by Dana Tierney, Senior Assistant Editor
Some of the world's security experts did not come to the RSA Conference, said Art Coviello, President of RSA and Executive Vice President of EMC Corporation, in the opening keynote at the conference last week, yet they collaborate across the globe nonetheless. "Their fraud ecosystem is marked by innovation and agility and is highly opportunistic."
The cybercriminals that security professionals work to stop "are not bound by service level agreements beyond the honor among thieves that they share. And they are not bound by governance and compliance. But they are organized, purposeful and effective. They control, as we know, massive armies of zombie computers. They update them almost daily with the latest variants of malware so their attacks can evade antivirus signatures. They collaborate both offline to build their attacks and in real time to launch them."
"Their supply chain is amazingly sophisticated," Coviello said. "Our adversaries operate as a true ecosystem that thrives through interdependence and constantly adapts to ensure its growth and survival."
In order to succeed against such organized opposition, he said, security vendors must take the lead, because "we are the only ones in a position to build a security ecosystem."
Instead of acting independently to solve discrete information security problems as it has in the past, the information technology industry must come together and collaborate to find "a process that ensures that we are far faster than these criminals."
Healthy ecosystems are "by necessity, not choice, interdependent."
Fraud threatens the information ecosystem "like the introduction of a pollutant to a natural ecosystem."
A second and equally pressing force: the economic crisis. While technology contributed to our economic collapse by "enabling levels of speed and complexity that obfuscated risk," technological innovation also has the potential to fuel our economic recovery.
Third, virtualization, consumerization of IT, social networking and cloud computing are being adopted at far higher rates than anyone ever expected, at first because of the cost benefits but also for the agility and new possibilities they offer organizations.
These forces offer an opportunity as well as a challenge, he said. Swift adoption of these newer technologies brings us to a critical inflection point where we can rebuild infrastructure almost from the ground up and learn from past mistakes. The current infrastructure has "no overarching design or master plan, no process."
As new technologies emerged they were stacked one on another, in "a leaning tower of technologies on the brink of collapse."
"I just think we can do better," he declared, advocating a common development process with an infrastructure "designed around that process rather than forcing a process around a collection of technologies."
Most security applications perform all of the necessary functions, said Coviello, but delivering them as individual point products actually hampers the dynamic management of risk. Most cybercriminals will "poke at the infrastructure until they find a weakness. So what do the fraudsters do? They just work around the products."
His vision therefore includes real-time knowledge of the risk environment, and security elements that cooperate across infrastructure boundaries and vendor offerings to act as a complete system. Adaptive authentication evaluates the level of risk, or trust, that the user is who they say they are and, in that context, selects a control from a range of controls to strike the right balance between security and usability.
"No one wants to know that one particular point control is working and compliant. They want to know that their entire system is working," Coviello said. "By decoupling policy enforcement from the application and building it into the infrastructure, we breathe new life" into the system, making applications far more intelligent, seamlessly transparent, efficient and effective.
For example, sensitive but unencrypted information running on a server that hasn't been patched in over a month would be treated with greater care than information that did not have these attributes, and if an individual with a high risk score attempted to connect to it, the level of security would go up even more.
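The risk-adaptive control selection sketched in that example, as an added illustration rather than any RSA product logic: resource attributes (data sensitivity, encryption, patch age) and the requester's risk score feed one policy decision that picks a control. The weights, thresholds and control names are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Resource:
    name: str
    sensitive: bool
    encrypted: bool
    days_since_patch: int

@dataclass
class Requester:
    user: str
    risk_score: int  # assumed scale: 0 (well-established identity) .. 100 (highly suspicious)

# Ordered from least to most restrictive; names and cut-offs are assumptions.
CONTROLS = ("password", "one_time_code", "manager_approval", "deny")
THRESHOLDS = (40, 70, 100)

def resource_risk(r: Resource) -> tuple[int, list[str]]:
    """Score the data-handling and host-hygiene attributes of the target."""
    score, reasons = 0, []
    if r.sensitive and not r.encrypted:
        score += 40
        reasons.append("sensitive data stored unencrypted")
    elif r.sensitive:
        score += 15
        reasons.append("sensitive data (encrypted)")
    if r.days_since_patch > 30:
        score += 30
        reasons.append(f"host unpatched for {r.days_since_patch} days")
    return score, reasons

def select_control(r: Resource, u: Requester) -> tuple[str, int, list[str]]:
    """Combine resource and requester risk; higher combined risk => stricter control."""
    score, reasons = resource_risk(r)
    score += u.risk_score
    if u.risk_score >= 50:
        reasons.append(f"requester {u.user} has elevated risk score {u.risk_score}")
    level = sum(score >= t for t in THRESHOLDS)  # number of thresholds crossed
    return CONTROLS[level], score, reasons       # reasons double as the audit trail

if __name__ == "__main__":
    # Constructed sample: the unpatched, unencrypted server from the article's example.
    db = Resource("payroll-db", sensitive=True, encrypted=False, days_since_patch=45)
    for u in (Requester("alice", 10), Requester("unknown-device", 60)):
        print(u.user, select_control(db, u))
```
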
"In Web 2.0, we've seen the power of mashups," he declared. "Why not in the security world?"
The infrastructure's current problems "cannot be solved by a suite of products from a single vendor," he said, calling for "inventive collaboration" from the broader community in which the current offerings would interweave with one another.
While the call has become almost a cliché, he said, "we must collaborate on standards."
Coviello also advocated sharing technology, a move he said would accelerate the development of the ecosystem. He announced that RSA would make technology tools generally available over time. He cited the RSA Share program and the BSAFE toolkit, which allow "developers to collaborate online with some of the greatest minds in cryptography."
But at the architectural level, policy decisions and enforcement should be embedded into the infrastructure itself. As an emerging technology, virtualization is an opportunity to do this "by embedding security into the virtual layer now," enabling "near-ubiquitous coverage in a frictionless manner."
In closing, he said he suspected that many in his audience felt that "it's about time!"
We have the chance not only to change the game but to win the game, he said. "It is true that many of us are competitors," but he proposed "changing the basis of competition from feature wars to an ability to work in and augment a system."
Dana Tierney is the Sr. Assistant Editor at House of Fusion, where she causes authors to cry over their once-thought perfect articles. They recover, and their articles are better for it. But still, the sound of grown men weeping...