We are at a critical point in the security industry. The number of internet-connected devices is growing exponentially, faster than anyone can manage or secure them. These devices – from GPS systems in cars to medical monitoring bracelets to smartphones – give us unprecedented abilities to communicate, increase the velocity and reach of our businesses, and are changing our lives in ways we cannot even predict. This "internet of things" also opens more doors for remote attacks and can do serious damage to corporate networks, as we can see in the barrage of security breach disclosures we read in the press.
Traditional enterprise software-based security measures are rapidly becoming ineffective against the proliferation of attacks coming over the internet, which is now at the core of our ability to conduct business and live our daily lives.
In my RSA keynote, we will discuss why and how security must follow the cloud-oriented architecture model that corporations are now adopting to improve their business effectiveness, because security is now a problem of scale and speed. The internet is morphing before our eyes into a massive network of hyper-connected networks, exponentially increasing both the attack surface and the scale at which organizations must protect their networks.
People are mystified by the cloud and uncertain where their data actually resides. That is why security professionals have not yet fully embraced the cloud: there is a lot of confusion about what the cloud, or cloud computing, really is. Yet cyber criminals already leverage cloud technologies to increase the reach of their attacks.
After all, cloud computing is an architecture, and we have a natural tendency to confuse it with the delivery models, such as SaaS, PaaS or IaaS, that leverage cloud technologies to deliver computing power at unprecedented scale. In less than 50 years, we have seen the mainframe architecture era, the client-server architecture era, and now we are entering the era of cloud-oriented architecture.
So let's look at this architecture. We now have almost unlimited computing and storage capacity in backend servers that can sit either in corporate data centers or with a service provider. These systems collect data from, and feed data and services to, an almost unlimited number of devices that people and businesses can use anywhere on the planet. Security must follow this model. It can no longer be bolted on, as it was, for the most part, during the client-server era.
Rather, we must now devise large backends that collect, analyze and correlate in near real time all the information pertinent to the security and compliance of every device that connects to our networks. We must introduce the notion of continuous security: continuously analyzing the traffic coming in and out of our networks and sub-networks, and, wherever possible, running agents on the devices that connect to our networks from anywhere. Such agents must be lightweight and invisible, like security sentinels watching for malicious or suspicious activity in the background. We can call them cloud security agents. Their task is to analyze incoming traffic and suspicious activity on these devices and report it back to the cloud backend for analysis and action, just as our immune system protects our body from disease.
Unlike traditional enterprise software agents, cloud agents, once installed, are managed remotely from the cloud and do not require user intervention. We must also devise broad scanning capabilities to be used with devices and applications where agents cannot be installed, similar to the scanning capabilities dolphins have developed over time: a very sophisticated sonar that first sends a low-frequency beam to discover schools of fish and then a high-frequency beam to discriminate the type of fish. Such scans also need to run continuously, or at least frequently, to identify rogue IT assets and maintain an accurate inventory.
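The two-phase scan described above, a cheap broad sweep to find what is alive followed by a more expensive probe to identify what each live host is running, only becomes useful for inventory when its results are reconciled against what the organization believes it owns. The following is an added example, not code from the original post or from any product it alludes to. It parses two constructed samples written in the style of nmap's grepable (`-oG`) output (the hosts, ports and versions are invented for illustration), then diffs the result against a hypothetical inventory to flag rogue hosts, unexpected services on known hosts, and inventoried hosts that did not answer.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Phase 1 sample: a host-discovery sweep (e.g. "nmap -sn -oG ..."), constructed for this example.
DISCOVERY_SCAN = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 10.0.0.10 ()\tStatus: Up
Host: 10.0.0.11 ()\tStatus: Up
Host: 10.0.0.12 ()\tStatus: Down
Host: 10.0.0.23 ()\tStatus: Up
"""

# Phase 2 sample: service fingerprinting of the live hosts (e.g. "nmap -sV -oG ..."), also constructed.
# Grepable port entries are "port/state/proto/owner/service/rpcinfo/version/".
FINGERPRINT_SCAN = """\
Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.4//, 443/open/tcp//https//nginx//\tIgnored State: closed (998)
Host: 10.0.0.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.4//, 3306/open/tcp//mysql//MySQL 5.7//
Host: 10.0.0.23 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4//, 5900/open/tcp//vnc//VNC 3.8//
"""

# Hypothetical asset inventory: host -> set of services it is approved to expose.
INVENTORY: dict[str, set[str]] = {
    "10.0.0.10": {"ssh", "https"},
    "10.0.0.11": {"ssh"},
    "10.0.0.12": {"ssh", "smb"},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def discover_live_hosts(grepable: str) -> set[str]:
    """Phase 1, the broad low-frequency beam: return every host reported as 'Status: Up'."""
    live: set[str] = set()
    for line in grepable.splitlines():
        if line.startswith("#"):
            continue
        m = HOST_RE.match(line)
        if m and "Status: Up" in line:
            live.add(m.group(1))
    return live


def fingerprint_services(grepable: str) -> dict[str, dict[int, str]]:
    """Phase 2, the narrow high-frequency beam: map host -> {open port: service name}."""
    services: dict[str, dict[int, str]] = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host = m.group(1)
        for column in line.split("\t"):
            if not column.startswith("Ports:"):
                continue
            for entry in column[len("Ports:"):].split(","):
                # Real nmap escapes '/' inside version strings as '\/'; the sample has none.
                parts = entry.strip().split("/")
                if len(parts) < 5 or parts[1] != "open":
                    continue  # only open ports count toward exposure
                services.setdefault(host, {})[int(parts[0])] = parts[4]
    return services


@dataclass
class Findings:
    rogue_hosts: set[str] = field(default_factory=set)            # alive but not in inventory
    unexpected_services: dict[str, set[str]] = field(default_factory=dict)  # known host, unapproved service
    missing_hosts: set[str] = field(default_factory=set)          # inventoried but did not answer


def reconcile(live: set[str], services: dict[str, dict[int, str]],
              inventory: dict[str, set[str]]) -> Findings:
    """Diff scan results against the inventory so every deviation becomes an actionable finding."""
    findings = Findings()
    for host in sorted(live):
        seen = set(services.get(host, {}).values())
        if host not in inventory:
            findings.rogue_hosts.add(host)
            continue
        extra = seen - inventory[host]
        if extra:
            findings.unexpected_services[host] = extra
    findings.missing_hosts = set(inventory) - live
    return findings


def run_inventory_check() -> Findings:
    """Run both phases over the constructed samples and reconcile against INVENTORY."""
    live = discover_live_hosts(DISCOVERY_SCAN)
    return reconcile(live, fingerprint_services(FINGERPRINT_SCAN), INVENTORY)


if __name__ == "__main__":
    result = run_inventory_check()
    print("rogue hosts:        ", sorted(result.rogue_hosts))
    print("unexpected services:", result.unexpected_services)
    print("missing hosts:      ", sorted(result.missing_hosts))
```

On a real network the two inputs would come from `nmap -sn -oG discovery.gnmap <range>` and then `nmap -sV -oG fingerprint.gnmap -iL live-hosts.txt`, with the inventory pulled from a CMDB rather than a literal. The three buckets deliberately stay separate because they call for different responses: a rogue host needs to be found and either enrolled or removed, an unapproved service on a known host is a configuration drift to be reverted, and a missing host may simply be powered off, so it warrants a re-scan before anyone assumes it was decommissioned.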
In order for this new scenario to work, manufacturers of devices must share their APIs with security vendors so that such cloud security agents can be developed and installed. While current mobile platforms and devices are closed, we believe that, in response to mounting security challenges, the natural force of evolution will push their vendors to open up their platforms further in order to support a broader range of applications. This must happen so we can bring scalable security to this new mobile world and block the kinds of attacks used every day to steal people's bank account information, corporate secrets and email, as underscored by recent intrusions at The New York Times, the Wall Street Journal and even sensitive energy and critical infrastructure operations in the U.S. and elsewhere.
The security challenge is becoming more acute as computing activities continue to shift to mobile and remote devices that access an increasing amount of sensitive and vital information about our lives. It is bad enough that malware can jump to a corporate network via an employee's smartphone, but what if malicious code were injected into a personal heart monitoring device and changed its settings? The consequences are scary, needless to say.
What we are discussing here is just around the corner, so we need to prepare the security solutions now and get mobile platform makers – including Google, Apple and Microsoft – on board to develop the standards for the future of security.
In the meantime, IT administrators could be doing much more with existing software and hardware to batten down the hatches. Many organizations are at risk, and becoming victims, because they are not taking basic precautions to secure their networks. The most recent Verizon Business data breach report found that 97 percent of data breaches could have been avoided if IT administrators had taken some simple security measures. The SANS Institute has developed guidelines that address this problem, and SANS Director John Pescatore will discuss them during our joint keynote at the RSA Conference.
We may already feel like we are awash in mobile phones, laptops, connected appliances, smart grid sensors and myriad other devices, but the real tsunami has yet to hit. Industry projections put the number of internet-connected devices at 24 billion to 50 billion by 2020. Five years ago, when the first iPhone came out, IT administrators refused to let people use them on the corporate network. That was, in retrospect, futile, and a BYOD ecosystem was born. Single-platform solutions for mobile security will need to go the way of the traditional enterprise IT solutions that proved costly and failed to scale. We need to take advantage of what cloud architecture has to offer, put effective security in place on devices, and get the different mobile platforms to coalesce around a smart strategy. It is a huge challenge, but I am confident we will rise to it.