Who’s Securing Your Security Solution?

As highlighted in my recent blog, ‘The Brave New World of Network Security,’ cybersecurity is top of mind for IT leaders across the globe. The increased frequency of new security breaches is startling. The advent of the Internet of Things (IoT) era has brought new challenges that require a new approach to security.

The irony is not lost on anyone that sometimes it is the very security solutions that we put in place to protect us that can put us at risk.

For example, consider video surveillance. In the past, video surveillance systems were analog and typically resided on physically segregated networks that were ‘locked down’ from a security perspective. However, with the transition from analog to IP-based video surveillance, many security integrators now look to deploy video surveillance on converged IP networks.

The converged enterprise IT network now must support high-resolution video surveillance traffic alongside all of the other applications, such as voice, video collaboration, data, etc. As a result, network security requirements become more important as every physical security device on the IP network can now create another potential backdoor path for a hacker. For example, an unprotected surveillance camera could provide the backdoor entry into the entire enterprise network.

As customers continue to demand more secure IP video surveillance deployments, manufacturers must work together to build validated solutions that drive “Better Together” performance and a higher level of cybersecurity.

This week, Axis Communications, the global leader in network video, in partnership with Avaya, EMC, and Genetec announced the Secure Surveillance Platform, the security industry’s first validated surveillance solution that helps secure video from the device all the way to the storage. It offers a cyber-hardened solution that provides scalability and reliability for enhanced security management while helping to reduce the possibility of a cybersecurity breach.

This partnership ensures customers have the best solution to deliver surveillance at scale with the confidence they have come to expect from market leaders.

Avaya’s industry-leading Fabric Connect technology offers a secure network infrastructure that is optimized for video surveillance. Fabric Connect uses the IEEE standard Shortest Path Bridging (SPB). This innovative technology enables a dynamic, agile and resilient network that simplifies IP video surveillance deployments. It allows customers to deploy a video surveillance system over a converged, secure, segmented network fabric.

This ensures video surveillance traffic is kept in its own secure zone and is completely isolated from other corporate IT traffic. Sometimes even security solutions need a little extra security.

To learn more about how this validated, end-to-end architecture can help secure your business, visit us at ISC West 2016 Booth 14051 or online.

Related Articles:

Avaya Demos Wireless Location Based Services at Avaya ENGAGE℠ Dubai

Wireless Location Based Services (WLBS) are usually discussed in the areas of customer or guest engagement. However, there are also valuable use cases in the areas of employee engagement and facility safety. The WLBS demo at #AvayaENGAGE in Dubai highlights the employee engagement use case. Further, it demonstrates the power of the Avaya Breeze™ Platform and Unified Communications.

As a real-world example … think about a public area: a store, a hotel, a school, etc. A window is broken. A call reporting the incident comes to the control center. The controller needs to identify which resources are closest to the event. The closest member of the security team needs to respond to cordon off the area and determine if anyone was injured. A member of the janitorial team needs to be dispatched to clean up the glass, and a member of the engineering team needs to respond to temporarily cover the opening and have the glass company implement a replacement.

The WLBS display shows the location of all devices probing the WLAN. The user interface allows the controller to sort displayed devices by role, for instance, eliminating all guest devices from the display or simply displaying the security team members. Further, the device indicators can be color coded based on the role to simplify identification. Once the correct person is identified, they can be selected on the screen, and either sent an SMS or called on their mobile device. This allows the controller to quickly identify the appropriate resource based on their location and contact them to respond to the situation.

For the #AvayaENGAGE Dubai demonstration, Avaya employees are being tracked in the common areas of the pavilion. Information about each employee has been captured in a database, including MAC address, device phone number, name and skill or role at the event. For instance, subject matter experts (SMEs) in Networking, Contact Center, and Unified Communications have been identified. If a guest has a question requiring an SME, the closest SME can be identified and contacted to see if they’re available to answer questions.

The following diagram shows all devices being tracked by the 23 WAPs participating in the WLBS demo. There were 352 guests at the time the screenshot was taken, so most of the circles are light blue. However, if you look closely, you can see a few other colors, such as the dark blue Executive and the tan Network SME. Solid dots indicate that the device is connected to the Avaya WLAN. Hollow dots indicate that the device is probing the network but is not connected to the WLAN.

[Figure: Wireless Location Based Services 1 (unfiltered display)]

As you can see, an unfiltered display, while providing crowd level information, isn’t very helpful in finding specific people or skills. The filter selections on the right of the screen provide filtering functions. Displayed devices can be limited to one or more skills or by name.

The next screenshot shows filtering enabled for executives. The dot for Jean Turgeon (JT) was selected. At this point, the operator could select to send an SMS message to JT or call his mobile device.

[Figure: Wireless Location Based Services 2 (filtered for executives)]

The WLBS solution consists of three Avaya components:

The WLAN at #AvayaENGAGE Dubai is implemented with Avaya 9144 WAPs. Each 802.11 wireless client device probes the network every few seconds to determine which WAPs are available to provide service. Every WAP within broadcast range of the device detects and responds to the probe message. The probe and response messages enable better network service, particularly when the device is moving and needs to change WAPs to get better service. Probe messages are exchanged at the MAC level; therefore, each WAP in the broadcast area receives a message from every MAC address in range every few seconds.

When location services are enabled in the 9100 WAP (a simple, non-disruptive change via the web interface or a profile update in the Avaya WLAN Orchestration System), each WAP sends the MAC address and distance information to a network address. In this demo, the information is sent to an Avaya Snap-in that collects the data from all of the WAPs, sorts the data by MAC address and runs it through a triangulation algorithm to calculate the location of the client device from the known locations of the WAPs.

A second Avaya Snap-in handles device identity management. This Snap-in could work with something like Avaya Identity Engines to provide user information for the MAC addresses detected by the WAPs. Since the #AvayaENGAGE Dubai demo is a temporary environment, the Snap-in simply provides the ability to load a CSV (comma-separated value) file with the Avaya employee information. This makes it possible to map Avaya employee identities to the MAC addresses of their mobile devices.

The user interface Snap-in provides the display shown above. It takes the output from the triangulation Snap-in and displays it on a map in a Web browser window. It also uses information in the identity Snap-in to sort devices owned by Avaya employees vs. Engage guests, hotel employees and other hotel guests. The skill classification captured in the CSV file enables finer level filtering and skill based color indication on the screen.

When the icon for an employee on the map is selected, the pop-up frame shown above appears. Communication to the Avaya employees is performed via the Zang cloud-based communication platform. When the user selects the SMS button shown above, a screen appears to enter the message, which is sent to the Zang service which then sends to the employee’s device. If the Call button is selected, the Zang service initiates a phone call between the number shown in the Call-me-at field above and the Avaya employee’s phone number listed in the CSV import.
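The pipeline described above (WAP distance reports, grouping by MAC, position calculation from known WAP locations, a CSV identity map, and role-based filtering) as an added worked example. This is illustration code written for this page, not Avaya's Snap-in code; the WAP coordinates, distance reports, report format and the employee CSV are all constructed sample data. The page calls the position step "triangulation"; since the WAPs supply distances, the computation below is a linearised least-squares trilateration, which needs at least three non-collinear WAPs per device, and devices seen by fewer are left unlocated rather than guessed.

```python
import csv
import io
from collections import defaultdict

# Constructed: floor-plan coordinates (metres) of the participating WAPs, assumed known.
WAP_POSITIONS = {
    "wap-01": (0.0, 0.0),
    "wap-02": (30.0, 0.0),
    "wap-03": (0.0, 20.0),
    "wap-04": (30.0, 20.0),
}

# Constructed: (wap, client MAC, estimated distance in metres), the kind of record a WAP
# forwards once location services are enabled. The real message format is assumed.
WAP_REPORTS = [
    ("wap-01", "AA:BB:CC:00:00:01", 12.81),
    ("wap-02", "AA:BB:CC:00:00:01", 21.54),
    ("wap-03", "AA:BB:CC:00:00:01", 15.62),
    ("wap-04", "AA:BB:CC:00:00:01", 23.32),
    ("wap-01", "AA:BB:CC:00:00:02", 29.15),
    ("wap-02", "AA:BB:CC:00:00:02", 15.81),
    ("wap-03", "AA:BB:CC:00:00:02", 25.50),
    ("wap-01", "AA:BB:CC:00:00:03", 18.03),  # guest device, not in the CSV
    ("wap-02", "AA:BB:CC:00:00:03", 18.03),
    ("wap-03", "AA:BB:CC:00:00:03", 18.03),
    ("wap-02", "AA:BB:CC:00:00:04", 9.00),   # seen by only two WAPs: cannot be located
    ("wap-04", "AA:BB:CC:00:00:04", 11.00),
]

# Constructed identity file in the shape the page describes (MAC, name, phone, role).
EMPLOYEE_CSV = """mac,name,phone,role
aa:bb:cc:00:00:01,Alice Example,+10000000001,Network SME
aa:bb:cc:00:00:02,Bob Example,+10000000002,Executive
"""


def group_by_mac(reports):
    """Sort WAP reports by client MAC, normalising case so CSV lookups match."""
    by_mac = defaultdict(list)
    for wap, mac, dist in reports:
        by_mac[mac.lower()].append((wap, dist))
    return by_mac


def locate(observations):
    """Least-squares trilateration from (wap, distance) pairs.

    Subtracting the first WAP's circle equation from each of the others yields
    linear equations in (x, y), solved here through the 2x2 normal equations.
    Returns None with fewer than three distinct WAPs or with collinear anchors.
    """
    anchors = {}
    for wap, dist in observations:
        if wap in WAP_POSITIONS:
            anchors[wap] = dist  # keep the most recent report per WAP
    if len(anchors) < 3:
        return None
    waps = list(anchors)
    x1, y1 = WAP_POSITIONS[waps[0]]
    d1 = anchors[waps[0]]
    saa = sab = sbb = sac = sbc = 0.0
    for wap in waps[1:]:
        xi, yi = WAP_POSITIONS[wap]
        di = anchors[wap]
        a, b = 2 * (xi - x1), 2 * (yi - y1)
        c = d1 ** 2 - di ** 2 + xi ** 2 - x1 ** 2 + yi ** 2 - y1 ** 2
        saa += a * a
        sab += a * b
        sbb += b * b
        sac += a * c
        sbc += b * c
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:  # collinear WAPs: position not determined
        return None
    x = (sac * sbb - sab * sbc) / det
    y = (saa * sbc - sab * sac) / det
    return (round(x, 2), round(y, 2))


def load_identities(csv_text):
    """Map lower-case MAC -> CSV row (name, phone, role)."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(csv_text))}


def build_display(reports, identities, role_filter=None):
    """One row per located device, employees labelled from the CSV, others as Guest."""
    rows = []
    for mac, obs in group_by_mac(reports).items():
        pos = locate(obs)
        if pos is None:
            continue
        ident = identities.get(mac)
        role = ident["role"] if ident else "Guest"
        if role_filter and role != role_filter:
            continue
        rows.append({"mac": mac, "x": pos[0], "y": pos[1],
                     "name": ident["name"] if ident else None, "role": role})
    return rows


if __name__ == "__main__":
    for row in build_display(WAP_REPORTS, load_identities(EMPLOYEE_CSV)):
        print(row)
```

Running the block lists the three locatable devices with their roles; passing `role_filter="Executive"` reproduces the filtered view the screenshot describes. The case normalisation in `group_by_mac` matters in practice because WAP reports and identity exports rarely agree on MAC formatting, and a silent mismatch would show an employee as a guest.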

I’d like to say this is rocket science, but the Avaya infrastructure components and Avaya Breeze make it a straightforward architecture. Avaya believes a key to scalability is putting power in the edge devices to minimize backhaul data, but also to simplify management. The intelligence of the AOS software running in the 9100s makes it simple to collect device location information. The Breeze Platform provides a full Java-based programming environment with object classes for Avaya communication product functionality. Finally, Zang was designed so that business people can programmatically integrate communication functionality into business processes without a major investment in infrastructure or expertise.

Keep watching this space. We’re already planning for the WLBS Demo at Avaya Engage 2017, in Las Vegas, February 12-15.

Aiming Towards an Unfettered and Secure IoT

Last week, we heard bold claims by a networking vendor that they could make the Internet of Things (IoT) safe because they “own” the network. One of the ways they plan to do this is to certify products to take advantage of network security capabilities.

As a player in the networking space that is addressing IoT security, Avaya agrees “that there aren’t enough people on Earth to run the network the way it’s being run today, when you look at the scale of IoT.”

But, we strongly disagree on a number of other claims and respectfully offer these counterpoints:

  • One Pipe, One Gatekeeper:

    Their point of view shouldn’t be surprising—they are a vendor that has long relied on proprietary approaches designed to keep out the competition. The plan to certify devices to run on their network is yet another cog in the wheel whereby they soundly eliminate competitors and increase their revenue instead of allowing the market to decide who has the better approach to securing IoT. This brings us to our next point.

  • Innovation: Supporting or Suffocating?

    Does a single vendor governing who and what has access to the network encourage innovation or does it stifle it? While the concept of whitelisting is generally good, it requires a significant level of execution to be effective without hindering innovation. The sheer scale of the IoT means that it’s likely billions of devices will ultimately be connected. Each type needs to be certified, demonstrating compliance to a standard that gives them permission to onboard. Not impossible, but this is not the domain of a single vendor. In addition, as the market continues to trend towards more flexible networks and elasticity enabling greater innovation, the one-vendor-owns-the-network approach is rigid and exclusionary. The ecosystem for devices becomes extremely limited.

  • Say Bye-Bye to Your Legacy Equipment:

    While newer devices may be able to incorporate new standards and technology, there are still many, many legacy devices in operation that don’t have that level of intelligence. Many of these devices are regulated and would require significant backporting to support the operating systems they run. Requiring a forklift to remove non-compliant legacy devices is a huge moneymaker for some vendor—something we’ve seen them do in the past. But, for the company that needs to change their entire legacy operation, it may mean closing the doors due to a prohibitively expensive demand to update. Alternatively, they will be forced to manually manage the whitelists for legacy devices—an extremely cumbersome process.

An Alternative Approach

Avaya has already taken ground-breaking steps in securing IoT—steps that are much less costly and cumbersome, and support the innovation that IoT stands for by its very nature. Let me elaborate:

  • Automatic Onboarding, Configuration and Management:

    While the competition suggests that its approach will include not only “IoT onboarding and management capabilities, it will go beyond security to include automation of other tasks like network configuration that administrators would otherwise have to do.” Hello there. Let me introduce myself. This is fundamental to Avaya SDN Fx™. More than 800 Avaya customers are already enjoying the unique simplicity delivered through automation to the edge found in Avaya Networking. However, it’s still networking. Fundamentally, IoT needs to be separate from the network. While interaction between the solutions may offer benefits, any IoT solution needs to be capable of providing unique value regardless of the network underneath.

  • Keep What You Have, Use What You Want:

    IoT is gazillions of unique endpoints like medical imaging equipment, video devices, specialty printers, and more. Thus, you must protect 100% of your devices for a secure network. To manage this, and to secure legacy devices and a broad ecosystem of devices, Avaya built the Open Network Adapter—a small adapter about the size of a deck of cards enabled with an Open vSwitch. The Open Network Adapter allows these special devices to automatically connect to the network with a granular security profile based on their individual communication characteristics. Once fitted with the adapter, a session can be automatically set up, torn down and re-established—even if moved to a new location. This ensures that devices always have the proper security and can be tracked for both logistics and analytics purposes.

  • Securing the Future and Making Whitelisting Practical:

    Avaya’s SDN Fx IoT solution takes a different approach by providing proxy capabilities for devices to protect existing investments. This lets budgets be focused on innovations that are important to the business strategy. The SDN Fx IoT solution is based on the concept of intelligent profiling to dynamically understand the expected conversation patterns of whitelisted devices. This is important, as devices can be spoofed or hacked. Many IoT devices are in public domains where people may have physical access. They are often implemented by non-IT personnel and may not be secured to the level an enterprise expects. Gaining permission for whitelisting the device is a low threshold most will be willing to accept. From there, IT is free to characterize the traffic patterns of the devices and dynamically narrow the security profiles to a very refined set of flows within the whitelist.

  • Hyper-Segmentation for Hyper-Secure Networks:

    For those looking to evolve their defenses beyond an overlay solution and fully integrate their end-to-end security, Avaya’s SDN Fx provides a perfect complement to the IoT solution with automated connection into hyper-segments directly from the Open Network Adapter. Recently, we announced the hyper-segmentation capabilities of Avaya Networking. This end-to-end segmentation creates isolated traffic lanes within the network that limit where a hacker can go. They can’t get to the core and wreak havoc with sensitive data and operations. With hyper-segmentation, you get on the on-ramp to a dedicated toll road, where you are the only car on the road. Your isolated road leads directly to your destination, with no off-ramps. No one can see you, and you can’t see anyone else. But more importantly you can’t get off at any other destination than your own.
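The "Keep What You Have" and "Making Whitelisting Practical" points above describe a two-stage model: a device is first admitted to a whitelist, then its observed conversation pattern is learned and the permitted flows are narrowed to that profile. The following is an added example of that logic written for this page, not Avaya's SDN Fx or Open Network Adapter code; the device names, whitelist, flow records and the minimum-observation threshold are all constructed assumptions. It learns a per-device flow profile from a baseline window, ignoring flows seen too rarely to be trusted, and then classifies live flows as allowed, alerted (whitelisted device outside its profile) or denied (device never whitelisted).

```python
from collections import Counter, defaultdict

# Constructed: devices that have been granted onboarding permission.
WHITELIST = {"cam-01", "mri-01"}

# Constructed baseline flows as a collector might export them: (device, proto, dst, dport).
LEARNING_FLOWS = [
    ("cam-01", "tcp", "10.0.5.10", 554),   # video stream to the recorder
    ("cam-01", "tcp", "10.0.5.10", 554),
    ("cam-01", "tcp", "10.0.5.10", 554),
    ("cam-01", "udp", "10.0.0.1", 123),    # time sync
    ("cam-01", "udp", "10.0.0.1", 123),
    ("cam-01", "tcp", "10.0.7.7", 80),     # seen once only: treated as noise, not learned
    ("mri-01", "tcp", "10.0.6.20", 104),   # DICOM to the image archive
    ("mri-01", "tcp", "10.0.6.20", 104),
]

# Constructed live flows to evaluate against the learned profiles.
LIVE_FLOWS = [
    ("cam-01", "tcp", "10.0.5.10", 554),
    ("cam-01", "tcp", "10.0.9.20", 445),   # camera talking to a file server: outside profile
    ("mri-01", "tcp", "10.0.6.20", 104),
    ("printer-02", "tcp", "10.0.0.1", 53), # device never whitelisted
    ("cam-01", "tcp", "10.0.7.7", 80),     # below the learning threshold, so alerted
]


def learn_profiles(flows, whitelist, min_count=2):
    """Build {device: {(proto, dst, dport), ...}} from baseline flows of whitelisted devices.

    A flow enters the profile only after min_count observations, so a one-off
    seen during the learning window does not become a permanently allowed path.
    """
    counts = Counter(f for f in flows if f[0] in whitelist)
    profiles = defaultdict(set)
    for (dev, proto, dst, port), n in counts.items():
        if n >= min_count:
            profiles[dev].add((proto, dst, port))
    return dict(profiles)


def classify(flow, whitelist, profiles):
    """deny: device not admitted; allow: within its profile; alert: admitted but off-profile."""
    dev, proto, dst, port = flow
    if dev not in whitelist:
        return "deny"
    if (proto, dst, port) in profiles.get(dev, set()):
        return "allow"
    return "alert"


def evaluate(flows, whitelist, profiles):
    """Pair every live flow with its verdict."""
    return [(flow, classify(flow, whitelist, profiles)) for flow in flows]


def summarize(results):
    """Verdict counts, the figure an operator would watch while narrowing profiles."""
    return Counter(verdict for _, verdict in results)


if __name__ == "__main__":
    learned = learn_profiles(LEARNING_FLOWS, WHITELIST)
    for flow, verdict in evaluate(LIVE_FLOWS, WHITELIST, learned):
        print(verdict, flow)
    print(dict(summarize(evaluate(LIVE_FLOWS, WHITELIST, learned))))
```

The threshold in `learn_profiles` is the practical safeguard the page hints at when it says devices can be spoofed or physically accessed: if a device was already misbehaving during the learning window, a single stray flow should not be baked into its allowed set. In a real deployment the profile would be re-learned and reviewed periodically, and "alert" would feed the same monitoring path as other anomalous-flow detections.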

Avaya has already done much of the work needed for securing IoT that the other networking vendor is proposing, although we’ve left out those aspects that are not in the best interests of customers and innovation. While they are trying to make this about the network, the network has yet to stop many of the recently publicized breaches.

Any IoT device has the potential to be compromised whether remotely or physically, so end-to-end security is absolutely necessary, but absolutely should not be an old school, proprietary approach. Instead, it starts with micro-segmenting between applications and extends that level of separation and obfuscation out to the device and cloud edges. Anything less is like a football player taking the field with full pads but no helmet. Most hits will be absorbed, but the ones that aren’t can be the most damaging.

What does a Smart City look like? We’re defining it with a new partner

The city of the future is a Smart City, emboldened by technology that folds in government, industry, and consumers. For this to happen, it needs a strong foundation—an infrastructure that can withstand heavy traffic, particularly during times of crisis.

At Avaya, we’re partnering with 22 Capital Partners to prototype the Smart City platform in the Gramercy District in the Washington, D.C. area. 22 Capital Partners approached us as they were looking for a partner with distinctive technical knowledge. Specifically, they wanted automation capabilities for the infrastructure to make it easier to deploy and manage. We’ve already been working on Smart City projects with our customers, such as the City of Taylor, Michigan, which has laid the groundwork for a Smart City Platform.

Now, with 22 Capital Partners, we’re taking it a step further.

The right foundation means a stronger city

Our building blocks for the Smart City are similar: we want to pull together public safety, smart healthcare, smart education, smart retail, and smart banking and make it accessible to citizens. The key to our partnership is that we are so closely aligned to build this next-generation infrastructure foundation to evolve and deliver best-in-class services. It’s a lot like the literal foundation for the city of Dubai: Dubai is built on sand. Without the proper foundation, it would not still be standing. But with the proper foundation, they’ve built a world-class city with skyscrapers—and the world’s tallest skyscraper to boot.

It’s the same with the Smart City of the Gramercy District, taking a creative approach to building a foundation with infrastructure. This will allow for a more secure infrastructure, mitigating cybersecurity threats and gaining agility while lowering capital and operating expenses. Communications and networking infrastructure need to be automated to simplify deployment, particularly as the Smart City expands to include all the consumer devices that will connect wearables and IoT applications, including smart appliances.

To build the Smart City foundation that 22 Capital Partners and Avaya have envisioned, we’ve rolled in Avaya’s Software-Defined Network (SDN-Fx) technology, Contact Center, Unified Communications, Customer Engagement and Avaya Breeze™ software solutions. 22 Capital Partners’ Smart City Platform, 22 CityLink, uses our foundation to keep pace with the demand for mobile, social, and cloud-based services within the Smart City, from citizens, the government, and industry alike.

The future of the Smart City means convenience—and safety

As we continue to move forward with the Smart City platform, the goal is to provide a consistently good experience for users with a holistic approach to turnkey virtual networks and applications. At Avaya, we have the ability to deliver across various verticals and provide the opportunity to implement smart buildings, allowing consumers to experience it live, not just as a demo or prototype. That’s what the Gramercy District is doing: going live to allow all who are working, living, shopping, and playing within the Smart City to experience its power firsthand.

And it’s not just for play. The Smart City of the future can have life-saving implications. For example, in a crisis situation such as an auto accident, it can integrate a 911 call with other components, like electronic road signs to warn of hazards and SMS alerts to citizens. It can gain control over city cameras to feed data to the emergency response team—or even allow the caller to cede control over their phone camera to provide a video feed. The outcome of this is a safer city: when you dial the emergency number, the smart device provides the exact location to first responders. Meanwhile, the dispatch center can push video on how to perform CPR, for example. It brings systems together for the safety of citizens and uses the power of analytics to suggest alternate routes to travelers who have installed the application, using an API from a mapping application.

Ultimately, it will provide a completely different digital experience than what consumers are getting today. Whether it’s for play, work, living, or an emergency situation, the Smart City of the future will attend to citizens’ needs while ensuring their information is secure and providing uptime that means they can use the applications regardless of what is happening around them.

For that, we’re excited to see what 22 Capital Partners will build on the foundation of Avaya networks.