Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘RSA’

The CIA and the Encrypted Enterprise

Friday, October 29th, 2010

The international horse show wasn’t the only event in Washington DC this week; I participated in the Virtualization, Cloud, and Green Computing event in our nation’s capital. One of the guest speakers was Ira “Gus” Hunt, CTO at the CIA. If you haven’t seen Gus speak, you are missing something. He is very strong on the technical side and extremely energetic and entertaining.

Gus focused on cloud computing activities at the CIA (I’ll blog about this soon), but I was intrigued by one of his slide bullets that referred to something he called the “encrypted enterprise.” From the CIA’s perspective, all data is sensitive whether it resides on an enterprise disk system, lives in a database column, crosses an Ethernet switch, or gets backed up on a USB drive. Because of this, Hunt wants to create an “encrypted enterprise” where data is encrypted at all layers of the technology stack.

The CIA is ahead here, but ESG hears a similar goal from lots of other highly regulated firms. When will this happen? Unfortunately, it may take a few years to weave this together as there are several hurdles to overcome including:

  1. An encryption architecture. Before organizations encrypt all their data, they have to understand where the data needs to be decrypted. For example, remote office data could be encrypted when it is sent to the corporate data center, but it needs to be decrypted before it can be processed for large batch jobs like daily sales and inventory updates. There is a balancing act between data security and business processes here demanding a distributed, intelligent encryption architecture that maps encryption/decryption with business and IT workflow.
  2. Key management. Most encryption products come with their own integrated key management system. Many of these aren’t very sophisticated and an enterprise with hundreds of key management systems can’t scale. What’s needed is a distributed secure key management service across the network. Think of something that looks and behaves like DNS with security built in from the start. The Key Management Interoperability Protocol (KMIP) effort may get us there in the future as it is supported by a who’s who of technology vendors including EMC/RSA, HP, IBM, and Symantec, but it is just getting started.
  3. Technical experience. How should I encrypt my sensitive Oracle database? I could use Oracle tools to encrypt database columns. I could encrypt an entire file system using Windows EFS or tools from vendors like PGP. I could buy an encrypting disk array from IBM, or I could combine EMC PowerPath software with Emulex encrypting Host-based Adapters (HBAs). Which is best? It depends on performance needs, hardware resources, and financial concerns like asset amortization. Since there is no “one-size-fits-all” solution here, the entire enterprise market is learning on the fly.

A lot of the technical limitations are being worked on at this point, so the biggest impediment may be based upon people and not technology. We simply don’t have a lot of experience here, so we need to proceed with research, thought, and caution. To get to Gus Hunt’s vision of the “encrypted enterprise,” we need things like reference architectures, best practices, and maturity models as soon as possible. Look for service providers like CSC, HP, IBM, and SAIC to offer “encrypted enterprise” services within the next 24 months.

October is National Cybersecurity Awareness Month (Who Knew!)

Monday, October 4th, 2010

If you watched any football games yesterday, you are well aware of the fact that October is National Breast Cancer Awareness Month. Kudos to the NFL for bringing national attention to this deadly disease and donating money to find a cure.

You are probably unaware, however, that October is also National Cybersecurity Awareness Month.

Over the course of the last year, we’ve witnessed visible cyber attacks on Google in January. We’ve seen the activation of the U.S. Cyber Command at Ft. Meade. At my last count, there were ten different bills in Congress related to cybersecurity, including, “The Protecting Cyberspace as a National Asset Act,” a comprehensive piece of legislation coming out of the Senate’s Homeland Security and Government Affairs Committee. Former “cyber czar” Richard Clarke published a new book titled, “Cyberwar.” Finally, we’ve recently witnessed the Stuxnet worm, a cyber weapon attacking the Iranian nuclear infrastructure.

I am providing this brief history to highlight a problem–if you aren’t a Washington cybersecurity insider, you would never know it is National Cybersecurity Awareness Month. Ironic? Yes, but also sad.

Now, I know it is early in the month and there is lots of further activity planned. I am also aware of the fantastic work driven by the National Cyber Security Alliance, an industry group spearheading the National Cybersecurity Awareness Month (www.staysafeonline.org). President Obama will step up and talk about cybersecurity and the indefatigable Howard Schmidt will be as vocal and visible as possible throughout October.

