For this post, Michael Ritter and I talked with Peter Klostermaier of Computacenter about the need to integrate the five areas of security, the importance of protecting data as it leaves the premises and how the “Snowden effect” has changed attitudes to data protection.
Prayson: Could you tell us a little bit about what Computacenter does and, in particular, how you’re driving innovations in security?
Peter: Computacenter is Europe’s leading independent provider of IT infrastructure services, enabling users and their businesses. We advise organizations on IT strategy, implement the most appropriate technology, optimize its performance, and manage our customers’ infrastructures. In doing this we help CIOs and IT departments in enterprise and corporate organizations maximize productivity and the business value of IT for internal and external users.
We don’t just offer hardware or software. We provide solutions. And we implement a lot of mock-ups with our customers, including proofs of concept and proofs of technology where we combine different vendor technologies into one solution and build it up in our solutions center’s test areas.
The Secure Information business line has two directions. On the one hand, the business line stands as a service area. On the other, there can be no networking solution, no workplace and no datacenter solution without security – so it’s also a part of all other areas. For this reason, Computacenter is not only Europe’s preferred IT provider, but also Europe’s preferred secure IT provider. We are not only dealing with digital security. Mostly it’s core IT, which is networking and datacenter solutions, of course.
This broad range of the security landscape is very important. I just came back from a customer meeting where a vendor asked, “Who’s involved in security?” There were about 15 people in the meeting, but only two raised their hands. I said, “This is wrong, everybody has to raise their hands. Because security is not only for firewall administrators.”
When we talk about security, we have to take a look at five areas:
First – endpoint security, with virus protection;
Second – infrastructure security for networks and data centers, and ADVA’s product is a part of that;
Third – identity access management;
Fourth – identity security management;
Fifth – cybersecurity.
For these five areas, we have about 100 consultants and technology specialists helping our customers secure data in their businesses.
Prayson: You put infrastructure security for networks and for data centers together. Can you expand on that?
Peter: If we talk about infrastructure security for data centers, we talk about securing a server and its services. This doesn’t work with a regular perimeter firewall anymore. Server workloads are now moving from one part of the data center to another, and so we need virtual firewalls, the integrated firewalls in products like OpenStack, like VMware. That’s mainly what I mean with data center security.
And if it comes to networking security, networking encryption is the hardening of network devices and the traffic going through. It’s Layer 1 encryption that we talk about. That’s mainly infrastructure security with regard to networking.
Prayson: I think you made a very good point that security is not only a service; it’s a component of all the other services. And then, by extrapolation, everybody is in security. I think that’s a tremendous point that people need to understand. But going back to network security and Layer 1 encryption as a component supporting the rest of it, are you finding that this is becoming important to your customers, and if so, why?
Peter: Yes, I think it’s very important. Security has to be important for every user and every customer in every branch. We have to secure the availability of services and applications, and we have to secure data integrity. We have to ensure that the correct data are where they should be and nowhere else.
Intellectual property should be protected – especially the engineering part. There’s a lot of engineering business in Germany that should be secured. And regarding the public and finance sectors, there are huge compliance regulations – internal as well as external ones.
Wherever metropolitan area networks exist, there is a need to secure them. There are countless tools, protocols, processes, Layer 2 encryption, end-to-end encryption - so many different tools. And if it comes to scalability or fast-growing production, all these management tools do not work together very well.
When one uses high bandwidth of 10, 40, 100 Gig connections outside the customer premises and this traffic needs to be encrypted, then there is almost no affordable security solution available. And here’s the gap where your product comes in. Whenever personal data leaves the premises or where the regular onsite security isn’t applicable anymore, then you need something that is scalable, cost-effective and works with wire speed. So whenever this is the case, our customers think about Layer 1 encryption.
In dialogue with our customers, I say: “There is another alternative. Why don’t you light your dark fiber by yourselves? Why don’t you put the encryption in here? If you do, you’ll have a lot of advantages over other features.”
It’s very easy to operate. We don’t have to care about overheads and packet sizes and challenges like that. So that’s why I think it’s important for our customers. There’s a security gap outside the premises and this gap isn’t easy to close with a low budget.
Prayson: So, our scale, compliance, simplicity, speed, cost, reliability – sounds like a great list of features. I think I have to go and buy some of that. It’s a very simple solution for when the data has to go outside, and it solves a lot of those problems.
But, nothing’s standing still. So what’s changing? What needs to happen in the next 12 months? You mentioned the software-defined everything. Does encryption need to become more integrated with applications? What are the problems that we as suppliers and you as a trusted consultant to your customers collectively need to solve?
Peter: As I said before, these five major security areas need different skills, and every area in the past was handled separately. So there was a group of people taking care of adding to the access management, another group taking care of infrastructure security, and so on. And our approach in the past was to choose the best product for our customers.
But now, since we have all these compliance regulations, restricted resources, restricted budgets and changing security threats we have to follow a different approach. And this different approach doesn’t focus on the prevention of attacks anymore – as it will get more and more difficult to prevent attacks completely. It goes into detection and into advanced response management. It becomes necessary to integrate all these best-of-breed parts. It’s not just best-of-breed anymore. It’s not the sum of every single part. It’s the integration of all these parts to multiply security.
