Information security is a vast field: there are technologies that change by the day, there is social engineering, the hardest thing of all to defend against, and there is the honest-looking good father and good colleague who, after more than ten years at the company, disappears without a trace once he has stolen the trade secrets. For floods and fires you have to have a contingency plan; for earthquakes and typhoons you have to find a way to keep the organization alive. The things already done are countless, and the things not yet done are more numerous still. Because every snowflake believes this avalanche has nothing to do with it, we have no choice but to walk ahead of every snowflake, spot the factors that could set off an avalanche, find ways to prevent it, and keep it from happening. And even if the snow really does come down, we still have to keep ourselves and the company alive in the middle of the avalanche. In today's world, one of the world's five largest accounting firms can collapse in an instant, a single energy company can manipulate electricity prices in California and even across the whole United States, a single hurricane can destroy the paradise of jazz, fewer than twenty people can bring down the entire Twin Towers, a single downpour can wipe out a whole village, and a single earthquake can nearly destroy eastern Japan. Over these past few years I have slowly come to accept that "the sky really can fall"...... Not bad: worrying can be a job too.

Friday, June 12, 2009

Security is not about saying no

http://www.cio.com/article/494718/RSA_Chief_the_Job_of_Security_Guys_is_Not_to_Be_Doctor_No_
RSA Chief: the Job of Security Guys is Not to Be 'Doctor No'
IT security managers should enable cloud computing by learning how to manage risk, says RSA chief Art Coviello.
By Jaikumar Vijayan
This article reminds security people that their job is to manage risk, not to avoid it.

Wed, June 10, 2009 — Computerworld — Web 2.0 technologies and cloud computing are extending traditional enterprise network perimeters to the point that they are practically vanishing, says a report released this week by RSA, the security division of EMC Corp. The report further states that information security managers who understand the associated risks and learn how to manage them can help their companies adopt such technologies on their own terms.
RSA has published a report.

The report also includes recommendations from 10 members of RSA's Security for Business Innovation Council, including chief information security officers from J.P. Morgan Chase, Motorola, eBay, Time Warner and RSA.
The report includes input from security people at J.P. Morgan, Motorola, eBay, Time Warner and RSA.

In this interview, RSA president Art Coviello talked about some of the report's key recommendations as well as other topics.
Why did RSA do this report? This report is about what we call the hyperextended enterprise, which is exactly what you think it would be. We are using the Internet as never before. There are more devices, there are far more Web applications and now with Web 2.0 and social networking, communication is instant and pretty constant.
Our dealings as businesspeople with customers, suppliers, partners, and even our own employees, have changed dramatically in just the last seven or eight years. The opportunity being created with technologies like virtualization and cloud computing is extending the perimeter out even more. It literally puts your IT infrastructure out of the company in many instances. So our research is on whether people have learned the lessons of the past, and if they are building security into the cloud computing environment. Unfortunately, we found out that they are not doing this as they should.
We now use the Internet far more often than before: Web 2.0, social networking sites and so on, so the perimeter we have to defend is much larger than it used to be. Yet IT people do not seem to have learned from past experience how to deal with cloud computing and virtualization.

What are some of the recommendations from the Security for Business Innovation Council in terms of what companies should be doing to enable cloud computing? The first recommendation is that if you are thinking of outsourcing applications and information and infrastructure then you ought to rein in the protection environment. See if there is a way to lessen the cost of security. Look at the kind of security measures you have, check them for cost effectiveness and see if there are redundancies.
The first recommendation is to review whether the existing tools are actually effective and whether the cost of security can be reduced.

[Another] recommendation is to proactively embrace new technologies on your own. The job of the security guy is not to be "Doctor No." It's not to say "you can't do stuff," but rather how you can embrace these technologies and how you can do it securely. You can never do security perfectly, but if you do it in the context of risk, you can minimize your exposure.
The second recommendation is to engage proactively with new technology. Security people should not be like the doctor who keeps telling the patient "you can't do this, you can't do that." Security is never finished and will never be perfect; all you can do is reduce the risk you are exposed to.

