Bret Hartman joined Cisco late last year as chief technology officer of the company's Security Technology Group....
He currently works under Chris Young, senior vice president of the Security and Government Group. Like Young, Hartman is a former executive at RSA, the security division of EMC. How will this infusion of executive talent from RSA steer the Cisco security strategy? We sat down with Bret Hartman to find out.
What was your goal in taking the security CTO position at Cisco?
Brett Hartman: Expanding and getting more focused around security at Cisco and ensuring it is strategically relevant and central to Cisco's strategy. It's all about how do we embed security directly into that network fabric to make it so that, as you use these [network] devices, security is inherent in everything that Cisco sells. Our strategy is all about riding on the rest of Cisco's strategy, so the notion of onePK and software-defined networking capabilities are all really relevant to security.
A lot of vendors talk about making security a part of the network fabric. What is different about the Cisco security strategy?
We are leveraging Cisco ONE and the onePK interface to create a security services platform that can span that whole stack.
CTO, Cisco Systems Inc.
Hartman: When Cisco talks about embedded security in the network fabric, it's a little bit different from most other companies considering the massive footprint Cisco has ... because it's all about enabling enforcement of policies. You can have the best security polices in the world, but if you can't get in there, intercept traffic and control traffic flows, then the policies don't really matter. This is about leveraging that massive deployment that's out there in the Cisco landscape.
In a sense, it's some of the same ideas as [Cisco's former security strategy, self-defending network], but the more recent trends around things like onePK open up the network in a way to make that far more feasible. First of all, there are two problems to solve when you think about addressing security: First, you need visibility. You need to be able to see what's going on in an infrastructure stack. And once you see it -- you have to be able to enforce policies. You have to decide what to do in terms of what to protect.
If you think about what the APIs [application programming interfaces] are around onePK, it's exactly about visibility and enforcement. You can take advantage of all the existing routers and switches and the rest of the stack to be able to see far more content than you can see today. And then you can push policies back down into that fabric.
Another way to put it is that most of the focus on security is around devices -- appliances that get deployed today mostly on perimeter -- firewalls, anti-malware. The problem is that the kind of security challenges we face are distributed security problems. Mobile phones connected to the cloud, etc. It's a big huge distributed system. It can never be solved by just dropping in a box or two. It's got to be pervasive. You have to be able to enforce polices regardless of what device I'm using, where I am on the planet, and what cloud service I'm accessing. We call that the any-to-any problem. When you have really huge connectivity, where do you enforce policy on that big complicated mess? You can't just drop in a box to solve that problem. It has to be pervasive across that fabric. That's exactly where we're going.
We are leveraging Cisco ONE and the onePK interface to create a security services platform that can span that whole stack; that can be embedded in routers and switches, and deployed as physical appliances if that makes sense. It can be deployed in a virtualized environment, in the private cloud and in the public cloud. You get the same set of security services, but rather than just one box; it gets distributed across that whole stack.
Does that mean the boxes go away, like firewalls and IPS?
Hartman: I think they transform. Many go away and get absorbed. As a case in point, if you look at the intrusion prevention space, you can focus the box on doing analytics, the inspection of the network content. You can do that on a physical device that has a lot of x86 cores to make that really fast and relatively inexpensive. But then to enforce those policies, you can push those policies out to existing routers and switches. Rather than [enforcement] being done on one node on the network, you can do it pervasively. You can do it within the corporate network. You can prevent propagation of an attack within that LAN.
If you look at the trends of IT security more broadly, you can see that many security vendors are adding more and more security services. You start with access control. Then you have content awareness and context awareness, and anti-malware and threat protection. All the vendors just keep adding more and more security services. The trend is to have the security services deployed across that network stack where they are most effectively enforced.
There are going to be some customers who are going to say, "I don't want my security boxes to go away." How do you serve them?
Hartman: The point is to leverage the existing footprint and those same boxes. That's the appealing part of this new architecture. It's really a software architecture that can run on the existing hardware footprint that Cisco has. onePK is a software firmware upgrade for existing products. The intent of this whole approach is to make it evolutionary. The last thing you want to do is tell people you have to throw away all your boxes and start again. What we're seeing in terms of onePK is just natural evolution. Our existing next-generation firewall is already leveraging onePK under the covers. I know we'll see each generation of our products continue to leverage more and more of onePK within our own products.
How does the ASA-CX firewall use onePK?
Hartman: In terms of on the management side -- being able to connect to the underlying network fabric, primarily in terms of a management interface.
Do you see the Cisco security strategy embracing other aspects of SDN? For instance, is there a place for OpenFlow in security?
Hartman: Yes, totally. First of all, standards support is crucial for credibility. This is never just about Cisco gear or Cisco products. If this is going to work, it has to be able to interoperate with the rest of the products that organizations have. It certainly starts with OpenFlow. OpenStack is certainly relevant as we build out cloud support. There are also emerging security standards that are important for sharing different kinds of context information.
Doesn't this approach introduce a lot of complexity compared to dropping a security appliance into the network?
Hartman: If you have a single physical appliance, one of the attractive things is that it's manageable as a standalone box. But that's a little deceptive because you're not really managing that one box. You have to manage everything around it. Lots of large organizations might have 50 of those standalone security products that they have to administer and manage. The point of an architecture like this is that we can consolidate and converge the management, as well.
This makes our investments on the security policy and management side very important. Otherwise you do risk that complexity. This is where we've made investments in the Identify Services Engine, a very strong offering in terms of managing access policies for different users and devices.
It also ties into Cisco Prim and Prime Security Manager, which is a convergence of security that we've been working on. But to your point, when you have a distributed architecture, you better have a management framework that sits on top of it. Otherwise you have huge challenges. You can't really manage those services as individual, distinct services. You have to manage it as a system.
How does that work within Cisco, because Cisco Prime is a different business unit?
Hartman: Security is viewed as a key strategic component in terms of Cisco's overall strategy and in terms of really expanding and delivering that broader IT solution, not just the network infrastructure. So the strategy that we continue to build and deliver is how that security strategy fits in across every single group at Cisco.
For example, as the CTO, I work with the other CTOs across each of those groups, including the folks responsible for Prime, so that we have a single coherent security strategy. There is actually a lot of motivation in all the different business groups across Cisco to coordinate and have a converged security strategy. That hasn't always been the case.
It's in each business group's best interests, because all of the groups view security as an important differentiator, whether you're talking to the data center group, the enterprise networking group or service provider group, or in mobility and collaboration. And we're really providing that core technology across Cisco. My role is making sure we have that converged security and we don't have fragmentation.