Art Coviello Keynote Transcript
RSA Conference Europe 2009
October 19, 2009
With Chris Young, Senior Vice President, RSA

Art Coviello: Good morning and welcome back to RSA Conference Europe. The conference informs, educates, and at its best gives us an opportunity to pause, reflect and think differently. It's designed for you. As a mentor of mine once said, if you don't know where you're going, any road will take you there. But to know where you should go, it's helpful to know where you've been. So I'd like to start by giving you some perspective on the road we've been traveling and how we got to where we are today. Then I'll invite Chris Young, Senior Vice President of RSA, to outline some principles to guide you along that road.

Just think about the last eight years since the dot com crash. We have been overwhelmed with change, to a point where we can't even feel the effects until long after the change has come and gone. It reminds me of that urban myth, or maybe it's a scientific fact, that claims if you put a frog in a pot of boiling water, it will jump right out. That part is obvious. However, if you put the frog in tepid water and steadily turn up the heat, the frog will stay put as the temperature rises to a boil. So hold that gruesome thought for a moment while I ask you a series of questions.

How many of you owned a Blackberry or an iPhone in 2001? How about now? Raise your hand if you had a Web front-ended ERP system. And now? And what about memory sticks? Did any of you imagine that you'd be carrying four gigabytes of storage on your keychain? Or that bandwidth and web applications would grow so dramatically? We are doing so much more on the Internet, personally and in business, than could have been conceived at the time of the dot com crash. These trends, openness, speed, and a constant stream of new web apps, have caused an explosion of information growth, changing the IT landscape dramatically. But what's happened from a security perspective?
We didn't even see criminal attacks until March 2004, when phishing and pharming emerged. None of the infrastructure created prior to then, which enabled the trends I have been talking about, anticipated these attacks. So, not unlike the frog, we've been sitting in the pot while degrees of openness and information growth have combined with evolving threats to stoke the fire and raise the temperature to uncomfortable levels. So how are you feeling now?

It's only going to get hotter, as new trends are headed our way: megatrends in society, politics and the economy that are driven by technology will turn up the heat for information security.

First, we are already operating in a world where there are more digital identities than there are people, and where identities can belong to systems and devices as well as people. By 2015*, over 15 billion devices will be communicating over the network. (*Source: John Gantz, The Embedded Internet: Methodology and Findings, IDC, January 2009)

Closely related to the proliferation of endpoint devices is a trend toward fragmented workforces increasingly dependent on mobile devices and collaborative tools. By 2011, 75% of the workforce will be mobile, and those mobile workers will be mixing personal and business activities, leveraging the power of social networking tools like Facebook, MySpace and LinkedIn.

Next, information is exploding, and the percent of information that requires security or privacy is accelerating faster than the growth of information itself. More information has been created in this decade than since the beginning of time. 90% of information is digital at the time of creation or within three months after.

And the most important trend is: computing infrastructures are consolidating and physical control over IT assets is loosening every day.
Virtualization and cloud computing are eyed longingly not only for their ability to power IT infrastructures that are agile, resilient and highly scalable, but for their unparalleled cost efficiency. And the growth of adoption is significant. IDC predicts that spending on IT cloud services will grow almost threefold by 2012, reaching 35 billion Euros and capturing 25% of IT spending. According to Goldman Sachs, Fortune 1000 companies will have virtualized 34% of their servers within a year, double the current level of 15%.

Let's give these sweeping changes a little more context. Looking back over the past hundred years we can spot another critical trend, a human one. While technology and information have evolved and grown dramatically over the past 100 years, people have evolved at a much slower pace, and our ability to keep up with the complexity foisted upon us is limited. Unfortunately, in contrast to computing power, human capacity is not subject to the principles of Moore's law, doubling every couple of years. So today, high value is found in taming the complexity so that people can take full advantage of these dramatic developments and advancements in technology. This is the challenge facing IT organizations around the world.

The challenge for the security industry is to not only enable the ubiquitous adoption of these promising technologies but also to take advantage of them to protect information in what has become a boundary-less IT environment. This is a complex challenge indeed. It's the charter I've given my organization at RSA, and it's why I've asked our Senior Vice President Chris Young to come on stage this morning and share with you what we've been learning so you can put it to use.

