Thursday, December 4, 2014

Blueprint: Building an IT Security Road Map to Avoid Cyber Attacks

by Matthew Goche
Will you be (or have you been) the subject of a headline? The victim of a damaging cyber attack or intrusion? If you’ve avoided it, count yourself lucky. But if you’ve already been victimized, you aren’t alone. It appears that such attacks and data breaches are practically inevitable today.
However, help is at hand. Organizations can build a strong IT security road map to counter – and, more importantly, prevent – what has grown from an occasional hacking attempt into today’s constant bombardment by savvy cyber gangs.
Consider this your Cybersecurity Roadmap and Toolkit
The first priority is to perform an initial gap analysis. This will identify weaknesses in your network and other IT infrastructure defenses. It helps you locate where the starting point is, where to spend your time and where you need to improve.
As my colleague Chris Sell advised in a recent article on information security gap analysis, you should compare your security program as it stands versus overall best security practices. This will help pinpoint vulnerabilities and risks. Also, have a clear understanding of the security threats you should be looking for or may find.
In addition, develop a security organizational chart that clearly outlines all participants’ roles and responsibilities to disarm intruders. This is vital because today’s security world has become much more complicated. There’s more hardware and software to monitor – period. Regulators also have become much more in-your-face about protecting their constituents, who likely are your customers and whom you are protecting – especially if you’re in the financial services, retail and health-care sectors. Auditors, too, have higher thresholds when they examine operations.
Identify your ‘Security Chieftain’
In developing that security chart, first identify the ‘security chieftain’ empowered to lead this group. If you have a chief information security officer (CISO), this is likely your leader. If you’re a smaller organization without a CISO, tap someone with authority – someone who has a seat at the executives’ table but who also doesn’t have a blatant conflict of interest.
The chief information officer (CIO) is fine, unless she or he also holds the CISO role. If an IT professional is responsible for uptime of applications, that person shouldn’t be the security chief because of an inherent conflict. Too many pressures exist in terms of uptime and innovation that can influence that individual’s mindset. In these cases, the security chief’s role usually falls to the lead infrastructure specialist. 
Be sure to build in checks and balances. If the organization chart lists the person responsible for managing a firewall device, also include the person ensuring the firewall device is managed correctly. At every stage, insert an additional layer of control.
Consider including someone who deals with risk on a broader basis. A trend has begun that converges security roles and budgets into the same hub that oversees continuity and recovery roles and budgets. An organization will likely reap real benefits by assessing the different categories of risk, judging each on its merits while measuring them together. In doing this, you can distill a clear understanding of overall risks and risk tolerance and invest accordingly in business continuity and data recovery.
Find a Hacker and Let Him Loose
Here’s a revolutionary suggestion – but a good one. Appoint your own internal hacker to poke holes in your IT systems, identifying vulnerabilities and seeking ways to strengthen those weak links. Initially, when enterprises searched for a third-party internal hacker, they could find few candidates without criminal records.
Today, an increase in ethical training grounds has boosted the number of legitimate IT professionals trained to take on that role. Since most organizations don’t have an IT professional trained for such duties, it’s best to look to a third-party source.
Next, develop a clear methodology that allows for testing of the basics. Why? Because most successful attacks reflect a basic element that wasn’t followed. Also, inject methodologies that test for the latest malware and other threats that can cause outages.
Develop a plan for “application interdependence” that identifies where third-party vendors leave companies the most vulnerable to be hacked. Some of the most recent major cyber intrusions involved the attackers getting into an enterprise’s system through a vulnerable third-party security weakness. Target’s data breach late last year is an example.
Retain an external consultancy or partnership with expertise in business continuity/disaster recovery or in the regulatory/compliance sectors. This firm can review your security processes and test the resiliency and compliance of your IT infrastructure.
Consider identifying a partnership with a managed security services provider that, basically, can serve to augment your current resources. Its IT professionals can provide 24/7 eyes and ears monitoring your environment and looking for the gaps and weaknesses in your defenses.  
This managed security services provider is performing, not reviewing, operations. These providers do this for a living, so their specialists maintain constant communication with law-enforcement agencies, perhaps global in nature, that identify new types of security attacks cropping up somewhere and advise companies and organizations to watch out for them.
While you can never be certain you’ll be completely safe from a cyber attack, you can definitely take measures that will make it more difficult for today’s sophisticated cyber thieves to crack the safe.
Plan. Prepare. Prevent. These three Ps can lead to a hopeful outcome that also begins with a fourth P: Peace. 
About the Author
Matthew Goche is director of Security Consulting at Sungard Availability Services, which helps clients keep mission-critical information and applications available, recoverable and secure.   


