The president of RSA is known for his controversial views on the industry. He may ruffle feathers, but is worth listening to, says Paul Fisher.
What's bugging you right now – what are your concerns?
The number of botnets propelling malware around the internet universe is just amazing. A lot of small and medium-sized businesses can't keep up with the threats.
Vendors such as ourselves come out with more and more controls – but SMBs don't know which control to respond to. They're not getting a correlated view of risk, so they look to offload to MSSPs.
Even the larger companies, as they virtualise more of their applications and move to internal and external cloud environments, are insisting that security has to be built in and embedded as never before.
All industries are now worried about theft of intellectual property. The first quarter of 2010 saw 2,500 US companies announcing that they had had some type of breach or theft of IP.
So there's heavy-duty concern out there. And the biggest part is that the anti-virus vendors can't stop the attacks from getting inside. So the focus must be from inside out – what you do to remediate faster when the viruses and malware do get inside.
You said in your keynote at RSA Conference 2008 that the focus on malware was misplaced.
Right. And yet that message doesn't seem to have got through. We still have an industry that's telling you: ‘Your enemy is malware and you need to do this, you need to update your signatures, blah, blah.' Why can't we get the message through – that malware is here to stay? You might as well just deal with it, there are better things you can do.
You're not going to see anyone give up their anti-virus software. Whether it's protecting 70 per cent, 60 per cent, 50 per cent – actually it's more like 30 per cent – people are going to keep doing it.
They're going to keep running their vulnerability scans, even though by the time they run them, fresh vulnerabilities have popped up.
The problem is that the alternatives are pretty complex. A customer in Belgium told me that data loss prevention (DLP) was just too hard to implement.
I said that if he tried to implement across the desktop, the network and across the data centre all at once, it would be like trying to swallow an elephant in one bite. The way you eat an elephant is one bite at a time. So focus on your network or focus on your desktop, wherever you think is most vulnerable; and then target your DLP application to a set of your most critical information. Get experience with it and then expand it outwards. The alternative, which is to do nothing and keep chasing after malware, is also problematic.
The other thing is that some forms of security have not yet got to a place where they are easy enough to use. Perfect example: our risk-based authentication. We use it to protect online banking customers, but only in the past year have we started to apply that risk engine to enterprises. And now we're starting to see companies that use it for portal applications, to identify not only employees but customers and contractors who might be getting access.
In what way will DLP become more intelligent?
Machine-learning. Next-generation DLP is going to protect information based on the way information behaves. And machines will learn to spot when information is going to a place it ought not to go, not just by policy and knowledge that's embedded in the DLP engine, but based on the machines' learning how that traffic is supposed to flow and to whom it's supposed to go.
These types of behaviour-based technology are going to be a critical factor in securing malware-riddled environments in the future.
Is real-time analysis here yet – or is it just marketing hype?
It is a good thing to be able to respond to zero-day attacks and I do think we'll get better and better, but that's a quantum change from what is happening today. What you're talking about is a whole next generation of protection. If it's signature-based, it's just not going to work. Again, you need more behaviour-based technologies and machine-learning technologies. That's where the next generation of anti-malware is going to come from.
The Chinese are known to be responsible for cyber attacks against infrastructure in the US and the UK, but not much is actually said about it. Why is that?
I think there are serious issues with a government's ability to defend itself from cyber attack. There are monumentally troubling security issues around the critical infrastructure of the US. I'm not talking about attacks, I'm talking about the lack of good security controls and protection.
In a lot of the cases, it is not even a question of the security controls; it's the obsolescence of the IT infrastructure. The vulnerabilities in old versions of Windows are just incredible. Peter Orszag, director of the US Office of Management and Budget, said that up until 1987 productivity of employees in the federal government was matching that in the commercial sector. Since then, productivity advances in the commercial sector have risen dramatically faster than those in government and part of the reason is that the US government hasn't spent enough on its IT infrastructure.
The government ought not to try to fix its infrastructure; it needs to go to a cloud environment. And either multiple agencies have to get together and have one internal government cloud or they need to outsource it to someone that can provide that kind of cloud infrastructure for them, because they just haven't been able to keep up.
Why can't we get accurate figures about the level of cyber crime? After all, the value of the illicit drug trade is well documented.
It's a hard thing to put your finger on, because most companies don't want to admit that they've had some type of financial loss. The risk to their reputation is not good; whereas most companies are not affiliated with the drug trade.
I don't know how they develop those statistics [for cyber crime]. I'm always suspicious. There's one that said only one in 500 cyber criminals gets caught. How do they know about the other 499?
