RSA's Art Coviello: Embed security in virtual infrastructure
Art Coviello, president, RSA, the security division of EMC Corp.
Three years ago during your RSA Conference keynote, you
said the security industry would disappear in three to five years. Now you're talking about
embedding security into the cloud and devices we use. Is that the realization of the original
vision you had?
I get teased about this a lot because I literally said there would be no need for a security
industry in three years. I actually looked to Wall Street analyst Sarah Friar of Goldman Sachs for
vindication. In a research report she put out last fall, she said the security industry is getting
increasingly barbelled. There are a few high-end players, nothing in the middle, and a bunch of
small players. In my speech, I said there would always be room for innovative startups. When any innovative
security market emerges, you're seeing big companies swoop in and pick up the leading players.
It's happened with data loss prevention (DLP) and some level with SIM and GRC. I do think that what
I said about security being embedded into the virtual layer is just a manifestation of what I said
three years ago. Security had to be embedded into the infrastructure. This is the biggest wave to
date. As virtualization moves through to full cloud capability, you'll see security more embedded
and pushed into the virtual infrastructure.
Is that the only way it will work in the cloud? Any alternatives we haven't thought of?
You'll end up with the same problems you have in the physical environment. Now is the time for a
security do-over. If we embed security as opposed to bolting it on to a big broad perimeter, you've
in essence, embedded technology into the virtual layer, so that every time you create a virtual
machine, you'll have the opportunity to automate all the controls into a new virtual machine based
on the policy that should be prescribed for what that virtual machine does. If you do that, you're
miles ahead of where you are in a physical infrastructure. That's why I'm so optimistic that we can
use the technologies enabling the cloud to secure it.
What's your vision for how policy and identity travel with data into the cloud?
One of the important elements as you start to externalize the cloud is that you have the ability to
dictate to the service providers your federation requirements around policy and identity. I don't
know how many times I've been asked, 'Who's responsible for security? The cloud provider or the
subscriber?' I usually answer, 'yes, both.' If you have a capability to do federation, the
subscriber is not in a position to abdicate their responsibility to define policy and identity
requirements. With federation, they can push those requirements to the cloud provider. What the
provider has to do in return is not only enforce the policy and the identity requirements, but they
have to demonstrate they've proved compliance and the capability to manage multitenancy. They need
to supply back the means with which to give them verifiable metrics they have been following what
has been dictated to them.
Where are your customers with virtualization? Are they
primarily doing just test environments and development?
We see organizations in various stages. People just get literally wrapped up in the cloud. They
can't seem to understand it; maybe cloud is a bad metaphor. Cloud is nothing more than
virtualization taken to the n-th degree, taken to its farthest point. You start with the
virtualization of test and development systems, not critical apps. That's where the vast majority
of people are. They're not virtualizing production systems and critical apps. Some are, but the
majority is at the first stage. Some develop internal clouds for certain elements of their
infrastructure. Ultimately, you have to control access to data in the cloud and know who is
accessing it, what they're doing with it and where they're taking it.
You seem to talk about GRC as a way of doing this: Why GRC as opposed to SIM?
They're not mutually exclusive. They're reinforcing. We talked about building a hardware
root of trust at the chip level with Intel. That means the customer or cloud provider can be
confident you're not going to have BIOS attacks and others that relate to the platform. You can
have confidence putting the virtual layer on top of that. The virtual layer controls and those you
embed in the virtual layer can be reported out to platforms that collect log data and analyze the
information. That's not the end; you need a dashboard to look at this that reflects your governance
model, your risk mitigation policies and your regulatory compliance. It's really SIM complementing
the GRC platform that makes this a complete platform.
Why are we seeing a lot of interest in cyberwarfare and cyberterrorism? It's not a new problem.
I really think there was a sea change last year—I certainly noticed it well before the [Google
Aurora cyber attack]—and that's the fact that the speed with which malware morphs and the
intensity and volume of distribution of malware reached pandemic proportions last year. I always
get asked the question: 'What's new with the threat environment?' There doesn't need to be a lot
new if malware, which is effective, morphs more quickly and there's a higher volume to it. We're at
a point where even small and medium-sized businesses are getting hit because it's just so prolific
across the Internet. This stuff is so automated, even small businesses are being affected. That's
what tells me it's at pandemic levels. The Google thing is just a manifestation of what's been
What's your opinion on Howard
Schmidt's appointment as cybersecurity coordinator, and in particular that he's part
technologist/politician? Is that the right type of person for that position?
I actually think it is. I would put an accent on the technologist part. He's been at Microsoft.
He's been at eBay. You wouldn't want me there because I'm not much of a politician, and you have to
have an element of politician in there. What qualifies Howard more than anything else is his deep
technical knowledge and his ability to articulate this concept of balance—not minimizing the threat
and not overhyping it—and having solid recommendations about the things that are necessary to get
implemented and fixed to the point where we feel good about it.
That said, is the job too big for one
It is. His job title is cybersecurity coordinator. People have the tendency to attach czar with
that. He doesn't have the budget or line authority. What he does have is the ear of the president,
the ear of the National Security Council and that carries a lot of weight, and he'll carry a lot of
weight. What I've been pretty pleased about is I think the Department of Homeland Security has been
beefed up substantially. I've always had the greatest respect for the capability of NSA and I think
it's incredibly important for them to collaborate with the DHS; obviously they can't have a
domestic agenda, but they can certainly teach and add value to DHS. To do that, you have to have a
receiving team at DHS that's substantive and big enough to take that training and knowledge and
convert it to action. So I like what this administration is doing. We need even more of a sense of