Cisco Cisco ASA 5545-X Adaptive Security Appliance - No Payload Encryption Libro blanco
©Nemertes Research 2008
systems. Policy will define which of them are allowed to talk to which, with
identity independent from (but not necessarily insensitive to) location. Digital
signatures will allow components to be identified and trust assigned, and will
form the basis of conversation encryption. Federation will allow the integration
of security rules across cooperating organizations. User identity will be
propagated among components as well, of course: component identity can be
used to make sure that only the right parts of the infrastructure try to access
protected resources, and user identity to make sure that they are doing so only on
behalf of those users with the appropriate privileges.
Content-aware security will both ensure traffic among components is well-
formed, and watch for and alert on unusual traffic that is otherwise well-formed.
Traffic may be inbound, and indicate an attempt to compromise systems, or it
might be outbound, evidence of an attempt to leak sensitive data. Either way,
data center security will have to be aware of the content in order to properly
secure it.
In order to achieve all these ends, securing the new data center will
ultimately require integration of security across all categories of data center
systems: networks, appliances, servers, storage, and applications. This, in turn,
places a high premium on strong, standards-driven interoperability. Such
integration will have to be both reactive and proactive. Reactive, in that any
component should be able to alert the others that something odd is happening.
Proactive, in that the configuration management and provisioning tools driving
the creation and destruction of virtual servers and services will be able to trigger
the necessary changes to security in anticipation of those events.
Conclusion
Security has once again trailed production environments somewhat, an
afterthought dealt with once the operational bugs have begun to be shaken out of
virtual environments, SOAs, and Web 2.0. Enterprises with functionality out well
ahead of matching security will have to play catch-up on security again, with the
predictable and oft-repeated consequences of confusion and expense.
Enterprises just embarking on their own quests for agile and dynamic IT
infrastructures will have the chance to build a well-fitted suit of armor as they go.
About Nemertes Research: Founded in 2002, Nemertes Research specializes in analyzing
the business value of emerging technologies for IT executives, vendors, and venture capitalists. Recent
and upcoming research includes Web services, security, IP telephony, collaboration technologies, and
bandwidth optimization. For more information about the analyst, please contact Nemertes at
research@nemertes.com.