Welcome!

Cloud Security Authors: Dana Gardner, Peter Silva, Pat Romanski, Dan Potter, Elizabeth White

Related Topics: @CloudExpo, Microservices Expo, Microsoft Cloud, Open Source Cloud, Release Management , Cloud Security

@CloudExpo: Article

Security Automation Connects Silos

The true promise of security automation

A wealth of security information exists in our networks from a variety of sources - policy servers, firewalls, switches, networking infrastructure, defensive components, and more. Unfortunately, most of that information is locked away in separate silos due to differences in products and technologies, as well as by companies' organizational boundaries. Further complicating the issue, information is stored in different formats and communicated over different protocols.

An open standard from the Trusted Computing Group (TCG) offers the capability to centralize communication and coordination of information to enable security automation. The Interface for Metadata Access Points - IF-MAP for short - is like Facebook for network and security technology, allowing real-time sharing of information across a heterogeneous environment.

IF-MAP, part of TCG's Trusted Network Connect (TNC) architecture, makes it possible for any authorized device or system to publish information to a Metadata Access Point (MAP), a clearinghouse for information about who's on the network, what endpoint they're using, how they're behaving, and many other details of the network. Systems can also search the MAP for relevant information and subscribe to any updates to that information. Just as IP transformed communications, IF-MAP revolutionizes the way systems share data.

Security automation is any part of a security system that is able to operate without - or with only limited - administrative involvement. As shown in Figure 1, a security administrator can define a unified security policy that applies to different types of protective mechanisms, such as next-generation firewalls (NGFW), intrusion prevention systems (IPS), unified threat management (UTM) systems, and more. Best-of-breed components from multiple vendors can share information using a standard information bus.

Figure 1: Effective security automation includes several protection mechanisms.

This coordination can extend beyond front-line access control products to back-end systems such as authorization databases, virtualization technology, and reputation systems. A policy server might create and modify policy based completely on the information received from other resources in the environment.

Logs from multiple sources can be collected and correlated by a security information and event management (SIEM) system, which itself acts as both a consumer of information and a provider of real-time intelligence based on that information. Security operations personnel can easily oversee activities in the network and provide human intervention in cases where full automation may not be achievable or desirable. Security automation enhances fundamental security solutions, adding dynamic, responsive, intelligent decision-making.

Establishing Network Trust
One of the basic solutions enabled by the TNC architecture is Comply to Connect, which incorporates Network Access Control (NAC) principles - an endpoint must first show its compliance with selected endpoint health requirements before being granted access to the network. Figure 2 shows a common Comply to Connect scenario.

Figure 2: The TNC architecture enables evaluation and enforcement of compliance at admission.

The endpoint, on the left, is a device attempting to access a protected network. The enforcement point is a guard that grants or denies access based on instructions from the policy server. The policy server is really the brains of the operation; it looks at the configured policy and decides what level of access should be granted. Then it informs the enforcement point, which executes those instructions.

Many enforcement options exist; the example in Figure 2 shows a wireless access point and a switch, but environments may also use a firewall or a virtual private network (VPN) gateway. Each of these has its own pros and cons; for example, a wireless access point with 802.1X can totally block unauthorized users. But while it provides admission control, it doesn't offer enforcement deeper in the network. For that reason, most NAC solutions support a combination of different enforcement points, which can be used individually or in combination.

The security policy controlling the compliance check shown in Figure 2 is quite simple: every Windows 7 endpoint on the network must have a self-encrypting drive (SED), up-to-date anti-virus protection, and a personal firewall. When a new Windows 7 endpoint comes on the network, the enforcement point will query it and then consult the policy server. If the endpoint complies with security policy, it is given access to the production network. Another endpoint that does not have an SED may be given only limited access to the network. That way, if either endpoint is lost or stolen, protected information is only on the endpoint that could store it securely on an SED.

Expanding Network Trust Evaluation
Behavior monitoring is another way to evaluate an endpoint. Many security-related sensor devices are already deployed in networks to monitor behavior: intrusion detection systems, leakage detection systems, endpoint profiling systems, and more. The TNC architecture lets users integrate those existing systems with each other and with the NAC solution by sharing information via a MAP.

