A new vision of security for the device tsunami

We are at a critical point in the security industry. The number of internet-connected devices is growing exponentially, faster than anyone can manage or secure them. These devices – from GPS systems in cars to medical monitoring bracelets to smartphones – give us unprecedented ability to communicate, increase the velocity and reach of our businesses, and are changing our lives in ways we cannot yet predict. This “internet of things” also opens more doors for remote attacks that can do serious damage to corporate networks, and we see the results in the barrage of breach disclosures we read in the press.

Traditional enterprise software-based computer security measures are rapidly becoming ineffective against the proliferation of attacks coming from the internet, which is now at the core of our ability to conduct business and our daily lives.

In my RSA keynote, we will discuss why and how security must follow the cloud-oriented architecture model that corporations are now adopting to improve their business effectiveness, because security is now a problem of scale and speed. This is a result of the internet morphing before our very eyes into a massive network composed of hyper-connected networks, exponentially increasing both the attack surface and the scale at which organizations must protect their networks.

People are mystified by the cloud and uncertain where their data actually resides. Security professionals, for their part, have not yet fully embraced the cloud because there is still a lot of confusion about what the cloud or cloud computing really is. Yet cyber criminals already leverage cloud technologies to increase the reach of their attacks.

Cloud computing is, after all, an architecture, and we have a natural tendency to confuse it with the delivery models – SaaS, IaaS or PaaS – that leverage cloud technologies to deliver computing power at an unprecedented scale. In less than 50 years, we have seen the mainframe architecture era, the client-server architecture era, and now we are entering the era of cloud-oriented architecture.

So let's look at this architecture. We now have almost unlimited computing and storage capacity in backend servers that can sit either in corporate data centers or within a service provider. These systems collect and feed data and services to an almost unlimited number of devices that people and businesses can use anywhere on the planet. Security must follow this model. It can no longer be bolted on, as we did for the most part during the client-server computing era.

Rather, we must now devise large backends that can collect, analyze and correlate in near-real time all the information pertinent to the security and compliance of every device that connects to our networks. We must introduce the notion of continuous security: continuously analyzing the traffic coming in and out of our networks and sub-networks, and, wherever possible, placing agents on the devices that connect to our networks from anywhere. Such agents must be lightweight and invisible, like security sentinels watching for malicious or suspicious activity in the background. We can call them cloud security agents. Their task is to analyze incoming traffic and suspicious activity on these devices and report back to the cloud backend, which analyzes the reports and takes action, just as our immune system protects our body from disease.

Unlike traditional enterprise software agents, cloud agents, once installed, are remotely managed from the cloud and do not require user intervention. We must also devise broad scanning capabilities for devices and applications where agents cannot be installed – similar to the sonar that dolphins have developed over time: a low-frequency beam first discovers schools of fish, and a high-frequency beam then discriminates the type of fish. Such scans also need to be performed continuously or frequently to identify rogue IT assets and maintain an accurate inventory.
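To make the two preceding ideas concrete, here is a small added example (my own illustration, not code from the article, from Qualys or from any product) of what the "cloud backend" side of continuous security and rogue-asset scanning has to do at minimum: take the periodic reports from agents, take the results of a network sweep for hosts that have no agent, and reconcile both against the authorized inventory. The check-in format, device names, indicator strings and the sweep results are all constructed for this example; the thresholds (a device is "stale" after 24 hours without a check-in, an indicator is "shared" when two or more devices report it) are assumptions, not figures from the article.

```python
"""Toy 'cloud backend': reconcile agent check-ins and a network sweep against inventory.

Constructed example, not the article's or any vendor's code. All data below is invented.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed agent check-ins, one JSON record per line, as a lightweight agent might
# post them to the backend. "indicators" are opaque strings the agent flagged locally.
AGENT_CHECKINS = """\
{"device_id": "lap-001", "ts": "2013-02-20T10:00:00", "indicators": ["hash:abc123"]}
{"device_id": "lap-002", "ts": "2013-02-20T10:01:00", "indicators": []}
{"device_id": "lap-003", "ts": "2013-02-18T09:00:00", "indicators": ["hash:abc123"]}
{"device_id": "phone-007", "ts": "2013-02-20T10:02:00", "indicators": ["hash:abc123", "dns:evil.example"]}
"""

# Constructed sweep result: every host that answered the low-frequency discovery pass,
# with the agent id if the high-frequency fingerprint pass could attribute the host to one.
SCAN_SWEEP = [
    {"ip": "10.0.0.11", "device_id": "lap-001"},
    {"ip": "10.0.0.12", "device_id": "lap-002"},
    {"ip": "10.0.0.40", "device_id": None},      # answers, but no agent could be found
    {"ip": "10.0.0.41", "device_id": None},
]

# Authorized inventory the backend is supposed to keep accurate (assumed).
AUTHORIZED = {"lap-001", "lap-002", "lap-003", "phone-007"}
STALE_AFTER = timedelta(hours=24)   # assumed threshold


def parse_checkins(text):
    """Return (latest check-in per device, devices per indicator)."""
    latest = {}
    devices_by_indicator = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        dev = rec["device_id"]
        if dev not in latest or ts > latest[dev]:
            latest[dev] = ts
        for ind in rec.get("indicators", []):
            devices_by_indicator[ind].add(dev)
    return latest, devices_by_indicator


def stale_agents(latest, now, stale_after=STALE_AFTER):
    """Agents that have gone quiet: a managed device that stopped reporting is itself a finding."""
    return sorted(dev for dev, ts in latest.items() if now - ts > stale_after)


def unmanaged_hosts(sweep, authorized):
    """Hosts that answer on the network but carry no agent or are not in inventory: rogue candidates."""
    return sorted(h["ip"] for h in sweep
                  if h["device_id"] is None or h["device_id"] not in authorized)


def shared_indicators(devices_by_indicator, min_devices=2):
    """Correlation across devices: the same indicator on several devices points at a campaign."""
    return {ind: sorted(devs) for ind, devs in devices_by_indicator.items()
            if len(devs) >= min_devices}


def reconcile(checkins_text, sweep, authorized, now):
    """One backend cycle: parse reports, then produce the three classes of finding."""
    latest, devices_by_indicator = parse_checkins(checkins_text)
    return {
        "stale": stale_agents(latest, now),
        "unmanaged": unmanaged_hosts(sweep, authorized),
        "shared": shared_indicators(devices_by_indicator),
    }


if __name__ == "__main__":
    findings = reconcile(AGENT_CHECKINS, SCAN_SWEEP, AUTHORIZED, datetime(2013, 2, 20, 12, 0, 0))
    print(json.dumps(findings, indent=2))
```

Running it with the constructed data reports lap-003 as stale (its last check-in is two days old), 10.0.0.40 and 10.0.0.41 as unmanaged hosts the sweep found but no agent covers, and hash:abc123 as an indicator shared by three devices. In a real backend the check-ins would arrive continuously and the sweep would be repeated on a schedule, but the reconciliation step is the same.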

In order for this new scenario to work, manufacturers of devices must share their APIs with security vendors so that such cloud security agents can be developed and installed. While current mobile platforms and devices are closed, we believe that the natural force of evolution, in response to mounting security challenges, will push vendors of such devices to open up their platforms further in order to provide a broader range of applications. This must happen so we can bring scalable security to this new mobile world and block the kinds of attacks that are used every day to steal people's bank account information, corporate secrets and email – as underscored by recent intrusions at The New York Times, the Wall Street Journal and even sensitive energy and critical infrastructure operations in the U.S. and elsewhere.

The security challenge is becoming more acute as computing continues to shift to mobile and remote devices that access an increasing amount of sensitive and vital information about our lives. It's bad enough that malware can jump to a corporate network via an employee's smartphone, but what if malicious code were injected into a personal heart monitoring device and changed its settings? The consequences, needless to say, are scary.

What we are discussing here is just around the corner, so we need to prepare the security solutions now and get mobile platform makers – including Google, Apple and Microsoft – on board to develop these standards for the future of security.

In the meantime, IT administrators could be doing much more with existing software and hardware to batten down the hatches. Many organizations are at risk, and becoming victims, because they aren't taking basic precautions to secure their networks. The most recent Verizon Business data breach report found that 97 percent of breaches could have been avoided if IT administrators had taken some simple security measures. The SANS Institute has developed guidelines that address this problem, and SANS Director John Pescatore will discuss them during our joint keynote at the RSA Conference.

We may already feel awash in mobile phones, laptops, connected appliances, smart grid sensors and myriad other devices, but the real tsunami has yet to hit. Industry projections put the number of internet-connected devices at 24 billion to 50 billion by 2020. Five years ago, when the first iPhone came out, IT administrators refused to let people use them on the corporate network. In retrospect that was futile, and a BYOD ecosystem was born. Single-platform solutions for mobile security will need to go the way of the traditional enterprise IT solutions that proved costly and failed to scale. We need to take advantage of what cloud architecture has to offer, put effective security in place on devices, and get the different mobile platforms to coalesce around a smart strategy. It's a huge challenge, but I am confident we will rise to it.

Philippe Courtot

Demonstrating a unique mix of technical vision, marketing and business acumen, Philippe Courtot has repeatedly built innovative companies into industry leaders. As CEO of Qualys, Philippe has worked with thousands of companies to improve their IT security and compliance postures. Philippe received the SC Magazine Editor’s Award in 2004 for bringing on-demand technology to the network security industry and for co-founding the CSO Interchange to provide a forum for sharing information in the security industry. He was also named the 2011 CEO of the Year by SC Magazine Awards Europe. Before joining Qualys, Philippe was the Chairman and CEO of Signio, an electronic payment start-up that he repositioned to become a significant e-commerce player. In February 2000, VeriSign acquired Signio for more than a billion dollars. Today, VeriSign’s payment division, based on the Signio technology, handles 30% of electronic transactions in the U.S., processing $100 million in daily sales. Prior to Signio, Philippe was President and CEO of Verity, where he re-engineered the company to become the leader in enterprise knowledge retrieval solutions. Under Philippe’s direction, the company completed its initial public offering in November 1995. Philippe also turned an unknown company of 12 people, cc:Mail, into the dominant e-mail platform provider, achieving a 40% market share while competing directly against IBM and Microsoft. Acknowledging the market-leading position of cc:Mail and the significance of e-mail in corporate environments, Lotus acquired the company in 1991. In 1986, as CEO of Thomson CGR Medical, a medical imaging company, Philippe received the Benjamin Franklin award for his role in the creation of a nationwide advertising campaign promoting the life-saving benefits of mammography. Philippe served on the Board of Trustees for The Internet Society, an international non-profit organization that fosters global cooperation and coordination on the development of the Internet.
French and Basque born, he holds a master’s degree in physics from the University of Paris, came to the US in 1981 and has lived in Silicon Valley since 1987.