It also makes sense if you no longer have control of the physical infrastructure to shift from protecting the container to protecting the data. One would assume that the cloud provider is protecting the container and the physical infrastructure. Your job then is to shift from protecting the container to protecting the data and information itself. Once you go to a cloud environment, it really is about how you maximize the use of your applications and your information and how you ensure that the people who need it get access to it.
Once you are in the cloud you can no longer see the physical infrastructure the way you used to, so your responsibility shifts to protecting the data. The physical side and the infrastructure are protected by the cloud provider, while you concentrate on protecting the data itself. Once you have moved to the cloud, what matters is how you maximize the use of your applications and information and make sure the people who need them can get what they need.

[Another recommendation] is really about protecting data with security techniques that allow you to monitor the flow of data in real time. Things like data-leak prevention technologies that are far more dynamic and are based more on content and behavior and looking for anomalies based on who is getting access, or who is using the data and how it is being used.
Another recommendation is to use content- and behavior-based detection technology to manage how data is being used.

What impact has the recession had on information security budgets? Have they been as immune from cuts as some had expected them to be? Every budget has been impacted. There's no question about that. Relative to others though, security budgets have been impacted less. In our case we are gaining market share.
Has the recession affected security budgets? Of course, but security budgets have been affected less than others.

This year we had 10% year-over-year growth in Q1 and actually almost 11% from an order standpoint. Now that is down from last year, but it is still positive growth. I think a lot of high-technology companies would have been thrilled to report growth in Q1. If you were to look at our product lines, SecurID which is still a very significant portion of our business, is only flat to maybe slightly up and that would be expected because it is so employment dependent. We are not getting expansion inside existing accounts because people aren't adding lots of employees. Our security incident management business is growing at well over 30%, while our ID protection and verification suite is growing at about 40%, and our data leak prevention is growing at 80% or 90%.
Our year-over-year growth in Q1 this year was 10%. Although that is lower than last year's, it still counts as solid growth, far better than the quarterly reports of many high-tech companies. Among the product lines, SecurID, which is our main product and whose sales track headcount, is only flat. Our security incident management products grew more than 30%; ID protection and verification products grew 40%; and data leak prevention products grew 80% to 90%.

Two years ago you had said that standalone security vendors are headed for extinction because vendors such as Microsoft, EMC and Cisco Systems were integrating security functions into their own products. Do you still believe that will happen? I was wrong on time but not on direction. There really are only two significantly large independent companies that are totally security focused today, and that's McAfee and CheckPoint and they are anomalies.
Two years ago I predicted that standalone security vendors would face extinction, because large vendors like Microsoft, EMC and Cisco would build security functions into their own products. I was wrong about the timing, but not about the direction. The only pure security vendors left now are McAfee and CheckPoint, and they are the anomalies.

Symantec now owns Veritas so they are as much an infrastructure company as they are a security company. And let's pick a category like data leak prevention. The three big players in that space - IronPort, Tablus and Vontu - were all snapped up.
There continue to be innovative startups and lots of point products, but increasingly, especially in cloud environments, the ability [of customers] to absorb countless numbers of independent point products tends to be less and less. We see customers wanting to minimize the amount of vendors they have because the technology really needs to be baked in. It needs to be transparent and seamless in the environment. I'm not saying there won't be security products. But I am saying the infrastructure companies are going to need their own security products and technologies and will form partnerships as we are doing with the likes of Microsoft and Cisco.
What do you think about President Obama's plans to appoint a White House cybersecurity coordinator? I think it makes tremendous sense. I think the idea of having somebody coordinate policy and to lobby strongly on Capitol Hill for the requisite funding and changes to law is a good one and I think it is very necessary.
Symantec, for example, now also owns Veritas, so it is no longer a single-product vendor. In data leak prevention, the top three vendors were all bought up. In the cloud space, customers now want to deal with as few vendors as possible and with as few products that have nothing to do with each other as possible; tight integration and transparency are a must, and vendors have to work together. Obama has also set up a cybersecurity czar in the White House, which makes a lot of sense: that person will coordinate policy and the necessary funding.

The [National Security Agency] has a lot to offer, but people are suspicious of them because they don't have a domestic charter. Homeland Security needs to play a very heavy role and I'm sure they will. But somebody in the White House coordinating the effort and also working with civilian agencies that have a lot of personally identifiable information like the IRS and the Social Security Administration just makes tremendous sense.
The NSA can help a great deal, but they have no charter to operate domestically. Homeland Security plays a very important role, but having someone in the White House coordinating directly and working directly with the IRS and the Social Security Administration makes even more sense.
© 2007 Computerworld Inc.