ON.Lab Releases its Open Source SDN Network Operating System

The Open Networking Lab, ON.Lab, and leading service providers, including AT&T, NTT Communications and key vendors, are releasing an open source SDN Open Network Operating System (ONOS) for Service Providers that enables agile service creation and deployment at scale on any hardware, including white boxes.

ONOS will be available for download starting later today, Friday, Dec. 5.

ONOS features a highly available, scalable SDN control plane with northbound and southbound open APIs and paradigms for a diversity of management, control, and service applications across mission critical networks. ON.Lab said it was architected to provide high availability, scalability, performance and rich northbound and southbound abstractions.

Key features of the first ONOS release include:

  • A clean-slate, clustered, modular architecture with distributed core for high availability, performance and scale-out
  • Application Intent Framework providing a high-level policy driven, network-agnostic programmatic abstraction and interface
  • Pluggable southbound for supporting a diversity of devices and protocols
  • OpenFlow 1.3 and 1.0 support
  • GUI for visualization, visibility and configuration
  • Apache Karaf for modularity, customization and extensibility
  • Service provider use cases to demonstrate capabilities such as:
    * Multilayer SDN control for packet-optical networks
    * SDN-IP for seamless peering of SDN islands within legacy networks
    * Proof of concept Network Functions as a Service (NFaaS)
    * SDN-based WAN control with segment routing (developed with ONF)
  • Developer and end-user on-boarding resources
  • QA infrastructure and processes
  • Black Duck audit certifying usability and cleanliness of open source ONOS codebase

"The ONOS project partnership was formed with a unique blend of service providers, vendors and ON.Lab to accelerate the adoption of SDN by providers," said Bill Snow, vice president of Engineering at ON.Lab. "A highly available and scalable open source SDN OS platform will help transform service provider networks by delivering significant CapEx and OpEx savings and enabling new revenue-generating services. The first release of ONOS is the start of the journey towards service provider network transformation."

"2015 will be a pivotal year for the open source ONOS project," said Guru Parulkar, executive director of ON.Lab. "We will grow the ONOS community, harden and enhance the current architecture and code, and focus all of our efforts on accelerating SDN adoption in service provider and mission critical networks."

Founding members who are funding and contributing to the ONOS initiative include AT&T, NTT Communications, Ciena, Fujitsu, Huawei, Intel, NEC; and members who are collaborating and contributing to ONOS include Infoblox, SRI, Internet2, CNIT and Create-Net.

Cisco Teams with IBM on VersaStack Data Center Solution

Cisco and IBM are teaming up to offer an integrated data center solution that combines Cisco UCS Integrated Infrastructure with the IBM Storwize storage system.

The new VersaStack solution, which will be sold through business partners, is aimed at cloud, big data and analytics, and mobility deployments. Specifically, the VersaStack solution includes the Cisco Unified Computing System (UCS), ACI-ready Cisco Nexus 9000 switches, Cisco MDS switches, Cisco UCS Director, and the IBM Storwize V7000 storage system.

Over time, the platform will be optimized for IBM business applications, while integrating Cisco innovations such as Cisco Application Centric Infrastructure (ACI) and Cisco Intercloud Fabric.

"VersaStack will help our mutual customers streamline deployment and operation of their IT infrastructure. It will also provide a foundation for innovation between Cisco and IBM—from mobility and data analytics to Intercloud and application centric infrastructure," stated Satinder Sethi, Vice President, Data Center Solutions, Cisco.

"As cloud, mobile, and big data continue to challenge and transform data centers, more organizations are turning to innovative solutions, like the VersaStack, for help," said Laura Guio, Vice President, Business Line Executive Storage Systems, IBM.

  • In October, EMC agreed to take over VCE as Cisco agreed to sell all but 10% of its equity stake in the joint venture to EMC. VCE was the joint venture formed in 2009 by Cisco and EMC with investments from VMware and Intel. VMware is a subsidiary of EMC. Going forward, VCE will be a subsidiary of EMC and will serve as "an integration point for technologies from across the company." VCE's flagship product is its Vblock Systems, a converged infrastructure offering that combines VMware vSphere software running on Cisco Unified Computing Systems (UCS) connected with Cisco Nexus switches, attached to EMC Symmetrix storage. More than 1,000 enterprises and service providers have deployed over 2,000 Vblock Systems worldwide.

