IT execs must shift security approaches
- 29 February, 2012 23:15
SAN FRANCISCO -- IT security executives must secure what they cannot directly control to properly protect enterprise data in the coming years, said industry executives at the RSA Conference 2012 here this week.
The confluence of cloud computing, mobile technologies and IT consumerization is driving massive changes in how enterprise data is accessed, used and shared.
Rather than fight the changing data management landscape, enterprises should look to accommodate it in a secure and practical way, the executives said.
"We need to rethink how we secure the enterprise," said Enrique Salem, president and CEO of Symantec, in a keynote speech. "We need to stop saying 'No' and partner with our user community" to enable the secure use of new technologies and social media tools, Salem said.
Longheld notions about enterprise security need to be jettisoned, Salem said. "This new world is one where we don't control the device," he said.
Enterprise data is increasingly being accessed and shared via mediums that IT has little direct control over -- personal mobile devices and social media networks used by workers and from servers hosted by cloud providers.
"With the expanded use of private and public clouds we don't know where our data resides or when a specific workload is being run," Salem said.
Traditional security models that focus on perimeter and network controls won't work in the new IT environment, he said. Companies must start implementing controls that can securely authenticate, authorize and audit user access, via untraditional means.
Instead of having only firewalls to prevent malicious code from entering a network, companies should start adding controls that can keep critical information within it, Salem said.
For the first time since the dawn of IT technology, savvy consumers and employees are adopting technologies faster than enterprises can absorb them," said Art Coviello, president of EMC's RSA division.
The ramifications of the trend are significant, he said.
"IT organizations must learn to manage what they cannot directly control and security organizations must learn to protect what they cannot control," Coviello said.
Over the past 10 years, he noted, data volumes, data access speeds, the use of mobile technologies and social media tools and risk levels have all increased by several orders of magnitude. "If Facebook were a country it would be the third largest on the planet right now," he said.
Protecting enterprise data in the new environment is a lot different than current security models allow, he added.
Scott Charney, corporate vice president of Microsoft's Trustworthy Computing initiative, said good security increasingly should be about the ability to manage and analyze massive volumes of data. "It is really important to understand that we are moving to the Internet of things," he said.
As users begin to access enterprise data from mobile devices and other channels, security manager will have to find a way to deal with a torrent of information related to devices, cloud infrastructure, geolocation data and sensors, Charney said.
"The problem is we have too much security data and don't know what to make of it," he said.
Patricia Titus, chief information security officer at Symantec, said that while a lot needs to change, some things about enterprise security remain the same.
"Governance hasn't changed a lot," Titus said. "I still have to do the same basic cybersecurity hygiene," like patching, and installing anti-virus tools. "Those things are basic," and security managers shouldn't ignore such measures.
My job is the same," she added. "But now we have an added layer of complexity," she said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan , or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org .
Read more about security in Computerworld's Security Topic Center.