Figure 3 shows an approach to check behavior. Security sensors in the network monitor behavior, and a security policy identifies acceptable behavior.

Figure 3: Behavior checking enables automated response to changes in the endpoint's activity.

Once an endpoint has connected to the network, even if it has passed authentication and compliance checks, it could behave in an unauthorized fashion. If the endpoint starts violating security policy by trying to spread a worm, that traffic is detected and stopped by an IPS sensor.

Even more important, that sensor publishes information to the MAP about the attack it stopped. The MAP notifies the policy server, which evaluates its security policy and instructs the enforcement point to move the endpoint to a remediation network until it can be addressed.

The end result is an entire network security system that is working together. Each part performs its function, and each piece is integrated with the whole using the open IF-MAP standard.

Extending Security to Mobile Devices
TNC standards have enabled NAC to evolve into a foundation technology for business requirements such as mobile security and Bring Your Own Device (BYOD). A common scenario in today's connected world occurs when a mobile user accesses the Internet and social networks on a personal device, such as a smartphone, which they also use to access their corporate network. If the smartphone inadvertently becomes infected with malware, corporate data on that device is now at risk. And it's even worse when the user connects their smartphone to the corporate network; the attacker, who has taken control of the device, can access sensitive information.

This situation occurs when a company's security team lacks the tools to accommodate employees using their own consumer devices to improve productivity. Without the appropriate technology, the IT team cannot:

  • detect malware on the mobile device
  • protect the user from cloud-based threats
  • control access based on user identity, device, and location
  • coordinate security controls to protect sensitive information

This clearly needs a new approach!

Addressing the new requirements of BYOD and providing broad protection involves flexible deployment models that can be tailored to individual environments and security context, and coordination to keep users protected against the dynamic threat landscape.

Security automation makes it possible to detect and address compromised mobile devices; protect the user from malicious sites and applications; restrict network and resource access based on user identity, device, and location; and correlate endpoint activity monitoring across the corporate network infrastructure.

Leveraging Standard Network Security Metadata
These capabilities are enabled by TNC's standardization of basic metadata for network security. Metadata is the information stored in a MAP, representing anything that is known about the network: traffic flows, scan results, user authentications, or other events. In the case above, metadata represents information about network components and applicable security policies. The MAP is a clearinghouse for metadata; MAP clients can publish metadata to it, search it for specific metadata, and/or subscribe to metadata about endpoints in the network.

These inquiries include common things that it might be helpful to know about an endpoint - the type of device, identity of the user operating the device, role assigned to that user, association between the MAC address and IP address of the endpoint, location of the endpoint, and any events related to that endpoint.

Extending Security Automation to Other Use Cases
While standard metadata is useful for out-of-box interoperability, much more information about an endpoint or a network is available. IF-MAP can be extended by creation of vendor-specific metadata, similar to Vendor-Specific Attributes (VSAs) in RADIUS, enabling anyone to publish anything that can be expressed in XML!

Imagine a manufacturing line, where a physical process is controlled by a digital component called a Programmable Logic Controller (PLC). An operator display panel, the Human Machine Interface (HMI), is typically physically remote from the actual process that needs monitoring. As changes in the process occur, the operator display updates in real-time.

Many HMIs use a legacy protocol called Modbus to poll the PLC, retrieve these process variables, and display them. Originally designed to be run over a serial connection, Modbus has been ported to TCP. One of the problems with the Modbus protocol and many others in this space is that there are zero security features in the protocol - no authentication, no authorization - which means no way of knowing whether a requestor is authorized to gain access requested, or even who is sending data the request. If an endpoint (or intruder) can ping the PLC, it can issue commands to it!

Many control systems components operate this way. Until now, they have been small islands of automation with very little interconnection to other systems. Running over a serial bus required physical serial connections - typically, the operator had to be present in front of the machine to affect it, so physical security was sufficient. And once these systems are in place, they are designed to stay in production for decades. So now these systems are getting more and more interconnected with the enterprise network - and, by extension, to external networks - and they encounter the same types of security issues as enterprise systems.

