Cisco CTO Bret Hartman on how to secure BYOD, wearable tech

BYOD and wearable devices are two of the trends that have emerged in recent years. As these devices make their way onto the corporate network, the inevitable question for security administrators and executives is how they, along with emerging technologies such as software defined networking (SDN), affect enterprise security.

To better understand this, we approached Bret Hartman, a veteran of the enterprise security field, for his take. Hartman joined Cisco late last year as the CTO of the company's Security Technology Group, and was the CTO of security vendor RSA before that.

FCIO: BYOD is here to stay. How should enterprises prepare to manage it?

BH: Here are four steps enterprises can take towards managing BYOD.

  • Use cryptographic certificates to ensure enterprise access is coming from a known mobile device.
  • Use mobile device management (MDM) and mobile application management (MAM) tools to ensure that the mobile device is properly configured with a trustworthy operating system and set of applications that maintain separation of user and corporate data.
  • Use strong authentication mechanisms to ensure that the user is who he or she claims to be.
  • Use contextual information based on who/what/where/when/how data points to decide whether the user should be allowed on the network. Services like the Cisco Identity Services Engine address this need for the enterprise in a flexible, dynamic way.
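The four steps above compose naturally into a single admission decision, and the order matters: an unknown certificate is refused before posture is even consulted, and context can only narrow what a compliant, strongly authenticated device gets. The following is an editor's added example, not Cisco code, not a Cisco ISE policy and not part of Hartman's answer. All device records, requests and policy tables are constructed sample data, and field names such as `geo`, `network` and `work_container` are assumptions made for the illustration.

```python
"""Context-aware BYOD admission check that applies the four steps above in order.

Editor's added example: not Cisco code, not Cisco ISE policy and not part of the
interview. Every device record, request and policy table is constructed sample
data; field names such as `geo`, `network` and `work_container` are assumptions
made for this illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def cert_fingerprint(cert_der: bytes) -> str:
    """Step 1 lookup key: SHA-256 over the client certificate the EAP-TLS/TLS layer
    presented. A real deployment hashes the DER bytes; here they are constructed."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class DeviceRecord:
    owner: str                    # user the device certificate was issued to
    cert_not_after: datetime      # certificate expiry
    revoked: bool = False
    managed: bool = False         # Step 2: enrolled in MDM/MAM
    os_patched: bool = False      # MDM-reported OS baseline met
    work_container: bool = False  # corporate data kept apart from personal data


@dataclass
class AccessRequest:
    user: str
    cert_der: bytes
    auth_method: str   # "password" or "mfa"          (Step 3)
    geo: str           # country code of the client   (Step 4: where)
    network: str       # "corp-wifi", "public", ...   (Step 4: how)
    hour_utc: int      # 0-23                         (Step 4: when)
    resource: str      # "email", "hr-db", ...        (Step 4: what)


# Constructed policy tables for the example.
TRUSTED_NETWORKS = {"corp-wifi", "corp-vpn"}
SENSITIVE_RESOURCES = {"hr-db", "source-code"}
RESTRICTED_GEOS = {"ZZ"}          # placeholder code standing in for a travel-risk list
BUSINESS_HOURS_UTC = range(6, 22)


def decide(req: AccessRequest, registry: Dict[str, DeviceRecord],
           now: datetime) -> Tuple[str, List[str]]:
    """Return (verdict, reasons). Verdicts from most to least restrictive:
    deny, quarantine (enrolment portal only), limited (no sensitive data), allow."""
    reasons: List[str] = []

    # Step 1: known, unrevoked, unexpired certificate bound to the requesting user.
    dev = registry.get(cert_fingerprint(req.cert_der))
    if dev is None:
        return "deny", ["device certificate not enrolled"]
    if dev.revoked:
        return "deny", ["device certificate revoked"]
    if dev.cert_not_after <= now:
        return "deny", ["device certificate expired"]
    if dev.owner != req.user:
        return "deny", ["certificate issued to a different user"]

    # Step 2: MDM/MAM posture. Unmanaged or non-compliant devices reach only the
    # enrolment/remediation portal.
    if not dev.managed:
        return "quarantine", ["device not enrolled in MDM"]
    if not (dev.os_patched and dev.work_container):
        return "quarantine", ["device posture non-compliant"]

    # Step 3: strong authentication off the trusted network and for sensitive resources.
    needs_mfa = req.network not in TRUSTED_NETWORKS or req.resource in SENSITIVE_RESOURCES
    if needs_mfa and req.auth_method != "mfa":
        return "deny", ["strong authentication required in this context"]

    # Step 4: who/what/where/when/how context narrows access; it never widens it.
    verdict = "allow"
    if req.geo in RESTRICTED_GEOS:
        verdict, reasons = "limited", reasons + ["restricted geography"]
    if req.hour_utc not in BUSINESS_HOURS_UTC and req.network not in TRUSTED_NETWORKS:
        verdict, reasons = "limited", reasons + ["off-hours access from untrusted network"]
    if verdict == "limited" and req.resource in SENSITIVE_RESOURCES:
        return "deny", reasons + ["sensitive resource unavailable under limited access"]
    return verdict, reasons


# Constructed registry: one compliant device and one with a failed posture check.
NOW = datetime(2014, 3, 1, 12, 0, tzinfo=timezone.utc)
GOOD_CERT = b"constructed-der-bytes-alice-phone"
STALE_CERT = b"constructed-der-bytes-bob-tablet"
REGISTRY = {
    cert_fingerprint(GOOD_CERT): DeviceRecord(
        owner="alice", cert_not_after=datetime(2015, 1, 1, tzinfo=timezone.utc),
        managed=True, os_patched=True, work_container=True),
    cert_fingerprint(STALE_CERT): DeviceRecord(
        owner="bob", cert_not_after=datetime(2015, 1, 1, tzinfo=timezone.utc),
        managed=True, os_patched=False, work_container=True),
}

if __name__ == "__main__":
    req = AccessRequest("alice", GOOD_CERT, "mfa", "US", "public", 23, "hr-db")
    print(decide(req, REGISTRY, NOW))
```

Two design points are worth noting. The certificate check binds the device to its enrolled owner, so a valid certificate lifted from one employee's phone does not let another account in. And the step order is deliberate: posture and context are only consulted after device identity is settled, so a lost device whose certificate has been revoked gets the same short answer regardless of where or when it shows up.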

FCIO: What do you see as some security implications of wearable tech like Google Glass?

BH: Wearable computers--Google Glass, smart watches, etc.--are just another step in the natural continuum of mobile devices in the workplace. That means IT departments need to consider evolving and existing BYOD policies to match the corporate security and personal privacy concerns that will come about.

The first and most important step is to ensure that every "wearable" device on the corporate network is subject to a progressive BYOD policy that allows IT departments to configure these devices so they can be trustworthy enough to protect corporate information. At a high level, that means companies need to have a say in what kinds of software are installed and configured--while enforcing limited access privileges for sensitive devices.

On a day-to-day level, we're seeing controlled, mobile quarantines for sophisticated wearable devices. That could limit access for devices abroad in countries where security measures are less sophisticated--or granting regular access when devices operate on safe, trusted networks. With wearables operating on open platforms that can feature apps of questionable pedigrees, it is critical that IT departments are proactive in preventing malware access to corporate data.

What will be interesting to track is how IT departments and employees negotiate the tenuous border of work/life and privacy on these devices. As much as an enterprise doesn't want their data leaking to personal devices, employees don't want personal data leaking to enterprise servers. Nor would these employees want to suffer a remote wipe--a common tactic for BYOD devices that have gone off the grid--of their wearable device, should they overstep boundaries.

But IT departments can't count on employees to be sophisticated enough to always know where those boundaries are. So as wearables--and other highly personal devices beyond smartphones and laptops--permeate the workplace, it'll be necessary for IT departments to evolve beyond brute-force tactics in dealing with these devices.

FCIO: What are your thoughts on Software Defined Networking from a security perspective?

BH: SDN presents several opportunities and challenges for security. The APIs of SDN (including OpenFlow and Cisco OnePK) give visibility and control across the entirety of network devices. This level of access brings several opportunities for improvements in security and stands to disrupt the security industry as a whole. The Cisco Security Services Platform is based on these concepts, and is the foundation for the Cisco security technology strategy.

Of course, the openness of SDN potentially offers new places for attackers to gain entry into network infrastructure. With that in mind, Cisco is working hard to ensure that Cisco OnePK is built on a secure foundation so that SDN security is trustworthy.

FCIO: What are some security measures that enterprises should look into when getting a wireless access point?

BH: From a security perspective, as customers transmit sensitive data at faster rates over the new wireless standards, they should make sure to use encrypted Wi-Fi with an enterprise authentication system. The 802.11ac standard incorporates efficient and strong cryptographic algorithms that provide government-grade security. Cisco has worked on security standards in support of strengthening security for 802.11ac.
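"Encrypted Wi-Fi with an enterprise authentication system" translates into a handful of concrete access-point settings, and the ones that undo it (WPA1, TKIP, a shared passphrase, no 802.1X) are easy to spot in a configuration file. The following is an editor's added example, not Cisco code and not part of Hartman's answer: it parses a hostapd configuration and reports those weaknesses, with a constructed weak configuration beside a constructed hardened one. The option names are hostapd's; the checks are this example's own policy, not a hostapd feature, and the RADIUS address and secret are placeholders.

```python
"""Audit a hostapd access-point configuration for settings that undo
"encrypted Wi-Fi with an enterprise authentication system".

Editor's added example: not Cisco code and not part of the interview. The two
configurations are constructed; the option names are hostapd's, the checks are
this example's own policy, not a hostapd feature.
"""
from typing import Dict, List

# Constructed "before": WPA1/TKIP with a passphrase shared by every user.
WEAK_CONF = """\
interface=wlan0
ssid=corp-guest
hw_mode=g
channel=6
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=corp2014
"""

# Constructed "after": WPA2-Enterprise (802.1X/EAP to RADIUS), CCMP only,
# protected management frames, on an 802.11ac channel. Address and secret are placeholders.
HARDENED_CONF = """\
interface=wlan0
ssid=corp
hw_mode=a
channel=36
ieee80211n=1
ieee80211ac=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=2
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET
"""


def parse_hostapd(text: str) -> Dict[str, str]:
    """hostapd.conf is one key=value per line; lines starting with '#' are comments.
    A repeated key takes its last value."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text: str) -> List[str]:
    """Return a list of findings; an empty list means the configuration passes."""
    c = parse_hostapd(text)
    findings: List[str] = []

    # 'wpa' is a bitfield: 1 = WPA (TKIP era), 2 = RSN/WPA2, 3 = both. Only 2 is acceptable.
    wpa = c.get("wpa", "0")
    if wpa == "0":
        findings.append("open network: wpa=0, no link-layer encryption")
    elif wpa != "2":
        findings.append(f"legacy WPA1 enabled (wpa={wpa}); set wpa=2 for RSN only")

    key_mgmt = set(c.get("wpa_key_mgmt", "").split())
    if "WPA-EAP" not in key_mgmt:
        findings.append("no 802.1X/EAP key management; wpa_key_mgmt should include WPA-EAP")
    if "WPA-PSK" in key_mgmt:
        findings.append("pre-shared key enabled; one passphrase for everyone cannot be "
                        "revoked per user or device")

    # Pairwise ciphers: wpa_pairwise applies to WPA1, rsn_pairwise to WPA2.
    ciphers = set(c.get("wpa_pairwise", "").split()) | set(c.get("rsn_pairwise", "").split())
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher allowed; use CCMP only")
    if "CCMP" not in ciphers:
        findings.append("CCMP (AES) pairwise cipher not configured")

    if "WPA-EAP" in key_mgmt:
        if c.get("ieee8021x") != "1":
            findings.append("WPA-EAP without ieee8021x=1")
        if "auth_server_addr" not in c:
            findings.append("WPA-EAP without a RADIUS server (auth_server_addr)")

    # 802.11w: require protected management frames so forged deauthentication is rejected.
    if c.get("ieee80211w") != "2":
        findings.append("management frame protection not required; set ieee80211w=2")

    if any(k.startswith("wep_") for k in c):
        findings.append("WEP keys present")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_hostapd(conf) or ["ok"])
```

Beyond the cryptographic weakness, TKIP also costs the throughput the question is about: 802.11n and 802.11ac high-throughput rates are negotiated only with CCMP, so an access point left on TKIP falls back to legacy data rates. The WPA-PSK finding is the enterprise-authentication point in Hartman's answer: a passphrase shared by every device cannot say which user connected and cannot be revoked for one lost device without re-keying everyone, whereas 802.1X/EAP against a RADIUS server can.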

FCIO: Any last words on the relevance of network security?

BH: Because of the continued challenges in securing the huge variety of mobile endpoints, as well as cloud services, expect the trend for security to rely more heavily on the network in the future. There is no alternative, since the network will be the only consistent, pervasive place to enforce security in the diverse universe of endpoints and cloud services.