These folks deserve a lot of credit, but somehow the IT and security industries continue to offer lip service support for National Cybersecurity Awareness Month through their Federal offices alone. I did a quick website scan of leading IT and security companies this morning: only RSA Security mentioned National Cybersecurity Awareness Month on its website (Note: The acting NCSA President works at EMC/RSA).

My point here is that National Cybersecurity Awareness Month isn’t making enough people aware of cybersecurity vulnerabilities, education, or government initiatives. Why? It doesn’t appear to me like the industry really cares. Oh sure, there is a bit of token money to appease their clients in Washington, but where is the national spotlight? Beats me.

I was on this soap box last year and will continue to be until I’m proven wrong. I probably have 20 meetings scheduled with security industry insiders in October and I’ll ask each and every one of them if they know what month it is. My guess is that they will say National Breast Cancer Awareness Month.

IBM: An Encryption Key Management Leader

Thursday, September 9th, 2010

While many folks were sunning themselves at the beach this past summer, IBM introduced some pretty important security technology: the Tivoli Key Lifecycle Manager (TKLS). Basically, the TKLS products are designed to create, manage, secure, and store encryption keys as a service.

What’s so special about this? First, key management is one of those IT security disciplines that will go from relatively esoteric to an enterprise requirement in the next year or so. Why? More and more data is being encrypted each day, so key management is becoming increasingly important. Stolen encryption keys could compromise the confidentiality of sensitive data while lost encryption keys could transform critical data into meaningless ones and zeros. Pretty soon, all large enterprises will have something resembling TKLS.

As far as IBM TKLS goes, it looks good to me because:

  1. It is one of the first products built with the KMIP standard. The Oasis Key Management Interoperability Protocol(s) is at the heart of TKLS. IBM has already tested TKLS interoperability with key management products from HP, RSA, and SafeNet. This gives distributed organizations the ability to create a federated key management architecture without mandating one vendor technology or another.
  2. IBM took an architectural approach. Yes, TKLS is mainly linked to storage encryption today, but the product is built with other encryption in mind (laptops, file systems, databases, applications, etc.). By offering TKLS support on System z, IBM will gain a beach head at large organizations that will then build a TKLS architecture from the data center to the distributed network.
  3. TKLS is a comprehensive solution. Many key management systems are built for symmetric key management alone. Alternatively, TKLS is designed for management of symmetric and asymmetric keys as well as digital certificates. Again, enterprises will appreciate this more complete solution.

In general, neither key management nor TKLS will get much visibility or industry recognition — key management is just a bit too geeky for most IT folks. Nevertheless, next-generation cloud computing will depend upon ubiquitous trust and data security. IBM gets this more than most. Think of TKLS as its part of its security plumbing for a smarter planet.

Friday, September 3rd, 2010

Anyone remotely interested in identity management should definitely download a copy of the National Strategy for Trusted Identities in Cyberspace (NSTIC) document. It can be found at this link: .

A a very high level, the strategy calls for the formation of a standards-based interoperable identity ecosystem to establish trusted relationships between users, organizations, devices, and network services. The proposed identity ecosystem is composed of 3 layers: An execution layer for conducting transactions, a management layer for identity policy management and enforcement, and a governance layer that establishes and oversees the rules over the entire ecosystem.

There is way more detail that is far beyond this blog but suffice it to say the document is well thought out and pretty comprehensive in terms of its vision. This is exactly the kind of identity future we need to make cloud computing a reality. Kudos to Federal Cyber coordinator Howard Schmidt and his staff for kicking this off.

I will post my feedback on the official website, but a few of my suggestions are as follows:

  1. Build on top of existing standards. The feds should rally those working on things like Project Higgins, Shibboleth, Liberty, Web Services, Microsoft Geneva, OpenID, etc. Getting all these folks marching in the same direction early will be critical.
  2. Get the enterprise IAM vendors on board. No one has more to gain — or lose — than identity leaders like CA, IBM, Microsoft, Novell, and Oracle. Their participation will help rally the private sector.
  3. Encourage the development of PKI services. PKI is an enabling technology for an identity ecosystem but most organizations eschew PKI as too complex. The solution may be PKI as a cloud service that provides PKI trust without the on-site complexity. This is why Symantec bought the assets of Verisign. The Feds should push Symantec and others to embed certificates in more places, applications, and devices.

There will be lots of other needs as well. The document recommends identity and trust up and down the technology stack but it doesn’t talk about the expense or complexity of implementing more global use of IPSEC, BGPSEC, and DNSSEC. There is also the need for rapid maturity in encryption, key management, and certificate management. Good news for RSA, PGP, nCipher (Thales), IBM, HP, Venafi, and others.