Overlaying Security onto Industrial Control Systems
A single manufacturing line could have hundreds, or even thousands, of these PLCs. Replacing them is out of the question, as is retro-fitting them to add on security. But what if a transparent security overlay was inserted to protect these legacy components?

Deployment and lifecycle management for such an overlay would be a huge challenge - unless there was a mechanism for provisioning certificates, communication details, and access control policies to the overlay components. That's exactly what one manufacturing company has done with IF-MAP, by using vendor-specific metadata for provisioning of certificate information and access control policy, as shown in Figure 4.

Figure 4: IF-MAP enabled security overlay protects industrial control system components.

The first step is to add the overlay protection. In this case, the enforcement points are customized components, designed for Supervisory Control And Data Acquisition (SCADA) networks, that can create an OpenHIP "virtual private LAN" on top of standard IP networks. This requires no changes to the underlying network, protects communications between SCADA devices, and is completely transparent to the protected SCADA devices.

A MAP and a provisioning client enable centralized deployment, provisioning, and lifecycle management for the myriad enforcement points. The provisioning client publishes metadata to the MAP to define the HMIs and PLCs and to specify security policies that allow them to talk to each other, but do not allow external access to them.

For example, when an HMI comes into the network and queries for a PLC, the HMI does an Address Resolution Protocol (ARP) lookup. The enforcement point receives that traffic, searches the MAP, and finds the access control policy determining whether this specific HMI can talk to that particular PLC. Enforcement points can be moved around the network without requiring manual reconfiguration or reprovisioning, since all of the provisioning is centralized via the MAP.

This is not just a neat thought experiment - it is actually in production deployment on hundreds of endpoints in critical manufacturing lines today!

The Future of Security Automation
We've barely scratched the surface of security automation. For one thing, it goes far beyond access control. Imagine...

  • A content management database (CMDB) receives notification of a new device on the network and scans the new endpoint, then updates its data store
  • An analysis engine observes some behavior on the network and requires more information about the associated endpoint, so it requests an investigation by another component such as an endpoint profiler or vulnerability scanner
  • Carrier routers redirect traffic through deep packet inspection based on suspicious user activity
  • A security administrator modifies an existing security policy, or adds a new policy, and various policy servers / sensors are notified, triggering a re-evaluation of the network's endpoints
  • An application server publishes a request for bandwidth for a particular user based on the service the user is accessing, and network infrastructure components change QoS settings for those traffic flows based on that request
  • An IF-MAP enabled OpenFlow switch controller makes packet-handling decisions based on information from other network components
  • An analysis system determines that there's an attack underway; in addition to triggering a response, it notifies security administrators of the attack taking place, populating a dashboard with information to create a "heat map" of the attack

All of these are examples of a common three-step process: sensing, analysis, and response. Security automation is enabled by the abstraction and coordination of these functions across multiple disparate components in the network.

Imagine the power gained by linking together information from all of the various infrastructure and security technologies in a network and using that information to make dynamic, intelligent, automated decisions. That's the true promise of security automation - and the realization of that promise is in its infancy.