Which means we need to have cascades, like in the food industry, where you have “hurdle technology” to prevent food poisoning. You just add those technologies in cascades. There is a need for management reports, for KPIs – measuring the security level to help our managers to use their budget more specifically, to have a targeted action plan.
Prayson: You made some very good points about the need for open interfaces, and the integration of the transport systems with the other systems. And we certainly support that here at ADVA Optical Networking with open interfaces.
I want to go back to what you were talking about in terms of benefits of Layer 1 encryption and compliance. You mentioned specifically some sectors like the financial sector and public, and you briefly touched on police. But I think there are many other public sector organizations that may not be putting the focus on security that they should. I think there’s a lot of concern about the lack of security around water, power, gas lines, etc.
Do you see those types of government entities coming to realize the importance of security and taking measures to address that?
Peter: Access network providers will start to build up fiber to the curb and fiber to the home networks, and I guess as a result they will start to roll out those monitoring devices for power and other smart grid applications in the household. And whenever they start doing that, they open up a complete new area for security hacks and threats.
They cannot do this without having the proper security measures on hand. If you have this in mind, I see a lot of security efforts coming – providing every household has a connection on the power and water flow meter and so on. I don’t know whether this answers your question, but this is definitely something that they have to take into account.
Prayson: That’s a great point, Peter. I was thinking more about protecting their own backbone networks and data centers, but I hadn’t really thought about what you just mentioned, that by virtue of moving to more access and, if we take it a step further, into the internet of things, there are going to be many more ways for people to attack their networks.
This is all a very good approach, but sometimes there are gaps. What’s the worst issue that you’ve seen, and how have you or your company moved to prevent future breaches? And it could be something that happened before you were at Computacenter.
Peter: Yes, well I can’t talk about any of our customers in public – even if I had a few good stories in mind. But, I think the most difficult security issues are data leaks. Let me remind you of the Edward Snowden case and what’s happening in the banking sector.
We all talked a lot about the content and the consequences of data leaks or what happened to the documents that Snowden published. But nobody really talked about how the data was leaked. What can we do against this loss of data within our companies? Or within organizations like the NSA? I’m sure that NSA has professional and actual firewalls and functions. But these measures may have not been integrated enough to detect what’s coming.
If you integrate the individual parts you might see that someone is taking data from somewhere that is not within the usual pattern – and this should trigger some other functions. I think this alerting and those alarming mechanisms don’t work right now because all these systems work for themselves.
Michael: You said that you see your customers asking more and more for full data encryption. I assume this is not only encrypting data at rest. This is more and more encrypting data in motion, as we do in some projects together. Is this a requirement for many of the connectivity networks your company is providing and deploying?
Peter: Well, you can ask a customer, “Is it required to encrypt your data over a fiber?” And every single customer will tell you, “No, I may not have that requirement.” And then you write down, “Okay, there is no need to encrypt the data if it leaves your premises.” You will not find anyone who signs that letter. At the end, you end up with, “Okay, let’s encrypt everything.”
It’s about having end-to-end encryption. And most of our customers don’t even know that their application is encrypted, so they encrypt it themselves. They encrypt the data, and then it’s encrypted again if it goes over the line.
In most cases I don’t know what software, database or web applications are transported over ADVA systems. The good news is that it’s not really necessary. I don’t need to know because your encryption solution is very agnostic.
Michael: Yes, you’re making a good point. In fact, this is something we hear from many other customers, that as soon as you start encrypting on a higher layer, and let it be IP, or even on the application layer, then you have to consider each and every application on its own. Once you have something at the very bottom, Layer 1, you don’t have to worry about this so much.
Peter: Yes. So, that’s basically it. They don’t realize that it’s encrypted. It’s wire speed. The delay is negligible, so there’s no need to say, “No, I don’t want encryption.”
Michael: And the operational complexity is rather low. I think that’s a very good point, which is driving this market.
Peter: I talked about the Snowden effect, which has a very fascinating effect for ADVA. The next step will be the legal requirements around IT security, which will give another push in the public sector.
So, if our customers within the public sector are realizing that there’s something like an encryption solution for Fibre Channel and Ethernet, with 16G Fibre Channel, 100G Ethernet, and if cloud providers are finalizing their efforts to build German-based clouds, then the public sector will have a lot of data center interconnections within metropolitan areas. They will have a lot of interconnections to external resources like public clouds.
Previously, they were very hesitant to go into the cloud, because they didn’t know where the data would go. Now, with Microsoft or Amazon Cloud solely within Germany, there is no reason not to go into the cloud anymore. And to secure this part outside with high bandwidth, I think Germany’s Federal Office for Information Security (BSI) – in combination with the German-only clouds – will give a huge push in the government area in the next few months.
Michael: Sometimes, you need an event which breaks the ice, and I think, on the security side, people start to realize it only when something has happened. And this goes back to Snowden and many other events.
Peter: Right. I don’t know whether your encryption would eliminate phishing attacks like we saw lately! But it’s another piece in the huge puzzle of security.