Three years ago during your RSA Conference keynote, you said the security industry would disappear in three to five years. Now you're talking about embedding security into the cloud and devices we use. Is that the realization of the original vision you had?
I get teased about this a lot because I literally said there would be no need for a security industry in three years. I actually looked to Wall Street analyst Sarah Friar of Goldman Sachs for vindication. In a research report she put out last fall, she said the security industry is getting increasingly barbelled. There are a few high-end players, nothing in the middle, and a bunch of small players. In my speech, I said there would always be room for innovative startups. When any innovative security market emerges, you're seeing big companies swoop in and pick up the leading players. It's happened with data loss prevention (DLP) and to some level with SIM and GRC. I do think that what I said about security being embedded into the virtual layer is just a manifestation of what I said three years ago. Security had to be embedded into the infrastructure. This is the biggest wave to date. As virtualization moves through to full cloud capability, you'll see security more embedded and pushed into the virtual infrastructure.
Is that the only way it will work in the cloud? Any alternatives we haven't thought of?
You'll end up with the same problems you have in the physical environment. Now is the time for a security do-over. If we embed security as opposed to bolting it on to a big broad perimeter, you've, in essence, embedded technology into the virtual layer, so that every time you create a virtual machine, you'll have the opportunity to automate all the controls into a new virtual machine based on the policy that should be prescribed for what that virtual machine does. If you do that, you're miles ahead of where you are in a physical infrastructure. That's why I'm so optimistic that we can use the technologies enabling the cloud to secure it.
What's your vision for how policy and identity travels with data into the cloud?
One of the important elements as you start to externalize the cloud is that you have the ability to dictate to the service providers your federation requirements around policy and identity. I don't know how many times I've been asked, 'Who's responsible for security? The cloud provider or the subscriber?' I usually answer, 'Yes, both.' If you have a capability to do federation, the subscriber is not in a position to abdicate their responsibility to define policy and identity requirements. With federation, they can push those requirements to the cloud provider. What the provider has to do in return is not only enforce the policy and the identity requirements, but they have to demonstrate they've proved compliance and the capability to manage multitenancy. They need to supply back the means with which to give them verifiable metrics that they have been following what has been dictated to them.
Where are your customers with virtualization? Are they primarily doing just test environments and development?
We see organizations in various stages. People just get literally wrapped up in the cloud. They can't seem to understand it; maybe cloud is a bad metaphor. Cloud is nothing more than virtualization taken to the n-th degree, taken to its farthest point. You start with the virtualization of test and development systems, not critical apps. That's where the vast majority of people are. They're not virtualizing production systems and critical apps. Some are, but the majority is at the first stage. Some develop internal clouds for certain elements of their infrastructure. Ultimately, you have to control access to data in the cloud and know who is accessing it, what they're doing with it and where they're taking it.
You seem to talk about GRC as a way of doing this: Why GRC as opposed to SIM?
They're not mutually exclusive. They're reinforcing. We talked about building a hardware root of trust at the chip level with Intel. That means the customer or cloud provider can be confident you're not going to have BIOS attacks and others that relate to the platform. You can have confidence putting the virtual layer on top of that. The virtual layer controls and those you embed in the virtual layer can be reported out to platforms that collect log data and analyze the information. That's not the end; you need a dashboard to look at this that reflects your governance model, your risk mitigation policies and your regulatory compliance. It's really SIM complementing the GRC platform that makes this a complete platform.
Why are we seeing a lot of interest in cyberwarfare and cyberterrorism? It's not a new problem.
I really think there was a sea change last year—I certainly noticed it well before the [Google Aurora cyber attack]—and that's the fact that the speed with which malware morphs and the intensity and volume of distribution of malware reached pandemic proportions last year. I always get asked the question: 'What's new with the threat environment?' There doesn't need to be a lot new if malware, which is effective, morphs more quickly and there's a higher volume to it. We're at a point where even small and medium-sized businesses are getting hit because it's just so prolific across the Internet. This stuff is so automated, even small businesses are being affected. That's what tells me it's at pandemic levels. The Google thing is just a manifestation of what's been happening.
What's your opinion on Howard Schmidt's appointment as cybersecurity coordinator, and in particular that he's part technologist/politician? Is that the right type of person for that position?
I actually think it is. I would put an accent on the technologist part. He's been at Microsoft. He's been at eBay. You wouldn't want me there because I'm not much of a politician, and you have to have an element of politician in there. What qualifies Howard more than anything else is his deep technical knowledge and his ability to articulate this concept of balance—not minimizing the threat and not overhyping it—and having solid recommendations about the things that are necessary to get implemented and fixed to the point where we feel good about it.
That said, is the job too big for one person?
It is. His job title is cybersecurity coordinator. People have the tendency to attach czar with that. He doesn't have the budget or line authority. What he does have is the ear of the president, the ear of the National Security Council and that carries a lot of weight, and he'll carry a lot of weight. What I've been pretty pleased about is I think the Department of Homeland Security has been beefed up substantially. I've always had the greatest respect for the capability of NSA and I think it's incredibly important for them to collaborate with the DHS; obviously they can't have a domestic agenda, but they can certainly teach and add value to DHS. To do that, you have to have a receiving team at DHS that's substantive and big enough to take that training and knowledge and convert it to action. So I like what this administration is doing. We need even more of a sense of urgency.