Juniper and VMware Extend Collaboration

Juniper Networks and VMware have closely aligned their private cloud products and sales teams to support customers in the APAC region. The companies said their increased collaboration will provide the following:

  • Interoperable products, which are available in APAC today, to deliver smart forwarding across physical and virtual infrastructures and provide end-to-end visibility and management of physical and virtualized infrastructures from a single pane of glass. These include:

    * Layer 2 Gateway Services for VMware NSX certified on the Juniper Networks' MX Series 3D Universal Edge Routers to enable seamless bridging between virtual and physical environments.

    * Full VXLAN routing on the EX9200 and MX Series platforms to extend virtual networks seamlessly across multiple data centers. This capability leverages custom silicon and employs native L3 capabilities on EX9200 and MX platforms for connectivity of L3 LANs and WANs at wire speed, effectively making VXLAN a fully functioning replacement for legacy VLANs.

    * Juniper Networks' Junos Space Network Director, layered with VMware vCenter, enables discovery, management and monitoring of virtual networks including vCenter servers, hosts, VMs and virtual switches. It also provides detailed virtual-to-physical network connectivity information. This will help ensure consistency and visibility across virtual and physical networks.
  • A proof-of-concept (POC) lab that will be open to customers for the purposes of conducting testing and analysis of the interoperable VMware NSX and MetaFabric solution.

"While it is no secret that the entire IT landscape is undergoing a dramatic shift toward mobile applications delivered from the cloud, nobody should underestimate the challenge this represents to data center operations. Together with Juniper Networks, we have a strong focus on addressing data center complexity by leveraging the power of network virtualization to radically simplify IT, while delivering services at the speed of today's business," stated Sanjay Mirchandani, senior vice president and general manager, Asia Pacific and Japan, VMware.

HP and Alcatel-Lucent Expand Alliance

HP and Alcatel-Lucent are expanding their global alliance to include selected Alcatel-Lucent IP routing and optical products in HP's existing routing and storage portfolios.

Specifically, HP Storage will extend its solutions between datacenters to provide joint HP and Alcatel-Lucent customers with fully validated end-to-end business continuity and disaster recovery capabilities. The companies have certified long distance synchronous, low-latency replication using HP 3PAR Remote Copy for distances up to 130 kilometers. The solution components include HP 3PAR StoreServ Storage, HP 3PAR Remote Copy software, HP StoreFabric Storage Networking and Alcatel-Lucent 1830 PSS optical products.

HP Networking is also expanding its WAN router portfolio for large organizations with the targeted adoption of selected Alcatel-Lucent carrier-grade routers.

Under their previously announced alliance, Alcatel-Lucent has comprehensively adopted HP IT technologies and HP supply chain efficiencies. Alcatel-Lucent has also recently joined HP's Early Access Forum for HP Helion, HP's open-source, distributed cloud computing platform based on OpenStack technology.

"HP and Alcatel-Lucent's expanded alliance demonstrates our deep joint commitment to help large organizations and service providers transform and disrupt their respective industries and markets," said Antonio Neri, senior vice president and general manager, HP enterprise group. "We do this by taking each other's best-in-class flagship products from our respective IT and networking portfolios, to deliver a unique set of data center and network solutions that reduce complexity, lower OPEX and boost agility to accelerate innovation of new products and services."

"This expanded alliance with HP allows us to continue doing what we do best -- building networks that help meet our customers' objectives. And it will allow us to leverage the strengths of both companies to increase the value we deliver to those customers," said Basil Alwan, President, Alcatel-Lucent IP Routing and Transport. "Together, we will continue to innovate and offer large enterprises and service providers the industry's most agile and flexible solutions with the right performance and economics for the cloud era."

  • HP and Alcatel-Lucent first announced their global alliance in June 2009.

Brocade Partners With Mirantis on OpenStack

Brocade announced a partnership with Mirantis to provide cloud service providers with a new turnkey, OpenStack-based, on-demand data center solution.

Mirantis, which is a start-up based in Mountain View, California, offers software and services for running production-grade OpenStack clouds. Its solution provides a visual interface as a single control plane for OpenStack clusters and enables automated hardware discovery and network verification.

