- Security is a data management problem and context is metadata
- Context drives better policy management and better policies drive better risk management
Context is a word you hear an awful lot these days when talking to security vendors. Everything it seems needs to be put into context, and by that security vendors typically mean that knowing the who, what, when, where and why of network traffic is very useful in determining the “legitimacy” of that traffic. It’s kind of like when firewalls became stateful, the realization that it’s better not to look at each packet in a complete vacuum. Context is the back story, if you will, of each packet traversing a network. Viewed from a data perspective, context is metadata.
If context/metadata can be attached to each packet, this information can be used in policy decisions when routing traffic in a network. Cisco, for example, has been working for several years on enabling such capabilities through its TrustSec/SecurX architecture. TrustSec employs Cisco switches, routers and Unified Wireless Network Controllers as enforcement points for applying authentication, authorization and access control to network traffic as it moves through a corporate network. TrustSec enables devices to read policy tags embedded into packet headers and then allow or deny traffic movement based on current context (e.g., user, role, device type, security posture, location, connection method etc.). Earlier this year, Cisco announced an Identity Services Engine to provide a unified policy management and reporting product for TrustSec-enabled devices. This is a multi-year initiative from Cisco that involves numerous security and networking products within its portfolio.
The shift to context does not have to be so comprehensive, however. The emergence of next-generation firewalls can be viewed as a response to the need for more context as well. If data is viewed as the elemental unit that needs protection, and it should be, then everything associated with the delivery and consumption of that data is useful context associated with its use. For example, an increasingly important question is “what application is using that data/ creating that traffic?” Add to that identity information about who is using that application and a (perhaps) surprisingly rich set of policy controls can be applied to data flows. Visibility into applications and users is of course two of the chief initial differentiators for next-generation firewall vendors, such as Palo Alto and others.
Enterprise IT professionals with security, compliance and general QOS responsibilities should be thinking a lot about context awareness these days. Purchase strategies should be viewed through a larger prism of deep network visibility. And, as briefly described above, this visibility is increasingly being built into everything from network infrastructure products to security gateways, but also into traditional tools for providing visibility into network traffic, such as SIEM products. Other traditional security products can also be better appreciated when their ability to provide “context” is considered. These include network access control, mobile device management and DLP. The end game is data-centric risk management enabled by a full understanding of (not just visibility of) network traffic.