Anyway, it doesn't take a mass of statistics to understand there's a problem out there. I know for a fact that in financial services we at RSA can go in with our anti-fraud suite, our identity protection and verification capability, our anti-Trojan and anti-phishing, and we can demonstrably show a reduction in fraud once we implement these technologies. And it goes down pretty dramatically.
It is difficult to get clarity on the advantages or even the risks of cloud. What's your take on it?
Why don't I start with the disadvantages? Let's be careful how we define cloud, because too many people talk about taking an existing infrastructure, outsourcing it and calling that ‘cloud'. That's just outsourcing.
True cloud environments are virtualised environments. I look at cloud infrastructures and cloud computing as the most logical extension of virtualisation technology, taken to its extreme, to give you the ultimate in efficiency, flexibility and cost.
In those instances, because you have this flexibility in the cloud provider – or even if it's an internal cloud – the thing you lose because of that flexibility is knowing which cup the pea is under.
You don't know what physical infrastructure your information and application might be residing on, because they can move around so quickly. So the terrifying thing about cloud is the lack of visibility.
In multi-tenancy environments it can get even scarier. This is your information getting somehow co-mingled. Can somebody get access to it who ought not to get access to it? So there are lots of things about cloud infrastructures to terrify people.
Having said that, if you think about the perimeter-based technologies today, where security is bolted on and everybody gets a chance to get through the perimeter, what if, in virtual environments, we built in and embedded the controls and the policy related to the application every time a virtual machine is created? Instead of you having to chase after a bunch of virtual machines that have been created, you actually have the confidence, every time a machine is created or an application is created in a virtual environment, that all the security policy and all the security controls related to that application go along with it?
The only way that can happen is if the security controls and the security management are embedded in the virtual layer. And that's exactly what we are doing.
So if I decide to create an external cloud for the maximum efficiency, I need to be able to federate my policy and my identity controls to that environment.
I need to have visibility into that cloud provider's infrastructure so that I can see that my policies are actually being carried out.
We showed a proof of concept, with Intel's new chipset, at the RSA US conference this March, that allows you to create a hardware root of trust right from the boot level with the virtual layer on top of that trusted hardware root.
As a result of us embedding our technology in there, you actually get visibility into the virtual machines that are being created, as well as assurance that your policy is being followed.
You are famous for predicting that pure play or standalone security vendors will disappear. Does this suggest then that this cloud will be controlled by yourselves and HP and IBM – perhaps even Microsoft? Some may fear this.
Small companies that create innovations will always have opportunities. But look at what's going on in the automotive industry today. We have twice the capacity for manufacturing cars as we have for demand. It is inevitable that there will be consolidation. It's the natural order of things.
As long as there are at least a couple of big players, there will continue to be competition. Some would say that they worry more about a Google or an Amazon becoming dominant in the cloud infrastructure space, as those companies have got a mentality where they do everything themselves.
One of the biggest problems today is that 60 per cent to 70 per cent of IT budgets are for maintenance of existing infrastructures. Companies simply can't innovate anymore.
We're not getting productivity improvements by applying information technology into all facets of our organisations, because we are saddled with having to manage these archaic infrastructures that have become increasingly complicated – to the point where, yet again, your organisation spends so much on maintenance you can't free yourselves to think about fulfilling your organisational mission.
I don't think it's a stretch to suggest that this would be the equivalent of every small or big organisation having their own electricity-producing power plants. How inefficient would that be?
Well, that's what we've created with information technology infrastructures. We need to emancipate businesses from having to worry about all of this infrastructure stuff and allow them to focus on applying information technology.
It is worth taking a good look at the electric power industry. We waste upwards of 50 per cent of all the electricity produced. Think about that for a second. The amount we can do with wind and solar and biofuels pales in comparison to what we might be able to do if we improved energy efficiency. And yet, in the internet age, we still have people going around reading meters!
Do you still get excited by information technology?
When I started seeing this cloud stuff come along, I thought that it's probably the end of the IT industry – but now I think, oh my God, we haven't even begun to scratch the surface of what we can do.
The financial services industry has adopted information technology to use in every aspect of its business. There is an irony that the speed and the volumes with which we can do financial transactions and the instruments we were able to create in financial services were enabled by that technology – which in turn caused the crushing burden of this most recent recession.
But you can't blame technology. The problem was that the management of risk, which could also be done using technology, just did not keep pace with the instruments that were created.
The financial services industry has led the way with using information technology. Now it's time for every other sector – healthcare, government, the utilities and manufacturing, all industries – to use IT to make us all more productive. And that is what keeps me excited.
Arthur W Coviello is executive vice president, EMC and president of RSA, its security division. He is responsible for both RSA's strategy and its day-to-day operations