Brocade said it is building on the Mirantis OpenStack platform and Fuel, an open source deployment automation tool for OpenStack, to enable multitenant network orchestration across the data center. Brocade also provides additional network services to OpenStack environments with the Brocade Virtual ADX and Brocade Vyatta vRouter offerings. Both of these offerings will be certified with Mirantis OpenStack 5.x in the near future.

Brocade also announced that the company's OpenStack plugin for Brocade VDX Switches is now certified for Mirantis OpenStack.

"Cloud service providers face a number of challenges in hosting modern data centers that hinder innovation, including the lack of automation, limited resources, and high costs. To address this, Brocade and Mirantis have partnered to provide a best-in-class solution for cloud service providers based on Mirantis OpenStack distribution and Brocade networking technology -- all designed to support the ever-increasing demands of cloud environments," said Jason Nolet, Vice President Data Center and Enterprise Networking, Brocade.

  • In October, Mirantis raised $100 million for its pure-play OpenStack solutions.
    For this round, Insight Venture Partners was joined by August Capital, as well as existing investors Intel Capital, WestSummit Capital, Ericsson, and Sapphire Ventures (formerly SAP Ventures). Alex Crisses, managing director at Insight Venture Partners, will join the Mirantis board of directors.

    Mirantis has helped more than 130 customers implement OpenStack – including Comcast, DirecTV, Ericsson, Expedia, NASA, NTT Docomo, PayPal, Symantec, Samsung, WebEx and Workday. Among these is the largest OpenStack deal on record: a five-year software licensing agreement with Ericsson. Mirantis is also the largest provider of OpenStack products and services for the telecommunications industry, serving Huawei, NTT Docomo, Orange, Pacnet, Tata Communications, and others.

Cinia Plans Terabit-class Cable from Finland to Germany with ALU

Cinia Group (previously Corenet), a Finnish Government-owned venture, has selected Alcatel-Lucent to deploy a terabit-class undersea cable system linking Finland and Germany.

The project, named Sea Lion, calls for the deployment of a new 100G system that will span more than 1,100 km from Helsinki in Finland, to the Rostock-Ribnitz area in Germany. It will have a design capacity of 15 Terabits per second (Tbps) and is expected to enter service in early 2016.

Philippe Dumont, President of Alcatel-Lucent Submarine Networks, said: “We are delighted to support the Cinia Group in its rollout of this new cable system, which will be a catalyst to strengthen global digital connectivity. Alcatel-Lucent’s 100G undersea technology will boost the speed and security of Finland’s infrastructure, building a strong digital cluster for data center connections.”

Institutional investors Ilmarinen and OP Financial Group's insurance and pension affiliates are matching the Finnish government's EUR 20 million investment for a total of EUR 40 million capitalization.

IBM and Docker Announce Strategic Partnership

IBM and Docker announced a strategic partnership.

The Docker platform will make it easier for enterprises to build and run the next generation of applications on the IBM Cloud and on premises. The idea is to develop portable, distributed applications that are rapidly composed of discrete interoperable Docker containers, have a dynamic lifecycle, and can scale to run in concert anywhere from the developer’s laptop to hundreds of hosts in the cloud.

IBM will be a premier provider of Docker Hub Enterprise (DHE).

“This partnership with IBM is a great win for the rapidly growing number of enterprises that see Docker as the foundation for a new generation of business critical distributed applications,” said Ben Golub, CEO of Docker. “IBM’s commitment to delivering enterprise-grade Docker native solutions will drive dynamic, new business initiatives for enterprises through portable, highly dynamic Docker-based applications.”

Bidding for AWS-3 Spectrum Tops $40.7 Billion

After 49 rounds, bidding in the FCC's Advanced Wireless Services (AWS-3) auction has reached $40.7 billion.

A total of 1,614 licenses are up for auction, covering 65 MHz of spectrum in the 1695-1710 MHz, 1755-1780 MHz, and 2155-2180 MHz bands (the "AWS-3" bands).

The 1695-1710 MHz band is authorized for low-power mobile transmit (i.e., uplink) operations only. The 1755-1780 MHz frequencies in the paired 1755-1780/2155-2180 MHz band are authorized only for low-power mobile transmit (i.e., uplink) operations; the 2155-2180 MHz frequencies are authorized only for base station and fixed (i.e., downlink) operations. Mobiles and portables in the 1695-1710 MHz and 1755-1780 MHz bands may only operate when under the control of a base station, and AWS-3 equipment is subject to a basic interoperability requirement.