Security must evolve to be ‘all about the data’
By Taylor Armerding, CSO | July 24th, 2014
There is a fierce debate about whether GMOs — genetically modified organisms — with built-in resistance to pests, fungus, drought and other agricultural threats, are a good thing when it comes to our food supply.
But there was little debate Thursday morning in Boston at a panel discussion among Dell security experts, partners, analysts and customers that the digital equivalent of GMO protection embedded in data will be more than just a good thing — it will be mandatory to sustain any credible level of security into the future.
The event, the first in what is titled the “Dell 1-5-10 Series” security discussions, was focused on what the title suggests: What will the threat landscape look like in one, five and ten years, and what should enterprises at all levels be doing to counter those threats?
And while it is notoriously difficult to predict just about anything in IT, the panelists agreed with Don Ferguson, Dell senior fellow, vice president and CTO of the Dell Software Group, that a security model for applications that “has not changed in decades doesn’t sustain us.”
That model, which “relies on the program to identify the person and what is the operation,” is now obsolete, he said. “Data are everywhere, on the device, in the cloud, moving around. You can’t find all the places that are moving it around, so data need to be self-protecting. And existing apps are not coded that way.”
Changing that model, said Patrick Sweeney, executive director at Dell SonicWALL, would “solve the BYOD problem.”
Instead of focusing on a device or a user, it would be “only about the data — not about the device, not about the network. You need to protect it, own it, revoke it.”
To do that in the next five years, he said, would require three things: “First, encrypt it with enterprise key management. That’s fundamental to any BYOD strategy.
“Second, it has to reside in a virtual container that I control, like an embassy that is subject to my rules and my laws. Somebody else can’t repurpose it, send it out on an email or do anything with it.”
Finally, he said, it would have to possess egress policies that control who can access it. “If I want to revoke the key, I can hit a red button and it doesn’t matter if the bytes are still there, you can’t read them,” he said, contending that if the National Security Agency had had that kind of control over its data, it could have prevented whistleblower Edward Snowden from stealing and passing on classified information to journalists.
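The three controls Sweeney lists (encryption under a central key manager, policy-gated access, revocation by destroying the key) can be sketched as follows. This is an added example, not code from the article or from Dell; `KeyService`, the document id and the user names are hypothetical, and an HMAC-SHA256 keystream stands in for an AEAD cipher such as AES-GCM so that the sketch runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

def _sub(key, label):                      # derive separate enc/MAC subkeys
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):                # HMAC-SHA256 counter mode (stand-in cipher)
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    pad = _stream(_sub(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, pad))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    pad = _stream(_sub(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, pad))

class KeyService:
    """Hypothetical enterprise key manager: one data key and reader list per document."""
    def __init__(self):
        self._keys, self._readers = {}, {}

    def create(self, doc_id, readers):
        self._keys[doc_id] = secrets.token_bytes(32)
        self._readers[doc_id] = set(readers)
        return self._keys[doc_id]

    def release(self, doc_id, user):       # policy is enforced at key release
        if doc_id not in self._keys:
            raise PermissionError("key revoked")
        if user not in self._readers[doc_id]:
            raise PermissionError("policy denies " + user)
        return self._keys[doc_id]

    def revoke(self, doc_id):              # the "red button": destroy the key
        self._keys.pop(doc_id, None)
        self._readers.pop(doc_id, None)

def read(kms, doc_id, user, blob):
    """Fetch the key for this read only; the caller never stores it."""
    return unseal(kms.release(doc_id, user), blob)
```

Revocation only holds if endpoints never persist a released key or the decrypted bytes, which is the job of the controlled container in the second requirement.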
Ultimately, he said, access to information will resemble “watching TV.”
Tim Brown, Dell fellow and executive director of security at Dell Software Group, said that is also going to require the data itself “to understand what its policy should be, how sensitive should it be and what should be the rules to access it. If we get to that point, then we can have information flowing more freely.”
That kind of advance in security, as significant as it would be, will not be a silver bullet, however, panelists agreed. One reason is that the attack surface is exploding with the Internet of Things (IoT).
Jon Ramsey, Dell fellow and CTO of Dell SecureWorks, said the “merger of the cyber and physical domains — smartphones, smart cars, smart grid — is very, very concerning. It gives capabilities to threat actors in the physical domain that they didn’t have before, especially in critical infrastructure.
“It’s interconnecting things that weren’t designed to be interconnected, which means we’ve just changed the risk equation substantially,” he said.
Then there is the “human factor.” David P. Wrenn, vice president at Advanced Office Systems, wondered aloud how technology is going to “prevent an idiot like me from clicking on a malicious link. That’s one of the biggest challenges our industry sees.”
Indeed, there was general agreement that the human factor trumps security at all levels, from the CEO who is more focused on staying competitive with the functionality, features and price of a product, to consumers who so far remain much more enamored with features than security.
“A CEO is thinking that you have to have profits before you can lose them,” Sweeney said. So, for security to be effective, “it is going to be more like an airbag than a seatbelt.”
“It is a business problem rather than a technology problem,” Ramsey added. “It’s a very competitive market, and it is very expensive to produce secure software.”
Yet another human factor, Ferguson said, is that security too often remains an afterthought in software development. “If civil engineers built buildings the way programmers build applications, the first woodpecker would destroy civilization,” he said. “The Internet of Things scares me.”
Not everyone saw the future in quite such bleak terms, however. Brett Hansen, executive director, Client Solutions Software, said he thinks security will “move from IT to the boardroom. It will become fundamental business discussion, to balance productivity and security and the cost of both.”
And Brown said he believes companies will address the human weakness factor. “I see a big trend toward human-based security,” he said. “Not about systems and the environment as what people do. See more psychology come into play.”