Chris Young: Thanks, Art, and good morning. Well, Art laid it out: our IT infrastructures are changing dramatically and we need to be prepared to respond to the information security risks and opportunities these changes introduce.
But it's a daunting task to figure out how to secure the next generation information infrastructure when our organizations are still struggling to secure today's infrastructures. In fact, security leaders really have only three options.

One option is to buck the trends, or at least try to slow their impact. We've seen how this has gone in the past. IT departments have tried to resist corporate support of Blackberries, ban use of the iPhone and instant messaging, or even fill USB ports with epoxy to prevent their use. More often than not, resistance to these trends is not only futile but counter-productive. Trying to prevent the use of attractive new technology for business, especially when it can be found in most homes, is a surefire way for the security professional to become irrelevant. Organizations that choose to buck or slow the trends will be left behind by their competitors, and their security teams will likely be circumvented or steamrolled by their peers within the organization.

A second option is to simply ignore the risks. A recent study by IDG revealed that 80% of security professionals surveyed agreed that they saw increased risks with adoption of the next gen technologies we're discussing, yet 66% admitted that their organizations were already adopting the technologies without addressing the IT security risks in advance. Ignoring risk in an environment where threats are evolving faster and more unpredictably, where the pace of malware development is increasing at staggering levels, and in which the incidence of bigger and bolder data breaches is on the rise, is a recipe for disaster.

The third and only viable option is to embrace the trends and the new opportunities they present. We could take the approach of Bechtel Corporation, a 110-year-old global construction and engineering company that got its start building railroads and the Hoover Dam.
When their CIO saw his business changing, with projects scattered all over the world and a growing cadre of employees, contractors, temporary workers and partners accessing a myriad of IT systems, he asked himself these questions: "What if I could start from scratch?" "How would I build my IT infrastructure today?" With that he embarked on a project that, according to a CIO magazine article, "...incorporated high-bandwidth networking practices from companies such as YouTube, the standardized server approach of Google, extreme virtualization techniques from Amazon, and the multi-tenant application support strategy of Salesforce.com - among others." The result is an infrastructure-to-applications overhaul of Bechtel's technology environment that provides secure, ubiquitous, simplified and rapidly deployable access to corporate and customer information for any user around the globe who needs it. The CIO calls this approach the "consumerization of the computing environment, an internal cloud-computing infrastructure serving up in-house applications on demand."

Wow! Talk about embracing the trends! As it relates to the security team's role in this transformation, the CIO acknowledged that 80% of the challenge was getting them to think differently. Each and every one of us in this room today, and the people we work with, must embrace this challenge. So let's spend the rest of our time together exploring how to do just that, because there are those who will be best positioned to ride the wave of innovation, reaping the associated rewards of increased revenues, reduced costs and faster, more flexible infrastructures.

But how? We can develop a systemic security strategy now that enables us to build a more secure information infrastructure today and in the future.
Then, with an eye to that future, we can ensure that the new information infrastructure is designed around a strategic system, rather than trying to create a strategic system out of a collection of technologies that already exists. What do I mean by a system? Today we have a hodge-podge of technologies that evolved with no overarching design or master plan. No strategy. What we need are products that work together effectively to solve a common problem. Our system is built on seven fundamental principles, and I want to share those principles with you. And as I do, I will also demonstrate how these principles are guiding RSA's strategy and decisions every day. In other words, it's not just talk; we're living these principles. And you can too.

The first principle: security needs to be embedded into the IT infrastructure. Not just integrated with the infrastructure through common interfaces, but embedded as a core capability. I believe this is absolutely fundamental, and it is the primary driver of many of our major partnerships at RSA. We have begun to deliver on this principle through partnerships with Cisco, Microsoft, our parent company EMC and VMware, to mention just a few. Why should you care? One example: embedding data loss prevention capability into core network devices enables organizations to spot sensitive data in motion and effectively block its transmission, encrypt it or manage it in real time. This is why Cisco is embedding our data loss prevention into their devices, beginning with Cisco IronPort.

