SC Magazine interview: Mushegh Hakinian, security architect at IntraLinks
CISSP security architect Mushegh Hakhinian leads the application security practice at secure information exchange service IntraLinks. Financial security has been his driving idea for the past 16 years, he tells Paul Fisher.
How did you get into this business?
I grew up in Armenia, studying an engineering degree while working. Through that, I got my first opportunity at a bank. It was forming its security practice and I was the first guy to join. After a while there, I moved to the US and into one of the first online banking projects, in the late 1990s.
One day, the bank auditors came wanting to see the code – my first brush with security/web security. That was with ACI Worldwide. I stayed there ten years, ending as principal security architect.
About two years ago, I joined IntraLinks. It is a unique place because, unlike other companies where security is an add-on, for us it's what we sell pretty much, because of the nature of the business we're in.
So right from the start it was the financial sector... What was the financial security scene like then?
Some banks were investing significant amounts of money at that time. The financial industry has always been one of the drivers of software security, because of regulation and compliance.
Were banks being attacked then?
As soon as you connect anything to a network, you're pretty much a target. With banks at the time, their main problem was fraud and it was mostly cheque fraud. But when the web came along, some of the leading banks became big targets.
How good do you think the banks are at protecting themselves today, given the level of attacks?
It comes down to resources. So, those attacked most have set up the best defences on the financial side.
One bank I know still employs the same people I knew ten years ago. All they do is review third-party code and they are paid to be very, very good at that. I would trust them more than other people who just say they are risk-compliant. It's like table stakes, always the lowest threshold. Certain people invest more money in that than others.
There was some interesting research recently, looking at the correlation between the password strength and the value of the information. It found there is absolutely no correlation. For example, government sites had the best passwords, because they don't really lose money if a [legitimate] user tries to log in.
You're saying sites that are least vulnerable have better protection than those that need it more?
It may be true, but I'm not really saying that. What I'm saying is, if you're a bank, you don't make money unless your customers can log in, so you cannot put up too many obstacles for the legitimate users. Government doesn't really care if people cannot log in – it's not a financial hit. If you're somebody like Google, then it's traffic-generating revenue, so you want everybody to log in.
Do you work directly with your clients? Do you work with their technical teams?
Yes, definitely. When our customers want to do a security assessment of our systems, we say, ‘come on in, try it'. We give them a special environment and they can hire third parties, they can bring their own consultants, perform ethical hacking – all that. Usually when they produce a report of their assessment, that's when I come in and I discuss with them all of the questions that come up.
There is also due diligence, when some of our customers have to be compliant with certain regulatory conditions and they send us all these questionnaires.
Sometimes, the stricter of our customers request an interview with me and they just ask all these kinds of questions. Some questions are specific to the process and specific to what feature they are after and how we protect the data.
How will the shift to cloud computing affect data security? What are the challenges? Can the cloud be avoided?
It makes no sense to fight it. Security managers need to learn to live with it, because it brings so much benefit in their economies, it scales, it can be rapidly deployed, it's on-demand.
When people start talking about how it is difficult to start doing cloud, I ask, ‘do you have spam filters?' If they say yes, I tell them that it is likely to be outsourced. All of those good spam filters are outsourced, so you already have the cloud as part of your enterprise.
But when it comes down to the business applications, such as ours, it becomes even more of a question of trust, because the first and main thing that prevents the full expansion of cloud is the security concerns. These are mostly around enterprise policies, which people have spent years crafting. With cloud, you need to be able to extend the customer's security policies over to the cloud. When the data leaves their enterprise, customers feel that they are losing control, so you need to give them more control of how you configure the access and all that stuff.
Do your clients trust the cloud?
It's more that they trust us. They trust us with very, very sensitive information. They trust us with their mergers and acquisition deals. It is not only the information we store that is of a great value, just the knowledge that somebody is considering selling a company is of a great value. If somebody knows, 30 minutes before everybody else, that say, Yahoo is up for sale, they can make tons of money out of that. And that's real money, it's not stealing money. It's not like attacking a bank site and stealing $100,000. It can be a very, very damaging thing if that information leaks out. If somebody stole my password, I'd change it, that's it, I remedy the situation. If somebody stole Coca Cola's recipe, there is no remedy.
