Web 2.0 technologies and cloud computing are extending traditional enterprise network perimeters to the point that they are practically vanishing, says a report released this week by RSA, the security division of EMC Corp. The report further states that information security managers who understand the associated risks and learn how to manage them can help their companies adopt such technologies on their own terms.
The report also includes recommendations from 10 members of RSA's Security for Business Innovation Council, including chief information security officers from J.P. Morgan Chase, Motorola, eBay, Time Warner and RSA.
In this interview, RSA president Art Coviello talked about some of the report's key recommendations as well as other topics.
Why did RSA do this report? This report is about what we call the hyperextended enterprise, which is exactly what you think it would be. We are using the Internet as never before. There are more devices, there are far more Web applications and now with Web 2.0 and social networking, communication is instant and pretty constant.
Our dealings as businesspeople with customers, suppliers, partners, and even our own employees, has changed dramatically in just the last seven or eight years. The opportunity being created with technologies like virtualization and cloud computing is extending the perimeter out even more. It literally puts your IT infrastructure out of the company in many instances. So our research is on whether people have learned the lessons of the past, and if they are building security into the cloud computing environment. Unfortunately, we found out that they are not doing this as they should.
What are some the recommendations from the Security for Business Innovation Council in terms of what companies should be doing to enable cloud computing? The first recommendation is that if you are thinking of outsourcing applications and information and infrastructure then you ought to rein in the protection environment. See if there is a way to lessen the cost of security. Look at the kind of security measures you have, check them for cost effectiveness and see if there are redundancies.
[Another] recommendation is to proactively embrace new technologies on your own. The job of the security guy is not to be "Doctor No." It's not to say "you can't do stuff," but rather how you can embrace these technologies and how you can do it securely. You can never do security perfectly, but if you do it in the context of risk, you can minimize your exposure.
It also makes sense if you no longer have control of the physical infrastructure to shift from protecting the container to protecting the data. One would assume that the cloud provider is protecting the container and the physical infrastructure. Your job then is to shift from protecting the container to protecting the data and information itself. Once you go to a cloud environment, it really is about how you maximize the use of your applications and your information and how you ensure that the people who need it get access to it.
[Another recommendation] is really about protecting data with security techniques that allow you to monitor the flow of data in real time. Things like data-leak prevention technologies that are far more dynamic and are based more on content and behavior and looking for anomalies based on who is getting access, or who is using the data and how it is being used.