Author: J. Andrew Brinkhorst
March 2007
by J. Andrew Brinkhorst, Director, Security Solutions Group, Systems Design Group, Inc.
Last Tuesday at the RSA Security Conference in San Francisco, the leaders of three significant technology companies – Microsoft, Symantec, and RSA (recently purchased by EMC) – were the keynote speakers and presented their take on the current state of information security and their vision for what information security must become. Not surprisingly, there were some common themes. Also not surprisingly, there were some differences in the approach. There were even a few thinly-veiled barbs thrown.
Leading off the morning, Microsoft Chairman Bill Gates, along with his successor for the RSA conference keynote speeches, Chief Research and Strategy Officer Craig Mundie, laid out a plan that addressed what they feel are the three key areas of focus: networks, protection, and identity. Their view of the current state is fairly standard across the industry: the world is becoming connected. And the controls we have today, which grew up in a centralized, administered enterprise environment, are just not going to scale and be manageable to do what is needed. Our existing security controls focus on “blocking”. How do we turn this around, and focus on simply allowing what is permitted, and denying everything else?
In the network area, Microsoft is betting on the use of the IPsec and IPv6 standards to enable us to define network connections beyond our current capabilities, and to describe our security needs by policy – who is allowed access, to what and where is access granted, and is the device being granted access “healthy” (that is, it is free from malicious software and meets any other sort of security requirements we determine, such as being patched with current updates).
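To make the contrast between the “blocking” model and the “allow only what is permitted” model concrete, here is an added illustration (my own code, not anything presented in the keynote or shipped by Microsoft). It evaluates an access request (who, to what, from which network zone, on which device) against a small allowlist policy that denies by default and also requires the device to meet a constructed health baseline, and it shows the same requests under a blocklist that allows anything not explicitly denied. The policy shape, the health attributes and all sample values are assumptions made up for the example.

```python
"""Default-deny, policy-driven access decisions with a device health check.

Added illustration for this column; not code from the keynote or from any
vendor. The policy shape, health attributes and sample values are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class Device:
    """Minimal 'health' statement a device would present (constructed)."""
    patch_level: int      # a monotonically increasing patch baseline number
    av_running: bool      # anti-malware agent active


@dataclass(frozen=True)
class Request:
    principal: str        # who is asking
    resource: str         # to what
    zone: str             # from where (network zone)
    device: Device        # on which device


@dataclass(frozen=True)
class Rule:
    principals: FrozenSet[str]
    resources: FrozenSet[str]
    zones: FrozenSet[str]
    min_patch_level: int
    require_av: bool = True


def _device_healthy(rule: Rule, dev: Device) -> bool:
    """Health requirement attached to a rule: patched to the baseline, AV on."""
    return dev.patch_level >= rule.min_patch_level and (dev.av_running or not rule.require_av)


def decide_allowlist(policy: Tuple[Rule, ...], req: Request) -> Tuple[str, str]:
    """Allow only what a rule explicitly permits; everything else is denied."""
    for rule in policy:
        if (req.principal in rule.principals
                and req.resource in rule.resources
                and req.zone in rule.zones):
            if _device_healthy(rule, req.device):
                return "allow", "matched rule and device is healthy"
            return "deny", "matched rule but device failed health check"
    return "deny", "no rule permits this access (default deny)"


def decide_blocklist(blocked_resources: FrozenSet[str], req: Request) -> Tuple[str, str]:
    """The 'blocking' model: deny what is known to be bad, allow the rest."""
    if req.resource in blocked_resources:
        return "deny", "resource is on the block list"
    return "allow", "not on the block list (default allow)"


# Constructed sample policy, block list, devices and requests.
POLICY = (
    Rule(principals=frozenset({"alice"}), resources=frozenset({"payroll-db"}),
         zones=frozenset({"corp-lan", "vpn"}), min_patch_level=42),
    Rule(principals=frozenset({"alice", "bob"}), resources=frozenset({"wiki"}),
         zones=frozenset({"corp-lan"}), min_patch_level=40, require_av=False),
)
BLOCKED = frozenset({"payroll-db"})
HEALTHY = Device(patch_level=42, av_running=True)
STALE = Device(patch_level=39, av_running=True)   # behind the patch baseline


def demo() -> dict:
    """Same requests under both models: (allowlist decision, blocklist decision)."""
    cases = {
        "alice_payroll_healthy": Request("alice", "payroll-db", "vpn", HEALTHY),
        "alice_payroll_stale": Request("alice", "payroll-db", "vpn", STALE),
        "bob_payroll": Request("bob", "payroll-db", "corp-lan", HEALTHY),
        "bob_new_share": Request("bob", "new-file-share", "corp-lan", HEALTHY),
    }
    return {name: (decide_allowlist(POLICY, r)[0], decide_blocklist(BLOCKED, r)[0])
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, (allow_model, block_model) in demo().items():
        print(f"{name:24s} allowlist={allow_model:5s} blocklist={block_model}")
```

The last case is the one the keynote was getting at: a resource nobody has written a rule for is reachable under the blocklist, but stays closed under the allowlist until someone deliberately permits it, and even a permitted user is turned away when the device is not “healthy”.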
For information protection, they believe rights management is the answer. One of the stickier security problems today is that it’s pretty straightforward to protect your information while it’s in your control, but what about after you’ve allowed someone to access it? How do you make sure that the file you’ve allowed access to isn’t copied, and redistributed without your knowledge? This is the problem that rights management is trying to solve.
The third issue, identity, has been a fundamental security principle for thousands of years. In fact, there are biblical quotations (do a quick search on the use of the word “shibboleth”) that talk about various ways for people to prove who they are, or to what group they belong. In today’s environment, it will become increasingly important to identify not only individuals, but devices and networks as well. And the old way of doing it, with passwords, just won’t make it (actually, this has been said for a number of years – very rightly – but passwords seem to stick around anyway). According to Gates, Microsoft is betting heavily on the migration from passwords to smartcards (using digital certificates) to manage identities.
Of course, the attendees were assured, both directly and indirectly, that these capabilities all are or will be available in Microsoft’s products.
Second up was Art Coviello, who made a bold declaration: In three years, the security industry as it is today will cease to exist. And, he said, that's a good thing. Coviello, who is president of EMC Corp.'s RSA Security division, said the vast array of standalone security tools on the market today will go the way of the dinosaur. His view is that information security will continue to be integrated into larger systems and applications, in fact, that it must be in order for it to be successful. Information security right now, he stated, is a misnomer. "We've built stronger walls around the data, but that data is fluid and won't stay behind the wall in the first place," he said. "We need to secure the king instead of the castle. Information is king, and like a king, it likes to move around."
This is, of course, somewhat of an expected approach from the head of a company that is a leader in encryption technology, and that was just purchased by data-storage giant EMC. One position that wasn’t clearly formed with the company’s product in mind, though, is something that Coviello has stated for years. “Security needs to be inextricably linked to business strategy”. No silos, no isolation. Security is there to help accelerate business capabilities. For, after all, our companies aren’t in business to be secure – we’re in business to deliver goods, or services, to our customers and to make a profit. Security has to be an enabler.
Coviello’s position is that we need dynamic security, infocentric security. This approach must be based on three things: the understanding that security can't be perfected and it's best to devote the most time toward protecting the biggest assets; the need to adapt to changing circumstances in the use of the information and development of technology; and defense in depth. By doing these things, we’ll have a holistic security solution that truly addresses the information and not the perimeter around it.
The last speaker, Symantec Corp. Chairman John Thompson, believes the battleground for security has moved beyond securing devices and critical infrastructure and instead should focus on protecting the data being shared through online transactions. "Today the network perimeter can't be locked down," Thompson said. "It's no longer defined by the physical assets in the data center or the desktops in the office. The reality is -- people are today's new perimeter." Thompson’s view of the information security officers’ role is that they need to become more focused on risk management and business risk, and the impact to the bottom line. And that a comprehensive view of the environment is required.
Thompson stated that today’s business models are built around the “connected” world, and that it wasn’t wise to assume that a more secure platform would solve the problems we face. In a remark that drew applause from the several-thousand person audience, he said, "You wouldn't want the company that is keeping your books to audit your books. That same logic should apply. You wouldn't want that company that created your company's operating platform to be the one that is securing it from a broad range of threats," he said, alluding to Microsoft's security strategy. "It's a huge conflict of interest," Thompson added. "By working together we can untangle this conflict of interest. Through cooperation and collaboration and healthy competition I have no doubt that we can create the confidence our connected world needs."
Overall, the first day of keynote speakers was heartening, even if the message is somewhat similar to what we’ve heard before. It is encouraging that it looks like these companies get it, and are working to make a difference. I encourage you to do the same in your organization by building a holistic information security program, focusing on the security of the information, not just its perimeter, and most of all by treating information security as what it should be – another part of your business risk management. For help with your IT security, visit www.sdgky.com or contact me at 859-263-7344.
