Kelly Brazil, director of systems engineering - APAC at Palo Alto Networks, talks to CIO Asia about designing networks and combating threats.
You have had an interesting career in network design and security across continents--from Silicon Valley to Asia Pacific. What major difference do you see in terms of your work between these two geographies?
Internet facing data centres in Silicon Valley, especially during the dot com boom, were all about performance and security was an afterthought. Router ACLs were about the extent of security. Enterprise data centre security was handled differently everywhere. Lately, though, in both the US and Asia, there has been increased focus on the lifecycle of a data centre attack and not just on single security components like Firewalls and IPS systems.
You have been involved in data centre design and implementation for many well-known companies. What are three most important things that you keep in mind when you design networks for data centres?
For me, simplicity is number one. Check the design and see if there is a way to simplify it further. Complexity is the enemy of security and high availability. Build security into the design from the start and don't leave it as an afterthought. Also, don't only secure the front door, but also look at other entry points malicious actors are now using to penetrate the data centre. This includes the back-end connections to the enterprise.
In the CIO Summit 2012, your topic is Breaking the Life Cycle of Modern Threat. What do you mean by that? Can you please elaborate?
It's important to think about how exploits are actually happening in the real world in a holistic manner instead of just through the lens of individual security components. You need to have protection for all aspects, whether it's the phishing lure to your users, to identifying unknown threats, and also the standard vulnerabilities we all know. Understanding users, applications, and content at a deeper level than we typically have done before is now essential.
What is the source of modern threats for networks?
It used to be bored hackers, but the attacks are coming from much more sophisticated communities now, including organised crime and nation states. They know what they are after and what to do with it once they get it.
How has the threat landscape changed in the last five years and how are network designers dealing with those threats?
Applications are the major threat vector and as we all know, applications have become much more evasive in nature. They are designed to go through standard port-based security devices and modern malware and APT take advantage of this. The key is designing in user, application, and content intelligence so you can reduce your attack surface area. Once you do that, the security becomes much more manageable and effective.
Sign up for MIS Asia eNewsletters.