This requires no changes to the underlying network, protects communications between SCADA devices, and is completely transparent to the protected SCADA devices.
A MAP and a provisioning client enable centralized deployment, provisioning, and lifecycle management for the myriad enforcement points. The provisioning client publishes metadata to the MAP to define the HMIs and PLCs and to specify security policies that allow them to talk to each other, but do not allow external access to them.
For example, when an HMI comes into the network and queries for a PLC, the HMI does an Address Resolution Protocol (ARP) lookup. The enforcement point receives that traffic, searches the MAP, and finds the access control policy determining whether this specific HMI can talk to that particular PLC. Enforcement points can be moved around the network without requiring manual reconfiguration or reprovisioning, since all of the provisioning is centralized via the MAP.
This is not just a neat thought experiment - it is actually in production deployment on hundreds of endpoints in critical manufacturing lines today!
The Future of Security Automation
We've barely scratched the surface of security automation. For one thing, it goes far beyond access control. Imagine...
- A content management database (CMDB) receives notification of a new device on the network and scans the new endpoint, then updates its data store
- An analysis engine observes some behavior on the network and requires more information about the associated endpoint, so it requests an investigation by another component such as an endpoint profiler or vulnerability scanner
- Carrier routers redirect traffic through deep packet inspection based on suspicious user activity
- A security administrator modifies an existing security policy, or adds a new policy, and various policy servers / sensors are notified, triggering a re-evaluation of the network's endpoints
- An application server publishes a request for bandwidth for a particular user based on the service the user is accessing, and network infrastructure components change QoS settings for those traffic flows based on that request
- An IF-MAP enabled OpenFlow switch controller makes packet-handling decisions based on information from other network components
- An analysis system determines that there's an attack underway; in addition to triggering a response, it notifies security administrators of the attack taking place, populating a dashboard with information to create a "heat map" of the attack
All of these are examples of a common three-step process: sensing, analysis, and response. Security automation is enabled by the abstraction and coordination of these functions across multiple disparate components in the network.
Imagine the power gained by linking together information from all of the various infrastructure and security technologies in a network and using that information to make dynamic, intelligent, automated decisions. That's the true promise of security automation - and the realization of that promise is in its infancy.
With the proliferation of connected devices underpinning new Internet of Things systems, Brandon Schulz, Director of Luxoft IoT – Retail, will be looking at the transformation of the retail customer experience in brick and mortar stores in his session at @ThingsExpo. Questions he will address include: Will beacons drop to the wayside like QR codes, or be a proximity-based profit driver? How will the customer experience change in stores of all types when everything can be instrumented and analyzed? As an area of investment, how might a retail company move towards an innovation methodolo...
Aug. 27, 2015 06:15 PM EDT Reads: 377
As more and more data is generated from a variety of connected devices, the need to get insights from this data and predict future behavior and trends is increasingly essential for businesses. Real-time stream processing is needed in a variety of different industries such as Manufacturing, Oil and Gas, Automobile, Finance, Online Retail, Smart Grids, and Healthcare. Azure Stream Analytics is a fully managed distributed stream computation service that provides low latency, scalable processing of streaming data in the cloud with an enterprise grade SLA. It features built-in integration with Azur...
Aug. 27, 2015 05:45 PM EDT
WebRTC has had a real tough three or four years, and so have those working with it. Only a few short years ago, the development world were excited about WebRTC and proclaiming how awesome it was. You might have played with the technology a couple of years ago, only to find the extra infrastructure requirements were painful to implement and poorly documented. This probably left a bitter taste in your mouth, especially when things went wrong.
Aug. 27, 2015 02:45 PM EDT Reads: 374
As more intelligent IoT applications shift into gear, they’re merging into the ever-increasing traffic flow of the Internet. It won’t be long before we experience bottlenecks, as IoT traffic peaks during rush hours. Organizations that are unprepared will find themselves by the side of the road unable to cross back into the fast lane. As billions of new devices begin to communicate and exchange data – will your infrastructure be scalable enough to handle this new interconnected world?
Aug. 27, 2015 02:15 PM EDT
SYS-CON Events announced today that IceWarp will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. IceWarp, the leader of cloud and on-premise messaging, delivers secured email, chat, documents, conferencing and collaboration to today's mobile workforce, all in one unified interface
Aug. 27, 2015 02:00 PM EDT Reads: 320
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome,” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
Aug. 27, 2015 01:00 PM EDT Reads: 282
Consumer IoT applications provide data about the user that just doesn’t exist in traditional PC or mobile web applications. This rich data, or “context,” enables the highly personalized consumer experiences that characterize many consumer IoT apps. This same data is also providing brands with unprecedented insight into how their connected products are being used, while, at the same time, powering highly targeted engagement and marketing opportunities. In his session at @ThingsExpo, Nathan Treloar, President and COO of Bebaio, will explore examples of brands transforming their businesses by t...
