Guest blog post by Srividya Kannan Ramachandran
I attended the Carrier Network Security Strategies conference ( #CNSS2015)held by Light Reading in NYC on Dec 2. I also attended the New Jersey Tech Council’s Data Summit (#NJTechCouncil) on Dec 9. The main topics of discussion in the conference were around securing the perimeter of networks and protecting customer, carrier and network data. Here is brief summary of what I learned in these two conferences about managing and operating networks securely and protecting data.
1. The perimeter of a network as we know it does not exist anymore.
The traditional network security paradigm of securing the perimeter of the network so as to not allow malicious users to enter the network has changed now. The explosion of the devices that connect to networks and the mobility aspect they come with makes this securing extremely challenging.
2. Sharing threat intelligence allows for collaboration in developing strategies to identify and combat threats that occur on the internet.
There are many consortiums of companies today that pledge to share threat intelligence so as to make the information world safer. The Cybersecurity Working Group of the CTIA - The Wireless Association in the US, and the European Telecommunications Standards Institute’s Network Function ... are doing a lot of advocacy and development work in the security area.
Christer Swartz from Palo Alto Networks gave a keynote address at CNSS where he talked about a futuristic model where we have the next generation firewall and advanced endpoint protection software talking with not only each other but also with a cloud based service that hosts threat intelligence – call it the threat intelligence cloud.
Chris Richter from Level 3 Communications also delivered a keynote highlighting the benefits of collaboration amongst carriers in a landscape where cyberattacks are increasing in number. He also mentioned a Wall Street Journal news article that describes how Level 3 thwarted a serious global hacking attack.
Chris Bream from Facebook reinforced the same idea of how Openness is key to increased Security. Lack of collaboration hurts companies that try to protect themselves and protect their customers. He talked about Facebook’s Threat Exchange – an API based platform where companies can share threat data. Companies like Netflix and AT&T have been using this platform already. This type of information exchange platform really helps smaller business to thrive because it helps them gain access to knowledge that was otherwise unavailable and very hard to acquire.
3. The players that are thinking about security are:
- Telcos & internet service provider
- IoT Device manufacturers
- OEMs for networking gear
- Enterprise customers
- End user customer
Merely having antiviruses running on equipment connected to your network isn’t going to solve security needs. The Internet of Things is going to bring 8 billion connected devices online by the end of this decade. Experts from around the industry unequivocally agree that about 70% of these IoT devices are not being secured correctly. And if the perimeter of a network is now the perimeter of the internet, then all the players listed above have to think about security.
4. Big Data : Monetize and Protect
There are primarily two things to do with big data: monetize and protect. And both are equally important. No matter what else we do with big data, security and monetization almost always are also in the mix. Even if we are talking about platforms, and algorithms that we use to analyze big data, we are still talking about security when using cloud computing applications or monetization when describing the purpose of the analysis. Even if we talk about storing the data on the cloud, we are actually talking about being able to store and retrieve that data securely, and being able to perform access control and audits on it.
In the Data Summit at NJTC, there was a panel called Monetizing While Securing Big Data and in CNSS, there was a panel called Security: The Future of Monetization Opportunities for Service Providers.
In the former panel, Paul Zikopoulos from IBM shared an interesting quote – “If you are not paying for it, you are the product being sold.” There was a discussion on the massive governance challenges around the ownership of Meta-data in the big data revolution. Tom Mullen from Level 3 elaborated on how owing to, or actually, despite the inflection point in computing, the world is quickly moving from data collection to the data analysis mode.
In the latter panel, the discussion was pivoted around monetizing security as a service (SecAAS). The panelists helped identify that small and medium businesses will require a lot more handholding when implementing SecAAS products on their network, while large enterprises would either have some form of their own security infrastructure and hence could work with a less customized version secAAS product.
I hope this provides you with a summary of all the current and important topics of discussion amongst practitioners in the field.