And are there active attacks that happen with people who are looking for this information?
In my opinion, there are very few targeted attacks in the world.
Okay, that's interesting.
Because it's very expensive to do – and, second, it's easier to get caught if you target a specific thing. Take Stuxnet. It was specifically designed to go and attack a certain kind of software produced by Siemens. That kind of thing happens very rarely, because it's time-consuming, resource-consuming.
The guys who wrote that had to know how this kind of software of Siemens works; they had to know about four or five different Windows vulnerabilities. They needed to know how to put it on a flash memory drive and make it auto run. And what do they get in return? Pretty much nothing.
That's kind of different to what some vendors would have us believe: that targeted attacks are happening all of the time.
I doubt it. But if somebody is targeting you, the first thing they will try is to get some insider information. That's why the last line of defence is your people. Attackers will try to call you, they will try to get some information out of you.
So it is actually old-fashioned deception that can get through?
Exactly. I believe if you want to protect electronic assets you need to model the physical world, because this is a science. It's not something that came with the technology; it's just that technology made it accessible to more people.
How relaxed about consolidation of the vendor community are you?
It's a good thing. What is happening is bringing together specialist security technologies and integrating them into mainstream applications. That's good, because software is supposed to protect itself. But data is everywhere. It is the most important part of any system, but we're still too focused on protecting access information, volume credentials and account numbers. The actual data that sits there is more valuable – and that's where we should be going.
What did you make of Intel acquiring McAfee?
It is just following the trend. It's a good thing, but it's not going to lead to something new. They've had this architecture for a long time. Actually, I think some time after the mid-90s, every computer had this secure chip in there, so maybe they'll have more usage out of it. Users are not really aware that they have this secure chip on every processor that keeps login information there.
You seem to be suggesting that preventing access is not the problem, that it doesn't matter if people are in your system, as long as they can't get at what's really important – the data.
I'm not saying it's not important to prevent access. What I'm saying is that once access is breached, it's very easy to detect it. It's very easy to recover from it.
But you want to pay attention to the data; it's about protecting information in use. Let's say somebody downloads a protected document from IntraLinks on their laptop and the laptop gets stolen. The thief opens up that laptop and sees a financial report PDF – but cannot open it without IntraLinks credentials.
So though they've stolen the laptop, they cannot read the information on it because it's encrypted and the key is stored somewhere in a data centre.
What other trends do you see occurring in the next, say, five years, not just in your sector but in all of IT security?
I think people will start outsourcing their IT security more and more and trust outside people to implement it correctly more and more, because it's very difficult to keep it in-house.
It takes very special knowledge. Sometimes, it doesn't make sense to train and keep that kind of expertise in-house, so it will be outsourced more and more. Security managers will increasingly trust the service providers to secure their data and their information systems.
People now are expecting access to the information they need anytime, anywhere. Maybe it's generational, too. Kids now, they need to have access to everything they have in one spot. When it comes to work, they are more likely to say, ‘I don't need to come to the office to read this file. It has to be available to me any time.'
The global workforce is the other driver. Across time zones, you don't know when this information will be needed. And, if you're an IT person, just to keep track of all of these access rules is a nightmare. It's very expensive and you're bound to make mistakes. If you can find a service provider that does it for you, people will go there. And that is exactly what is happening.
Do you see more and more CISO-type appointments, particularly in the UK?
Yes. But the burden of running security operations will be lifted from them and they will spend more time in due diligence and making sure that the services they use meet their security policies. And I hope they will force the vendors to provide the flexibility and transparency to extend their security policies to those applications they don't control directly.
Can they make the corporation more efficient as well, so they'll impact on the wider business?
Yes, definitely. When people try to move from in-house implementation to SaaS, what often happens is that they move 90 per cent, but keep ten per cent, because of some unique security consideration or regulatory compliance. If you can solve that ten per cent thing, then everything will move over, because it makes sense.
Very often, we have different customers who put different security requirements on us and they have to cater to all of them. So if you are a small bank and you have our service, you're using a service that has passed the scrutiny of Bank of America. That's quite a benefit.