The key to me is building a federated, plug-and-play, distributed identity ecosystem that doesn’t rely on any central authority or massive identity repository. This is an ambitious goal but one that can be achieved — over time — if the Feds get the right players on board and push everyone in the same direction.

RSA Security Extends Compliance to Virtualization

Tuesday, August 31st, 2010

In between the cloud rhetoric and virtualization hyperbole at this year’s VMworld, I’m starting to see a few significant announcements.

RSA Security made one of these by introducing virtualization intelligence in its Archer compliance suite.

What’s the big deal? IT operations needs standard server configurations to meet compliance mandates and auditors need visibility into both physical and virtual servers. Neither group wants to jump through hoops to get what they need. This is a pretty big deal. When ESG asked security professionals what security-specific developments need to take place in order to enable more widespread server virtualization usage, 27% responded that their organizations needed, “compliance management tools that recognize virtual server events.” This was the third most popular of all possible responses.

RSA is on to something here. When I move workloads to the cloud you can be damn sure that my auditors want to know what’s going on. I’d like to see more vendors follow RSA’s lead and I’d really like to see security and cloud computing vendors start to discuss data standards for compliance, event management, and log file formats as well as secure transport protocols. Alas, I’m getting ahead of myself.

The RSA announcement won’t get much pick up, as it lacks the buzz of some cloudy/virtualization vision thing. Nevertheless, it is exactly what customers are looking for.

Why Intel Bought McAfee, Hint: It’s All About Massive Changes In the Security Market

Thursday, August 19th, 2010

Before the bell rang on Wall Street, Intel shocked the army of Latte sipping financial wonks by announcing its intentions to buy security leader McAfee. The deal is valued at $7.7 billion or $48 per share, about a 60% premium on the stock price.

A few financial analysts who cover Intel say that this is about Intel’s mobile device aspirations. Maybe, but McAfee just got into the mobile device security market and my guess is that this business accounts for $5 million in revenue or less.

Sorry Wall Street but that ain’t it at all. I believe that Intel sees the same thing I see. The security market is wildly fragmented with vendors producing tactical point products for its customers. These point products can no longer address the environment of sophisticated and massive threats. In the very near future, enterprise and service provider security technologies must deliver unprecedented levels of scalability, manageability and integration.

Guess what? In today’s market there isn’t a single vendor who can deliver a security product suite anywhere near what’s needed in the market. Get it Wall Street? There is massive emotional demand but no supply. Here’s the kicker — without significant improvements in security, this whole Internet party hosted by companies like , eBay, , , etc. could get really, really ugly soon.

To be fair, McAfee can’t deliver the level of scale, manageability and integration that the market demands but it’s as close as any other vendor. Combine this with Intel hardware, money, and brainpower and you’ve gotten something.

I believe Intel sees a market opportunity, not a product opportunity. Yes, there is plenty of room to integrate McAfee with mobile phones, microprocessors, and NSPs but this is a footnote to the story.

A few other observations:

  1. With its deep pockets, Intel should free McAfee to continue to bolster its portfolio. McAfee should grab ArcSight soon to fill its security management gap with an enterprise leader.
  2. The next logical candidates to double down on security are IBM and /RSA. The next logical target, Check Point — maybe others like Fortinet, Sourcefire, RedSeal, Nitro Security, LogRhythm, etc.
  3. While Symantec’s position just got stronger, Wall Street is waiting to see how the company will digest, integrate, and build upon recent acquisitions PGP and Verisign.
  4. If there is a better CEO success story than Dave DeWalt’s, I’m not aware of it. DeWalt came in a few years ago when McAfee was knee deep in a stock options scandal. He took over, changed the culture, acquired well, pointed the company at the enterprise and voila, sells the whole enchilada to Intel. Not sure if Dave will stick around but I’ll bet HP’s interest in him is sky high.
  5. The combination of Intel and McAfee is a “dream team” for the Feds’ cybersecurity efforts. The two together have security software and can throw massive amounts of hardware at monitoring, filtering, and recording all of the traffic on Federal networks. McAfee already gets hundreds of millions from the Feds. I can see this revenue going beyond $1 billion over the next few years.
Search
© 2010 Enterprise Strategy Group, Milford, MA 01757 Main: Fax:

Switch to our mobile site