More Stories By Lisa Lorenzin

Lisa Lorenzin is a member of the TNC Work Group at Trusted Computing Group and a Principal Solutions Architect at Juniper Networks.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
Almost two-thirds of companies either have or soon will have IoT as the backbone of their business in 2016. However, IoT is far more complex than most firms expected. How can you not get trapped in the pitfalls? In his session at @ThingsExpo, Tony Shan, a renowned visionary and thought leader, will introduce a holistic method of IoTification, which is the process of IoTifying the existing technology and business models to adopt and leverage IoT. He will drill down to the components in this fra...
Data is an unusual currency; it is not restricted by the same transactional limitations as money or people. In fact, the more that you leverage your data across multiple business use cases, the more valuable it becomes to the organization. And the same can be said about the organization’s analytics. In his session at 19th Cloud Expo, Bill Schmarzo, CTO for the Big Data Practice at EMC, will introduce a methodology for capturing, enriching and sharing data (and analytics) across the organizati...
Why do your mobile transformations need to happen today? Mobile is the strategy that enterprise transformation centers on to drive customer engagement. In his general session at @ThingsExpo, Roger Woods, Director, Mobile Product & Strategy – Adobe Marketing Cloud, covered key IoT and mobile trends that are forcing mobile transformation, key components of a solid mobile strategy and explored how brands are effectively driving mobile change throughout the enterprise.
With so much going on in this space you could be forgiven for thinking you were always working with yesterday’s technologies. So much change, so quickly. What do you do if you have to build a solution from the ground up that is expected to live in the field for at least 5-10 years? This is the challenge we faced when we looked to refresh our existing 10-year-old custom hardware stack to measure the fullness of trash cans and compactors.
The emerging Internet of Everything creates tremendous new opportunities for customer engagement and business model innovation. However, enterprises must overcome a number of critical challenges to bring these new solutions to market. In his session at @ThingsExpo, Michael Martin, CTO/CIO at nfrastructure, outlined these key challenges and recommended approaches for overcoming them to achieve speed and agility in the design, development and implementation of Internet of Everything solutions wi...
Cloud computing is being adopted in one form or another by 94% of enterprises today. Tens of billions of new devices are being connected to The Internet of Things. And Big Data is driving this bus. An exponential increase is expected in the amount of information being processed, managed, analyzed, and acted upon by enterprise IT. This amazing is not part of some distant future - it is happening today. One report shows a 650% increase in enterprise data by 2020. Other estimates are even higher....
Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like “How is my application doing” but no id...
Smart Cities are here to stay, but for their promise to be delivered, the data they produce must not be put in new siloes. In his session at @ThingsExpo, Mathias Herberts, Co-founder and CTO of Cityzen Data, will deep dive into best practices that will ensure a successful smart city journey.
DevOps at Cloud Expo, taking place Nov 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 19th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long dev...
Identity is in everything and customers are looking to their providers to ensure the security of their identities, transactions and data. With the increased reliance on cloud-based services, service providers must build security and trust into their offerings, adding value to customers and improving the user experience. Making identity, security and privacy easy for customers provides a unique advantage over the competition.
SYS-CON Events announced today that 910Telecom will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Housed in the classic Denver Gas & Electric Building, 910 15th St., 910Telecom is a carrier-neutral telecom hotel located in the heart of Denver. Adjacent to CenturyLink, AT&T, and Denver Main, 910Telecom offers connectivity to all major carriers, Internet service providers, Internet backbones and ...
Internet of @ThingsExpo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 19th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devices - comp...
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, will discuss the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
There is growing need for data-driven applications and the need for digital platforms to build these apps. In his session at 19th Cloud Expo, Muddu Sudhakar, VP and GM of Security & IoT at Splunk, will cover different PaaS solutions and Big Data platforms that are available to build applications. In addition, AI and machine learning are creating new requirements that developers need in the building of next-gen apps. The next-generation digital platforms have some of the past platform needs a...
19th Cloud Expo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterpri...
SYS-CON Events announced today Telecom Reseller has been named “Media Sponsor” of SYS-CON's 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
Pulzze Systems was happy to participate in such a premier event and thankful to be receiving the winning investment and global network support from G-Startup Worldwide. It is an exciting time for Pulzze to showcase the effectiveness of innovative technologies and enable them to make the world smarter and better. The reputable contest is held to identify promising startups around the globe that are assured to change the world through their innovative products and disruptive technologies. There w...
The 19th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Digital Transformation, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportuni...
I wanted to gather all of my Internet of Things (IOT) blogs into a single blog (that I could later use with my University of San Francisco (USF) Big Data “MBA” course). However as I started to pull these blogs together, I realized that my IOT discussion lacked a vision; it lacked an end point towards which an organization could drive their IOT envisioning, proof of value, app dev, data engineering and data science efforts. And I think that the IOT end point is really quite simple…
Personalization has long been the holy grail of marketing. Simply stated, communicate the most relevant offer to the right person and you will increase sales. To achieve this, you must understand the individual. Consequently, digital marketers developed many ways to gather and leverage customer information to deliver targeted experiences. In his session at @ThingsExpo, Lou Casal, Founder and Principal Consultant at Practicala, discussed how the Internet of Things (IoT) has accelerated our abil...