Virtualization has plusses and minuses from the security perspective. On one hand, a lapse can make more data vulnerable. On the other, the inherent consolidation of SDN and NFV can lead to a better overall security posture. For instance, the increasingly unwieldy number of passwords that employees must track can be reduced and more efficiently managed.
In the second installment of a two-part Q&A with Telco Transformation, Masergy Communications Inc. Vice President for Global Technology Ray Watson concluded that the key in both legacy and virtualized networks is the willingness of people to employ good security practices. In part one, Watson talked about the strategies that were being used to compromise security in legacy and virtualized networks. (See Masergy’s Watson on Security: New Networks, Similar Challenges.)
Telco Transformation: How much of the SDN security is focused on the controller?
Ray Watson: This goes back to that air traffic control tower analogy. It's extremely important. It's definitely a nightmare scenario if the tower gets taken over, but that doesn't mean that you don't need to lock the cockpits too. You still need to worry about the planes.
But one of the things that is kind of nice about this movement to virtualization in networking is that in many cases companies before had 30 or 40 different sets of passwords. By centralizing a lot of that, you hopefully can also bring in better cyber hygiene practices because passwords are all in one place.
So, you can tie it to policies. One of the worst security vulnerabilities for telephone communications carriers is expired or former employee credentials. Now, when they're centralized, you can tie it to "active directory" so you can turn them off on the central server and, boom, none of their credentials works. So that's definitely better. It also gives you the ability to monitor a temp, for instance, who may not use those keys right. So, every time somebody jiggles a lock you can actually say "Wait a minute, why is that person jiggling this lock?"
TT: So there is good and bad in SDN and NFV security?
RW: There certainly is an upside to it. But, there's also the downside of everything being in one big place. It may be more attractive for somebody to go after that. I do want to point out that what we're generally facing right now in cyberattacks is more like smash-and-grab type exploitation in which somebody would come in and basically get as much as they possibly could in a very, very short order. Whether it's stealing things, launching attacks or whatever else. They are not necessarily going for persistence, for being there long-term and thinking "I'm going to hang out here and be stealthy, delete my logs," and those types of things.
However, if you do see persistence, if you do see long dwell times, that generally is connected to nation states or governments. So, one of the reasons why the really big breach -- the one that's been all over the news since September 7 -- is probably going to end up being a nation state is because they dwelled there for so long.
TT: Is that Equifax?
RW: Yes.
TT: So IoT security and SDN/NFV security are discrete, but related like peanut butter and jelly. They generally go together.
RW: No, I actually don't see them really related like peanut butter and jelly. I really think that IoT security is very different than SDN/NFV, because the SDN/NFV security truly is a carrier challenge, and IoT is very much an enterprise and consumer challenge right now. So, I don't see them as being that intertwined at all. As a matter of fact, I would actually say that even looking at the horizon for what's next, I would be way more concerned about IoT than I would be about SDN/NFV.
TT: But there is that connection, on a technical level, of IoT providing great attack vectors to SDN and NFV.
RW: Sure. I mean it's quite possible. What they do have in common is that ultimately when it comes down to it, whether we're talking about cloud, SDN, NFV or the IoT, we're really just talking about computers. At the end of the day these are computers. They may be tiny computers. But, ultimately we have to secure them as if they were fully fledged computers.
TT: Is the security that we're talking about more of a technical challenge, operational challenge, or a cultural/human challenge?
RW: Oh, it's definitely people. It's 100% people. We love to talk about the technical, because it's fun, and it's interesting, and it makes for great copy and all that other stuff. But about 90% of what we track as being dangerous ultimately comes down to social engineering or human beings clicking the wrong things or giving out the wrong info or calling back the wrong person or having the wrong password. It's very, very much human beings. Computers are not the weakest link in the chain by far.
TT: Even on the SDN/NFV side of this?
RW: For sure. We have a human challenge, and until we can address the human challenge, the computing challenge is definitely secondary. How can we get human beings to better understand the risks of what they're doing?
— Carl Weinschenk, Contributing Writer, Telco Transformation