As I’ve mentioned before, I’m no security expert.
I jealously guard my non-expert status. I have published no security white papers, attended no security conferences, and hold no basic patents in security technology.
I believe my qualifications as an industry-leading non-expert are somewhat useful.
Why?
Because I tend to focus more on the pragmatic than the theoretical. I look for simple things people can do to improve the situation that are quick hits, and tend to avoid big strategies with long journeys involved.
Ever since EMC acquired RSA, I’ve found myself drawn into more and more customer discussions where my non-expert qualifications appear to be in demand.
And I’ve found myself making the same recommendations over and over again.
My Deep Dive Into Security
Fair enough, I had only a working knowledge of IT security prior to the RSA acquisition. I understood the basic concepts, kind of knew how they worked together, but couldn’t really keep up my end of a conversation with a customer.
Then we acquired RSA.
Off I went, headlong into the deep end, not only to learn about everything RSA did, but the rest of the industry as well. Lots of good, rich technology to go understand. Big problems, big ideas.
I read, listened, talked to knowledgeable people. After several months, I felt I really was starting to understand what was going on here.
Then I spent a few months trying to piece all the ideas together into some sort of an uber-strategy. You know -- the perfect, be-all, do-everything approach to the problem that we all lust for.
Turned out to be a very frustrating exercise.
Like most uber-strategies on complex topics, this one seemed to be made of unobtanium. The security problem was like the expanding universe; once you set a boundary on the problem, some clever guy moves the boundary.
So I found myself gravitating towards the practical side of the discussion. Swimming in the shallow end, if you will.
What are the easy, cost-effective things people can do to improve the security of their environment? Things that make a significant impact, but don’t take months and millions to implement.
So let me share with you what’s starting to be popular. And, not surprisingly, I’ll be drawing my examples from the EMC portfolio.
Two Factor Authentication Ain’t Just For Remote Access
Most of us have been exposed to some form of two-factor authentication: the little fobs, or some sort of similar scheme. They’re very popular for improving security for remote access.
Basically, they make you prove who you are with something a bit stronger than your username and your dog’s name.
So here’s what I discovered: once inside the network perimeter, people don’t use these technologies. Somehow, being inside a corporate facility means you don’t really have to prove who you are.
A username and password combination can get you pretty far in most environments. Access to most any database. Access to IT infrastructure. Even access into the basic security protection mechanisms.
As I dig into details regarding the very public security breaches perpetrated by insiders, I’m amazed at how often they’ve used a borrowed userid / password combination to do their work. Simply using two-factor authentication for *any* sensitive access looks like it would have nipped a fair number of these events in the bud.
My feeling is that you need to prove who you are at *any* access point into the IT infrastructure. Just because you’re accessing from inside a building shouldn’t matter.
And I think the IT guys might be the worst of all. My impression is that a whole bunch of the IT infrastructure is free to be accessed, modified, etc. by anyone who’s got a valid username / password combination.
Going a bit further, there are great protection mechanisms in databases, applications, etc. to keep bad people out. But they all start with proving who you are, i.e. strong authentication of some sort.
Want a good way to make the rest of your security environment work better? Start with making *everyone* prove who they are, all of the time.
It hasn’t happened yet, but I’m waiting for the court case where the IT guy has to explain why he used two-factor authentication for the external network, but didn’t feel it was justified for the internal network.
Unintentional Data Leakage
I think it happens tens of thousands of times a day.
Someone has access to secure data, extracts some data, and saves it to a file. Maybe it’s a report, or a spreadsheet, or a memo, or a powerpoint. It doesn’t matter.
What does matter is that any sort of protection mechanism you had around the information has now been utterly and completely defeated. The information is out there, sitting in the wild, usually on a public file share, or – worse – a laptop.
Now, I’m not talking about bad guys here, just normal people doing what they do every day to get their job done. The bad guy problem is a different animal.
Nor am I proposing that every sensitive piece of information be encrypted and wrapped in DRM (digital rights management) and managed comprehensively end-to-end – although the trend is definitely moving in that direction.
What I’m proposing is that you ought to have tools that tell you when someone has put a file out there that has stuff in it that shouldn’t be there.
As an example, EMC’s Infoscape has found a strong following in customers who need to continually police their file environment for sensitive information.
Part of Infoscape’s value is the ability to discover file servers IT may not know about. No one analysis approach solves all problems, so Infoscape brings a whole toolbox of different approaches to recognizing potential problems. And it’s not always obvious what you might want to do with a potential problem, so there’s a lot of back-end flexibility on how you handle situations.
Interesting footnote: many people are interested in using Infoscape with Celerra’s APIs that can detect file system changes. We use it for anti-virus today: when someone writes a file, Celerra can quarantine the file until it’s been looked at externally. Useful for this application as well, no?
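To make the "police your file shares" idea concrete, here is an added example (my own, not Infoscape code or anything from EMC) of the kind of logic such a tool runs: walk a share, apply several independent detectors to each text file, and turn the findings into a handling decision. The detectors, the thresholds, the "quarantine / review / ok" decisions and the sample files are all constructed for illustration; a Luhn check is used to keep order numbers and other card-lookalikes from becoming false positives, and alerts carry masked values so the alert log does not become a second copy of the sensitive data.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Constructed detectors. Each targets one kind of content that has no business
# sitting on a general-purpose file share. Patterns are illustrative, not exhaustive.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 16-digit card numbers, optionally grouped by spaces or hyphens; validated by Luhn below.
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")
MARKER_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY|DO NOT DISTRIBUTE)\b", re.I)

MAX_BYTES = 4 * 1024 * 1024  # assumption: skip very large files; a real scanner would stream them


def luhn_ok(digits: str) -> bool:
    """Luhn check: weeds out IDs and order numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (kind, evidence) pairs. Evidence is masked so the alert itself
    does not leak the value it is complaining about."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()[:3] + "-**-****"))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * 12 + digits[-4:]))
    for m in MARKER_RE.finditer(text):
        findings.append(("marker", m.group()))
    return findings


def decide(findings: list[tuple[str, str]]) -> str:
    """Constructed handling policy: hard identifiers get pulled, labels get a human look."""
    kinds = {k for k, _ in findings}
    if "ssn" in kinds or "card" in kinds:
        return "quarantine"
    if "marker" in kinds:
        return "review"
    return "ok"


def scan_tree(root: str) -> dict[str, str]:
    """Walk a share and map each readable text file (relative POSIX path) to a decision."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binaries and unreadable files are out of scope for this pass
        results[path.relative_to(root).as_posix()] = decide(scan_text(text))
    return results


# Constructed sample share contents; no real data. The card in orders.txt fails Luhn.
SAMPLE_FILES = {
    "finance/payroll-export.csv": "name,ssn,card\nJ. Doe,123-45-6789,4111 1111 1111 1111\n",
    "sales/orders.txt": "order 1234 5678 9012 3456 shipped\n",
    "eng/roadmap.txt": "CONFIDENTIAL - Q3 roadmap draft\n",
    "eng/readme.txt": "Build with make; nothing sensitive here.\n",
}


def demo() -> dict[str, str]:
    """Materialise the sample share in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:10} {rel}")
```

The same `scan_text` function is what you would hang off an on-write hook of the sort the footnote describes: the file is held until the scan returns "ok", and released or quarantined from there.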
Again, the external optics of a security breach where the IT guy has to explain how all this sensitive data is lying around in file systems (where anyone could get to it) probably hasn’t made the headlines yet, but I can see it coming.
You Are Analyzing Your Logs, Aren’t You?
Time for another dirty little secret.
Most products with security features generate detailed logs of who/what/when and so on.
So, I’ve gotten into the habit of asking whether anyone saves those logs. Sometimes they’re saved for a while, and sometimes not.
Then I ask whether they’re using any sort of analysis tools – cross-domain would be great, but even simple analysis of the individual logs would be useful as well. Very, very rarely is this the case.
The trick here is real-time, cross-domain analysis. Bad guys have to go through multiple security checkpoints to do any real damage, and each should generate some sort of log event.
Without some piece of technology to catch, analyze and correlate all of those logs in real-time, the individual checkpoints aren’t as useful as they could be.
Hence EMC’s enVision solution (formerly Network Intelligence). It’s a simple proposition. Let us capture, analyze and correlate the output of all your existing log gatherers in real time. Make what you have more effective.
Back to the external optics, we’re finding that a fair number of “bad guy” events left a clear set of footprints in various logs after the fact. The information was there, it just wasn’t acted upon. Not a good set of external optics for IT after the fact.
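Here is an added example (mine, not enVision code) of what "cross-domain correlation" means in practice. Three constructed log sources, each with its own format, feed one correlator: a VPN concentrator, sudo on a database host, and a database audit log. Individually, a VPN login, a sudo to the database account and a large SELECT are each routine and would never trip a per-log rule. The correlator keys events by user and fires only when all three checkpoints are crossed in order inside a sliding window. The formats, hostnames, user names, the 30-minute window and the 10,000-row threshold are all assumptions made for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line formats for three checkpoints. Real products each have their own.
VPN_RE = re.compile(r"^(?P<ts>\S+ \S+) vpn1 sslvpn: user=(?P<user>\S+) src=\S+ event=(?P<event>\S+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) sudo: (?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")
DB_RE = re.compile(r"^(?P<ts>\S+ \S+) db1 audit: user=(?P<user>\S+) stmt=(?P<stmt>\S+) rows=(?P<rows>\d+) table=\S+$")

BULK_ROWS = 10_000                  # assumption: what counts as a bulk export
WINDOW = timedelta(minutes=30)      # assumption: how close the steps must be
CHAIN = ("perimeter", "privilege", "bulk_export")


def normalize(line: str) -> tuple[datetime, str, str] | None:
    """Map a raw line from any source to (timestamp, user, chain step), or None
    if the line is not one of the checkpoint events the rule cares about."""
    if m := VPN_RE.match(line):
        step = "perimeter" if m["event"] == "login_ok" else None
    elif m := AUTH_RE.match(line):
        step = "privilege"
    elif m := DB_RE.match(line):
        step = "bulk_export" if m["stmt"] == "SELECT" and int(m["rows"]) >= BULK_ROWS else None
    else:
        return None
    if step is None:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], step


class Correlator:
    """Streaming correlator: lines are fed in time order, as a real-time collector would."""

    def __init__(self, window: timedelta = WINDOW, chain: tuple[str, ...] = CHAIN):
        self.window = window
        self.chain = chain
        self.recent: dict[str, deque] = defaultdict(deque)  # user -> (ts, step) in time order

    def feed(self, line: str) -> str | None:
        ev = normalize(line)
        if ev is None:
            return None
        ts, user, step = ev
        q = self.recent[user]
        q.append((ts, step))
        while q and ts - q[0][0] > self.window:   # expire steps older than the window
            q.popleft()
        if self._chain_seen(q):
            q.clear()                              # one alert per completed chain
            return f"{ts:%Y-%m-%d %H:%M:%S} ALERT user={user}: {' -> '.join(self.chain)} within {self.window}"
        return None

    def _chain_seen(self, q: deque) -> bool:
        """True if the chain's steps occur in order somewhere in the window."""
        want = iter(self.chain)
        need = next(want)
        for _, step in q:
            if step == need:
                need = next(want, None)
                if need is None:
                    return True
        return False


def run(lines: list[str]) -> list[str]:
    c = Correlator()
    return [a for line in lines if (a := c.feed(line))]


# Constructed sample feed, already merged in time order. jsmith completes the chain;
# tnguyen's export comes too long after the first two steps; mlee never escalates.
SAMPLE_LOG = """\
2008-03-04 08:00:05 vpn1 sslvpn: user=tnguyen src=192.0.2.22 event=login_ok
2008-03-04 08:10:17 dbadmin01 sudo: tnguyen : TTY=pts/2 ; PWD=/home/tnguyen ; USER=oracle ; COMMAND=/bin/bash
2008-03-04 09:01:12 vpn1 sslvpn: user=jsmith src=203.0.113.7 event=login_ok
2008-03-04 09:03:40 dbadmin01 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=oracle ; COMMAND=/bin/bash
2008-03-04 09:05:02 db1 audit: user=jsmith stmt=SELECT rows=482113 table=CUSTOMERS
2008-03-04 09:06:30 vpn1 sslvpn: user=mlee src=198.51.100.4 event=login_ok
2008-03-04 09:07:10 db1 audit: user=mlee stmt=SELECT rows=12 table=ORDERS
2008-03-04 09:30:44 db1 audit: user=tnguyen stmt=SELECT rows=75000 table=CUSTOMERS
2008-03-04 09:31:00 vpn1 sslvpn: user=jsmith src=203.0.113.7 event=login_fail
""".splitlines()

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

Two practical points the code makes visible: the rule is only expressible once every source has been normalised to the same user identity, which is where most real deployments spend their effort; and the window is a tuning knob, since tnguyen's slower walk through the same three checkpoints goes unflagged here.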
A Few Related Topics
So, that’s my basic quick-hit recipe for security.
Make people prove who they are.
Take what you’re logging today and make it more effective.
And police your file systems for time bombs waiting to happen.
That being said, there are a few more areas that seem to be popular where I don’t think there’s a preferred approach.
One is what I call the “consultant problem”. Whether it’s a developer who’s working on a new application, or someone reviewing your books, or whatever – we’re seeing more and more non-employees who need access to sensitive data to get the job done.
There have been a few stories about software developers who downloaded an entire database to their laptop, took it home, and had the laptop stolen. Or the consulting firm whose laptop went missing.
There’s a huge debate on how to tackle this sort of problem. My radical thought is that all of the proposed solutions are stopgap only. And I’ve looked at most of them.
The only real solution will be when IT provides a secure environment for a consultant to do their work. And all signs point to a thin-client approach, where no information actually leaves the premises.
Couldn’t think about it five years ago, but we live in an era of fat pipes, VMware, Citrix and so on.
Simply assigning responsibility to the consultant may lessen the blame on you, but the problem remains. Trying instead to fortify a laptop with bulletproof encryption and DRM leads to another set of problems.
It’s your information. You’ll be responsible for protecting it. Even when consultants need access to it.
Where Will It All End?
Sorry to say, but I can’t see the problem really being solved until all data is tagged in some format, sensitive data is encrypted and wrapped in DRM, application access is not granted unless strong authentication and logging are in place, policy is enforced centrally, leakage controls are enforced at the device and application level, and so on.
The good news is that all of the core technologies exist to do this today. And there are certain -- ahem – sensitive parts of the IT landscape where they’re being used today.
What doesn’t exist is mature, integrated solutions that are easy to deploy, easy to manage and don’t inconvenience users. But they’re coming. Slowly.
So, in the meantime, I’m a pragmatic security non-expert. Show me where I can improve the situation for short money, short effort and remediate a serious class of risk. And make sure I can build on what I do today when the better stuff comes.
One thing is clear – security issues have transcended IT, and become Board of Directors issues. It’s one of the few IT issues that ordinary people can identify with.
And it’s not an especially good way to get into the headlines.