Aug. 27, 2015 11:30 AM EDT
The Internet of Things (IoT) is about the digitization of physical assets including sensors, devices, machines, gateways, and the network. It creates possibilities for significant value creation and new revenue generating business models via data democratization and ubiquitous analytics across IoT networks. The explosion of data in all forms in IoT requires a more robust and broader lens in order to enable smarter timely actions and better outcomes. Business operations become the key driver of IoT applications and projects. Business operations, IT, and data scientists need advanced analytics t...
Aug. 27, 2015 10:45 AM EDT Reads: 310
SYS-CON Events announced today that Micron Technology, Inc., a global leader in advanced semiconductor systems, will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Micron’s broad portfolio of high-performance memory technologies – including DRAM, NAND and NOR Flash – is the basis for solid state drives, modules, multichip packages and other system solutions. Backed by more than 35 years of technology leadership, Micron's memory solutions enable the world's most innovative computing, consumer,...
Aug. 27, 2015 10:00 AM EDT Reads: 117
Through WebRTC, audio and video communications are being embedded more easily than ever into applications, helping carriers, enterprises and independent software vendors deliver greater functionality to their end users. With today’s business world increasingly focused on outcomes, users’ growing calls for ease of use, and businesses craving smarter, tighter integration, what’s the next step in delivering a richer, more immersive experience? That richer, more fully integrated experience comes about through a Communications Platform as a Service which allows for messaging, screen sharing, video...
Aug. 27, 2015 06:15 AM EDT Reads: 505
SYS-CON Events announced today that Pythian, a global IT services company specializing in helping companies leverage disruptive technologies to optimize revenue-generating systems, has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Founded in 1997, Pythian is a global IT services company that helps companies compete by adopting disruptive technologies such as cloud, Big Data, advanced analytics, and DevOps to advance innovation and increase agility. Specializing in designing, imple...
Aug. 26, 2015 08:00 AM EDT Reads: 153
Akana has announced the availability of the new Akana Healthcare Solution. The API-driven solution helps healthcare organizations accelerate their transition to being secure, digitally interoperable businesses. It leverages the Health Level Seven International Fast Healthcare Interoperability Resources (HL7 FHIR) standard to enable broader business use of medical data. Akana developed the Healthcare Solution in response to healthcare businesses that want to increase electronic, multi-device access to health records while reducing operating costs and complying with government regulations.
Aug. 26, 2015 07:00 AM EDT
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
Aug. 3, 2015 06:45 PM EDT Reads: 772
For IoT to grow as quickly as analyst firms’ project, a lot is going to fall on developers to quickly bring applications to market. But the lack of a standard development platform threatens to slow growth and make application development more time consuming and costly, much like we’ve seen in the mobile space. In his session at @ThingsExpo, Mike Weiner, Product Manager of the Omega DevCloud with KORE Telematics Inc., discussed the evolving requirements for developers as IoT matures and conducted a live demonstration of how quickly application development can happen when the need to comply wit...
Aug. 2, 2015 11:15 AM EDT Reads: 538
The Internet of Everything (IoE) brings together people, process, data and things to make networked connections more relevant and valuable than ever before – transforming information into knowledge and knowledge into wisdom. IoE creates new capabilities, richer experiences, and unprecedented opportunities to improve business and government operations, decision making and mission support capabilities.
Aug. 1, 2015 10:00 AM EDT Reads: 467
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Architect for the Internet of Things and Intelligent Systems, described how to revolutionize your archit...
Jul. 30, 2015 07:30 PM EDT Reads: 1,555
MuleSoft has announced the findings of its 2015 Connectivity Benchmark Report on the adoption and business impact of APIs. The findings suggest traditional businesses are quickly evolving into "composable enterprises" built out of hundreds of connected software services, applications and devices. Most are embracing the Internet of Things (IoT) and microservices technologies like Docker. A majority are integrating wearables, like smart watches, and more than half plan to generate revenue with APIs within the next year.
Jul. 30, 2015 02:30 PM EDT Reads: 267
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Opening Keynote at 16th Cloud Expo, Sandy Carter, IBM General Manager Cloud Ecosystem and Developers, and a Social Business Evangelist, d...
Jul. 30, 2015 12:00 PM EDT Reads: 2,213
In his keynote at 16th Cloud Expo, Rodney Rogers, CEO of Virtustream, discussed the evolution of the company from inception to its recent acquisition by EMC – including personal insights, lessons learned (and some WTF moments) along the way. Learn how Virtustream’s unique approach of combining the economics and elasticity of the consumer cloud model with proper performance, application automation and security into a platform became a breakout success with enterprise customers and a natural fit for the EMC Federation.
Jul. 30, 2015 09:00 AM EDT Reads: 2,305
The Internet of Things is not only adding billions of sensors and billions of terabytes to the Internet. It is also forcing a fundamental change in the way we envision Information Technology. For the first time, more data is being created by devices at the edge of the Internet rather than from centralized systems. What does this mean for today's IT professional? In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists addressed this very serious issue of profound change in the industry.
Jul. 29, 2015 03:00 PM EDT Reads: 1,436