We felt that security is too important a function to do in silos. How could we preach to our customers that they should be approaching security in a more holistic fashion if we weren't practicing what we were preaching? So our CEO John Chambers, along with senior vice president Mario Mazzola, decided to bring a whole technology group together that would be focused around security for the whole organization. Today it consists of about 1,500 engineers, and is largely focused on five or six major sectors: routers, switches, appliances, end-user systems and security management. Eight months later, how has that organizational change made Cisco's products more secure?
There's a difference between adding security as a forethought versus as an afterthought. So we're designing and developing common technologies for all our products. For example, when we used to build firewalls, we would build them in our appliances, and we would try to bring the technology into appliances and switches. Now when we build a function, we think about it in all three form factors: routers, switches and appliances. When we introduced our application firewall in February, the application inspection capability we built for it is a common implementation in all form factors. From the customer's point of view, that equates to operational advantages, ease of use and common commands. What's the greatest challenge about your role?
My greatest challenge is keeping up with how rapidly security technology is changing. The type of threats are always different and more dangerous than ever before, so my greatest challenge is keeping up with the innovation required to stop blended threats.
The industry can't take hours and days to develop signatures, and that's why we're trying to build an "Anti-X" threat detection engine -- and X can be a virus, Trojan, malware, etc., so the key is to have a very unique anomaly detection engine that can be based on signatures, anomalies or heuristics. Let's talk about Cisco's self-defending network strategy. Say I'm a chief information officer or enterprise executive in charge of the network. How would you convince me that it's worth buying new Cisco products to enact Cisco's vision of a self-defending network?
I think they have to recognize they have a problem; if they don't have a problem you can't convince anyone to do anything. The average network admin spends countless hours each year dealing with threats, fraud, internal security and hackers, so it's not just an annoyance, it's an acute problem. Eventually, they realize they have to have an architectural approach. They can't just throw an antivirus system here and a firewall there because the security is only as good as each individual solution.
Our self-defending networks strategy is about building multiple security tiers. The first phase involved integrating security with an IP fabric, so you don't have to think of VoIP and data security differently. Next Cisco took on the responsibility of building Cisco Trust Agent (client software for ensuring policy adherence on end-point devices), which we give to our partners, and the benefit is that now there's a connection between the network and the end point. Then our most ambitious phase, adaptive threat defense, implements port-level security at the network edge.
Cisco has long been rumored to be developing an XML security product. Why is XML security important to Cisco?
We believe XML security will be an important frontier for Cisco because as more applications have an XML front end, we have to recognize the special XML schema validation and secure them like we're doing with e-mail and Web traffic. It's a natural extension of where we already are and where we are today with VoIP traffic. Today I would say XML is probably deployed in less than 5% of enterprises, but in the next five to 10 years that number will grow much higher. A key part of the February self-defending network announcements was the unveiling of a new SSL VPN concentrator. Analysts have said that Cisco's SSL VPN trails competitors such as Juniper Networks and F5 Networks. What in particular about this release evens the playing field?
First, I must acknowledge that we were late to the SSL game. Many of our competitors have had products for as much as a year ahead of us. SSL VPNs are something we didn't view as a separate box, but as an extension of how people build their networks. We wanted to take the same VPN 3000 concentrator and have an SSL option in it. But SSL VPNs are good and bad things: good because they give you application access, bad because you don't want confidential application data sitting in the end-user system. That's why we offer Cisco Secure Desktop, which ensures that important data isn't left behind before, during and after the SSL VPN session. Your rivals might say the self-defending network strategy is not intended to help increase security, but rather is part of a plan to encourage customers to build end-to-end Cisco networks. What's your response?
I think Cisco has always conformed to standards. For instance, we have standard [Gigabit Ethernet] interfaces where there's not reason we couldn't interoperate with other vendors. But standards shouldn't be confused with value-adds our customers need. And when we offer value-adds, it's the customer's choice to deploy them or not. We have about 32% market share in network security, so Cisco is a major player, but by no means the only player. It's been more than a year now since Juniper acquired NetScreen. What was the impact of that acquisition on Cisco, and do you believe it was good for the industry?
I think the acquisition validated Cisco's strategy, namely that you can't build point products to solve network security issues. The difference is Juniper paid $4 billion and Cisco was investing in smaller acquisitions. We saw NetScreen as very viable and focused security competitor in the standalone appliance category, perhaps greater a year ago than we're seeing right now. As with any acquisition, it takes time for the benefits to manifest. Time will tell.
We have no regrets. We don't look back. We look forward. A Gartner analyst recently told us that because Cisco gear is widely used, it is becoming a target for hackers. Do you agree?
I wouldn't put is in the same category as Microsoft because everybody has a Windows desktop, while Cisco networks are under the more direct control of network managers. Part of our focus on Anti-X is finding proactive ways of dealing with the possibility of attacks. It's all about managing risk. It can never be perfectly managed, but the concept of a "riskometer" is what's on the mind of CIOs -- they're trying to take it from a high to a manageable moderate to low. Microsoft and Cisco this past fall announced an end-point security partnership that resulted in the sharing of technology such as application programming interfaces, but some have said it will be years before tangible results will emerge. Do you agree?
I think anytime you take a very complex subject like end-point security and ask that we have interoperability of two very complex subjects from two large vendors, it's not a simple equation. There are a lot of variables, but this is what our customers want. Our customers expect us to work together. These things will take time, but we will show critical milestones in standards committee within the next year -- there's a link encryption standard that we've both been working on and an 802.1x standard. A lot of it will be a function on both when Microsoft and Cisco have products shipping, but both companies strongly believe in this effort and are strongly committed to security to satisfy our customers. Is there room in the market for both Microsoft's NAP strategy and Cisco's NAC strategy?
There's room for both, because Microsoft comes at it from a Windows and client-server perspective, and Cisco comes from a network perspective. I subscribe to the 80-20 rule here; 80% of the time there will be no overlap at all, and 20% of the time there will be and we'll discuss it with those customers and add more clarity. It's always said that social engineering and uneducated users are an enterprise's biggest security challenge. Is there any way to win that battle?
It's like seatbelt laws. We've had them for a long time, but until it became the law people didn't wear them. Customers haven't always laid down the law, but some important policies and guidelines are required. Technology can only solve a piece of the security problems out there. Usage of the technology and dos and don'ts become as important. In the past, trust was implicit. In an organization we trusted and empowered everyone, but all it takes on one bad guy in a population of a million or more to wreak havoc.