Seems to be a big week for industry events. Lots of EMC folk are either at VMware Europe or the RSA Europe security conference.
I always like listening to the keynotes that come out of the RSA industry security conferences. The "state of the state" themes always give me rich food for thought on this important topic. Make no mistake, I don't even attempt to be a security expert -- it's just an increasingly important part of the mix.
During the keynotes, there's always a good analogy or two offered up that makes this particular complex topic a bit more approachable. For example, a past RSA keynote focused on the "arms race" between good guys and bad guys, and made the case that we were likely going to be in for a long haul of measures and counter-measures between these two opposing forces.
Maybe we can't offer an easy solution to the problem, but at least we have a framework for thinking about it in a useful way. Stuxnet, anyone?
This RSA Conference is no exception in sharing a new useful analogy that -- while not providing any simplistic answers -- gives us a helpful framework for thinking about the problem.
The Air Traffic Control Analogy
If you travel a lot, this one doesn't need a lot of explanation, does it?
At a high level, ATC keeps the air traffic flowing while preventing bad things from happening to airplanes and their passengers. Expand the model a bit to include the on-ground aspects (e.g. security screening, etc.) and you've got a more complete analogy.
While not perfect, the combined system does function adequately most of the time. It knows how to deal with, for example, congestion. Or bad weather. Or a new class of terrorist threat. Or political instability in parts of the world. Or unruly passengers. Or, occasionally, a new systemic problem in one aspect or another of air transportation technology.
Generally speaking -- and minor travel inconveniences aside -- the combined system largely protects us passengers from bad things happening at reasonable cost. And, most of the time, we end up getting where we're going without too much collateral damage :-)
And On To The New World of IT
The IT world is moving from physical to virtual to clouds of potentially multiple service providers. Your applications -- and your information -- will be eventually moving around if they're not already.
Sometimes that movement will be between entities sitting within your data center, presumably under a high degree of control. Sometimes that movement will be between your in-house IT and compatible service providers that you select. And, over time, that movement will include entities over which you have a less certain degree of control.
I found the three-layer schema that RSA is using a helpful framework for envisioning what this new "air traffic control" might look like. From the press release:
1. A Controls Enforcement Layer which is the point of security detection enforcement across the infrastructure. In an ideal environment, many controls are embedded directly into IT infrastructure such as operating systems and networks, providing ubiquitous coverage without deploying and managing hundreds of point tools.
For me, this reinforces the view that security capabilities belong virtually everywhere, and ideally built in rather than bolted on. This moves away from the historical views of "security belongs in the network" or "security belongs in the application" or other domain-focused perspectives. The new answer is more along the lines of "yes, and yes, and yes ..."
This perspective also lends itself to a world where individual capabilities are exposed at a relatively low level, rather than being presented as homogeneous and monolithic stacks, no different, really, than how we think about other IT functionality.
2. A Controls Management Layer where organizations can provision and monitor security controls. Establishing this layer offers the opportunity to consolidate numerous security consoles.
For those of us that tend to think in terms of virtualized infrastructure, clouds and the like, this is our familiar "orchestration layer" applied to the security domain. Much as templated approaches and integrated consoles (think EMC Ionix UIM) are changing our thinking about how best to approach infrastructure management, the same thinking will likely apply in the security domain.
3. A Security Management Layer where policies are defined that govern the organization and information infrastructure based on compliance requirements, best practices and the nature of risk.
This is also the layer where events and alerts from controls across the infrastructure come together and are correlated to assess compliance and remediate as necessary. This visibility layer is about bringing together what were once isolated technologies, inputs and feeds, into a single platform or framework, the same as an air traffic control system.
Ah yes -- the need for a big picture view, hence the ATC analogy. Just saying "policy definition, enforcement and monitoring" seems too limiting. Modern air traffic control is about reacting to new situations in near real-time -- with plenty of after-the-fact analysis and improved recommendations.
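The third layer is the one that turns the analogy into something concrete: feeds from many controls land in one place and are evaluated against a policy that no single control could check by itself. Here is an added illustration of that idea in Python. It is not RSA's code, not any product from the press release, and every feed, field name and value in it is constructed for the example: an OS audit log, a network IDS alert and a cloud identity trail are normalised into one schema, and one cross-control policy (a source seen by several controls, with a failed login followed by a success inside a time window) is applied over the merged timeline.

```python
"""Toy 'security management layer': normalise events from several controls
into one schema, then apply one cross-control policy.  Added illustration only;
the feeds and field names below are constructed and belong to no real product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed feed 1: host OS audit lines (key=value after a timestamp).
OS_AUDIT = [
    "2010-10-13T09:00:01Z host=web01 user=svc_backup src=203.0.113.7 result=FAIL",
    "2010-10-13T09:00:04Z host=web01 user=svc_backup src=203.0.113.7 result=FAIL",
    "2010-10-13T09:00:09Z host=web01 user=svc_backup src=203.0.113.7 result=OK",
    # A second source seen by the OS control alone: fails, then succeeds.
    "2010-10-13T09:05:00Z host=web01 user=admin src=198.51.100.9 result=FAIL",
    "2010-10-13T09:05:06Z host=web01 user=admin src=198.51.100.9 result=OK",
]
# Constructed feed 2: network IDS alerts, already structured.
NET_IDS = [
    {"ts": "2010-10-13T08:59:58Z", "sig": "SSH brute-force",
     "src": "203.0.113.7", "dst": "web01"},
]
# Constructed feed 3: a cloud identity audit trail with its own field names.
CLOUD_IAM = [
    {"eventTime": "2010-10-13T09:01:30Z", "eventName": "ConsoleLogin",
     "sourceIP": "203.0.113.7", "user": "svc_backup", "outcome": "Success"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Each normaliser maps a control's native record to the common schema:
# ts, control, src, user, asset, kind ("auth" or "ids:<signature>"), outcome.
def normalize_os(line):
    ts, rest = line.split(" ", 1)
    kv = dict(p.split("=", 1) for p in rest.split())
    return {"ts": parse_ts(ts), "control": "os_audit", "src": kv["src"],
            "user": kv["user"], "asset": kv["host"], "kind": "auth",
            "outcome": "fail" if kv["result"] == "FAIL" else "success"}


def normalize_ids(rec):
    return {"ts": parse_ts(rec["ts"]), "control": "net_ids", "src": rec["src"],
            "user": None, "asset": rec["dst"], "kind": "ids:" + rec["sig"],
            "outcome": "alert"}


def normalize_iam(rec):
    return {"ts": parse_ts(rec["eventTime"]), "control": "cloud_iam",
            "src": rec["sourceIP"], "user": rec["user"], "asset": "cloud",
            "kind": "auth", "outcome": rec["outcome"].lower()}


def collect():
    """The 'single platform' view: every control's events in one timeline."""
    events = ([normalize_os(line) for line in OS_AUDIT]
              + [normalize_ids(r) for r in NET_IDS]
              + [normalize_iam(r) for r in CLOUD_IAM])
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5), min_controls=2):
    """Policy: flag a source that (a) shows up in at least `min_controls`
    distinct controls within `window` and (b) has a failed authentication
    followed by a successful one in that window.  No single control can
    evaluate this on its own; the OS log alone never knows about the IDS."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            controls = {e["control"] for e in span}
            auths = [e for e in span if e["kind"] == "auth"]
            fails = [e for e in auths if e["outcome"] == "fail"]
            success_after_fail = bool(fails) and any(
                e["outcome"] == "success" and e["ts"] > fails[0]["ts"]
                for e in auths)
            if len(controls) >= min_controls and success_after_fail:
                findings.append({"src": src, "controls": sorted(controls),
                                 "assets": sorted({e["asset"] for e in span}),
                                 "first": first["ts"], "last": span[-1]["ts"]})
                break  # one finding per source is enough for the operator
    return findings


if __name__ == "__main__":
    for f in correlate(collect()):
        print(f"{f['src']}: seen by {f['controls']} on {f['assets']} "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

Run as-is, it reports only 203.0.113.7, because that source was seen by all three controls and crossed from failed to successful logins; 198.51.100.9 did the same thing but was seen only by the OS audit log, so with the default threshold of two controls it stays below the policy line. Lowering `min_controls` to 1 flags both, which is the operator's knob for how much cross-control evidence the "big picture" layer should demand before raising an alert.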
Rising Threats + More Complexity = New Organizational Response?
At some point, the discussion around security technology and architecture "crosses the fence" into one around how best to organize internally around the new requirements. As things get more important, very often the existing organizational structure (and resources and associated mandate) isn't capable of meeting the new requirements.
The second RSA announcement is leading in this direction -- the recommendation that many organizations will quickly need an improved and enhanced organizational response, provisionally dubbed an "ASO", or Advanced Security Operations capability.
The thinking here is straightforward: there's only so much progress you can make by incrementally improving existing tactical security capabilities -- at some point, you've got to take a big step back and say "hey, what do we really need here?".
The parallel from my boring IT infrastructure world is the classic "new IT vs. old IT" debate. Organizations progressively virtualize (and cloud-ify) their environments until -- at some point -- they hit a wall and realize that the people and process have to change around the new way of doing things.
Indeed, this pending operational and organizational shift is one of the extremely hot topics in larger IT shops that are moving towards becoming an internal service provider.
The RSA folks are making an argument that the same sort of transition is likely to play out in security operations around the globe -- a transition from "security as usual" to a more advanced, comprehensive and integrative model.
An Opportunity For Specialized Service Providers?
Many of you know that I'm working closely with our partners to understand the new SP market and the associated opportunities. Some think that the shift to an external service provider is all about lowering costs, and, make no mistake, there's clear evidence that this can be the case.
But the other compelling case for external SPs is expertise -- they can do something better than you can easily do yourself. Whether this is a specific application domain (e.g. enterprise unified communication and collaboration) or a vertical domain (e.g. consumer behavioral analytics) -- the case is less about cost and more about capabilities.
I remain a firm believer that security, especially in the context of this broader discussion, will be a ripe target for specialized service providers to address. Not to be too pedestrian, but how many companies already contract with an outside company for physical security today (guards, cameras, patrol cars, etc.)? I think the same logic will inevitably apply for many in the information security domain: give it to an expert, for all the right reasons.
Indeed, many of the products and technologies mentioned in the RSA materials are already being delivered as-a-service by our growing cadre of service provider partners.
Things Don't Get Any Easier, Do They?
I've been in more than a few customer discussions where the security frustration hits, and I get asked "hey, why don't you bright technology vendors just come up with a really simple solution?".
Trust me, if there was one, the lucky vendor would make a killing :-)
In the meantime, we're left with new technologies -- and new organizational models -- that adapt to the new realities, and let us get on with life pretty much as it was before.
Sort of like how the air traffic control system works ...
Recent research would appear to support your point, Chuck. More than half (52 percent) of respondents to the Eighth Annual Global Information Security Survey by CSO and CIO magazines said that managed security service providers are important or very important to accomplishing their security objectives.
http://www.theinfoboom.com/articles/it-leaders-put-more-trust-in-security-outsourcers/
Posted by: Paul Gillin | October 13, 2010 at 04:58 PM
Hi Chuck,
How do you see this requirement differing from what is already offered in the market e.g. by my company NCCGroup in the UK (http://www.nccgroup.com/Services/365Assured.aspx) or other vendors like Qualys? http://www.qualys.com/
cheers,
Steve
Posted by: Stephen Thair | October 14, 2010 at 03:37 AM