Software-defined defences - keeping the cyber-risk at bay

Combatting tomorrow's cyber-security threats with yesterday's flawed technology approach is an unreliable strategy, says John Suffolk.


Putting a strong lock on a weak door is unlikely to deter thieves, particularly when there are valuables inside. Yet all too often in the battle against cyber-attacks, businesses do just that: they attach advanced digital security systems to inherently insecure corporate network infrastructures. The result is two-fold. First, those tasked with maintaining enterprise risk registers and ensuring data security are kept awake at night. Second, those keen to embrace next-gen mobility and cloud technologies to generate efficiencies and competitive advantage are left frustrated.

A company's attraction for cyber-criminals rises as the intrinsic value and spread of its digital platforms grow. While the commercial benefits of a company's use of digital platforms exceed the cost of cyber-attacks, evidence remains that some CIOs in Fortune 500 companies view cyber-security as a barrier to incorporating new technologies such as ‘Bring Your Own Device’, social networking and public or hybrid cloud technologies. This is not entirely surprising; most cyber-security strategies today are based more on a defensive or reactive approach than on an offensive methodology.

One CIO recently told me: “We have long worried about the stolen laptop, the files left on trains or the misplaced memory stick carrying sensitive customer records. But now, faced with systematically putting our business into the cloud while ensuring all employees have useful and appropriate access is a much more daunting prospect.” Such a view is not uncommon across many industry sectors today.

Whilst CIOs and defenders of technology infrastructure ponder the right approach to balancing security with agility and innovation, cyber-criminals are becoming increasingly sophisticated operators deploying next generation tools and techniques to infiltrate enterprise-wide networks. For the defenders all is not lost. Next generation networking technology based on software-defined networking, or SDN, can offer enterprises a step change, a new generation defensive arsenal for the CIO, but only when the SDN is engineered from the outset to be inherently secure.

The challenge with today's traditional, legacy networks is they are based on TCP/IP, an inherently insecure architecture developed in the days when ‘hackers’ referred primarily to high-handicap golfers. TCP/IP is an enterprise network's weak door. Even with increasingly stronger digital locks attached, the overall architecture remains vulnerable. This offers encouragement rather than a deterrent to cyber-criminals.

Software-defended networks

Today's SDN-based networks can be developed with security integrated into the design rather than as an overlay or afterthought. Because of this, SDN represents a cyber-security game changer for the industry. The key change is that it can allow the enterprise to actively protect against what security teams call advanced persistent threats (APTs), distributed denial of service (DDoS) attacks, unknown malware and zero-day attacks.

Active SDNs can be designed to continuously monitor for and block vulnerabilities by default, across all network elements, from simple access devices to a range of network elements to the data centre. The key difference is that in an SDN design, the capability can be fully virtualised and embedded. With an SDN, security policies can be created to match the type of service they are designed to protect.

This means CIOs can go on the offensive and secure devices, applications and network elements. Employee access can be actively controlled by time of day, location, time zone and other factors that can be configured into the network through centralised management and control tools. The CIO's priority can now be ensuring useful access rather than the restrictive characteristics of a strategy based on reactive responses.

However, just because the capability exists doesn't mean that all SDNs are being developed with an equal focus on security. Also, there is a significant cyber-security industry that depends on the spread of fear, uncertainty and doubt. If the SDN-based architecture doesn't combine security reputation, big data, sandboxing, as well as other technologies to prevent unknown threats, it's essentially replacing an old weak door with a new weak door, despite the stronger locks being fitted.

Cyber-security is a technical challenge but it is also a human challenge. Every CIO and network security engineer knows only too well about the continuous battle to improve the behaviour of employees to underpin existing security procedures. While this challenge remains, SDNs, for the first time, have the ability to materially transform the technical defences and provide added security capability to protect against human weaknesses.

Less well-recognised, perhaps, is the continued risk of ‘the illusion of security’. The time to ask a vendor searching questions about the integrity and security of an SDN is before purchase. Any SDN architecture or roadmap that promises ‘security measures to follow’ is effectively replicating the flaws, the weak doors with strong locks of the past.

John Suffolk is president of global cyber security and privacy at Huawei, and former CIO and CISO with the UK government.