Security Strategies

AT&T's Amoroso: Build Botnets of Security

NEW YORK -- The ideal security architecture for virtualized networks will be distributed, diverse and resilient, which means it will look a lot like a botnet, AT&T Chief Security Officer Ed Amoroso said Wednesday at Light Reading's Carrier Network Security Strategies conference.

A year after he told the same conference that the days of just protecting the perimeter were over, Amoroso got a bit more detailed about how AT&T Inc. (NYSE: T) is evolving its security strategy to match its adoption of software-defined networking and the cloud. SDN actually represents a substantial opportunity to improve security by enabling the instant provisioning of per-workload security, he said. (See AT&T Adds Virtual Layer of Security and AT&T Virtualizes Multi-Layer Security.)

"We are at a pretty important point in computer security where we are all changing our architectures," the AT&T executive said. Architecture is the key thing even though it doesn't get the attention from the vendor community it deserves, largely because it's impossible to get venture capitalists excited about architecture, Amoroso said.

AT&T Chief Security Officer Ed Amoroso
AT&T Chief Security Officer Ed Amoroso

As telecom adopts virtualization and begins delivering applications and services in new ways, security has to adapt as well, he noted, and one way to do that is apply the security needed on a per-app or per-workload basis, at the time the virtual network functions are being assembled.

"So you spin up a VM, using your Puppet or Chef provisioning tool, why not spin up security as well?" Amoroso said. That would use only the security required for that particular workload, and it would enable applications or workloads to be protected in a hybrid environment, using public and private clouds, because the security is directly associated with that app or workload.

"The advantage here is, if I am only protecting that app, the rules are real simple," Amoroso said. "You don't need a Fort Knox-style bunker. I can put that in the cloud, and with the magic of SDN, I can service chain through APIs. It's a powerful concept because it takes all of the security functions that are necessary and makes them on demand."

Read the latest on issues around network security in our dedicated security section here on Light Reading.

This approach will work for one of security's looming challenges -- the Internet of Things with its proliferation of connected devices. Amoroso sees IoT as three distinct markets, one being industrial control systems, the second being the industrial Internet and the third being what he termed "whimsical devices." The first one, in particular, will need heavy-duty security.

The AT&T exec also told the CNSS audience that "It's time to think about new ways to do things; not how to bolster the old ways" like firewalls and perimeter security. To date, it's the bad guys who have been more innovative -- they are, after all, the ones who came up with botnets.

A virtualized security landscape with its micro-segments of security, being controlled at a higher layer of the network, looks very much like a botnet, "and that gets an A-plus on my test," Amoroso said.

— Carol Wilson, Editor-at-Large, Light Reading

danielcawrey 12/4/2015 | 2:53:55 PM
Re: SDN and security I think this is a pretty interesting idea. I mean, why not implement the technology that the bad guys are using? When it comes to botnets, we all know that's become pretty effective. I don't see why IT security departments wouldn't consider this as an option. 
cnwedit 12/3/2015 | 12:42:21 PM
Re: SDN and security I thought that was one of the things that Amoroso explained pretty well, which was how to get around the complexity issues - because you are right, when things get virtualized and services are chains of VNFs that are stored in different places, keeping all of that secure is a potential nightmare.

But Ed laid out this idea of spinning up just enough virtual security at the time you spin up an instance or workload or whatever and that seems to make a lot of sense to me, at least. He has a way of simplified difficult concepts that makes you think you understand them. 
msilbey 12/3/2015 | 12:39:05 PM
SDN and security I love the idea that SDN could actually improve the security outlook - makes sense in that you can be much more agile about protecting different applications and sets of data in different ways, although the potential complexity strikes me as a challenge. 
Sign In