Now let me give an example from the virtualized world. When it comes to virtual machine and cloud computing infrastructures, we have the opportunity to design security in now, since these infrastructures are new and evolving. Unlike physical machines, a virtual machine can provide visibility into everything from disk I/O, to packets, to instruction and memory access.
This gives us a unique security reporting and policy insertion point that doesn't need to rely on agents, because it's part of the infrastructure. We can also embed core security capabilities like access control, authentication and data loss prevention directly into the virtual machine layer, extending security controls to applications and users that are leveraging virtual machines. Very powerful. At RSA we are excited to be working with our sister company VMware and others in the industry to realize this vision for you.

The second principle relates to the first. Because IT infrastructures are so complex, no single vendor or technology can solve every problem on its own. Our industry needs ecosystems of solutions, where you have products and services working together from multiple organizations to solve common problems. It's why RSA has invested heavily in the eFraudNetwork, one of the most powerful ecosystems in the industry, created together with thousands of financial institutions and technology partners across the globe. At the heart of the eFraudNetwork is the ability to spot fraud as it migrates between and among institutions on a global basis. That information can then be shared in real time with intelligent risk engines as part of the web security solution in place at thousands of financial institutions, government agencies and corporations.

Let me take you on a fraudster's journey and show you how this works. The story starts with an ecommerce transaction to a UK based bank account; let's call this Bank A. However, the computer and IP address accessing this account is located in Norway. Just a minute later that exact same account is accessed again...from Norway, right? No, the Bahamas. This is either someone who can be in two places at once, or, more likely, it's a fraudster using a bot network, so the risk engine raises a flag and the second transaction is blocked.
The account is now watched closely, and when a third attempt is made from Venezuela it is also blocked. Knowing that this account is clearly under attack, all three IP addresses used by the fraudster are entered into the central repository of the eFraudNetwork, which sits in the cloud. Now the fraudster gets suspicious. Something odd is going on; maybe the bank identified his attack. "No worries," he thinks, "I'll just attack a different bank!" Now he tries to attack a US based bank, Bank B. But the IP address he uses is in the eFraudNetwork. Bingo! The risk engine raises a flag and the transaction is blocked. Poor fraudster, he's frustrated and decides to call it a day. After a good night's sleep and a morning cup of coffee he's back to work. Remembering that yesterday the transaction from Norway worked, he tries that one again on a third bank. This should work fine: it's a new target, new account, and he knows the IP address worked yesterday. But what he doesn't know is that the third bank is also a member of the eFraudNetwork. And since the IP address is in the eFraudNetwork, the risk engine raises a flag and the final fraud attempt on Bank C is also foiled.

By the way, this example is real. RSA processed these transactions as part of our eCommerce Authentication service. The power of that ecosystem is the ability to stop fraud in real time wherever and whenever it strikes around the world. It's also a great example of leveraging a cloud-based model for information sharing in ways that can provide even better security than can exist in siloed, non-connected IT environments. Let's pause on that point for a moment: this cloud-based service can offer better security if leveraged in the right way.

The third principle is that security has to be seamless and transparent to most of the users and systems that it's designed to protect. Why? Because people just can't keep up. How many of us have at some point had personal firewalls installed on our PCs?
I'm sure we can all remember getting those continuous prompts to allow access through a certain port or for a certain file accessing the internet. Typically the user, in frustration, simply clicks "yes", not having any idea of the potential consequences. Security has to be seamless and transparent because the average user is not in a position to decipher whether security alerts are legitimate or a threat. Therefore, we need to protect people from themselves. In order to make security more seamless and transparent to the user, we must design it into our systems.

First Data Corporation is the largest payment processing company in the world. Together with RSA they recently announced a new service designed to secure payment card data for merchants by completely eliminating the need for merchants to store credit card data within their IT systems. The service employs a layered approach to security through the use of tokenization, encryption and key management that replaces all credit card data at the merchant site with a "safe proxy" or token value that resides with First Data. But the true beauty of this solution is that it is built into the payment processing system - a hardware-agnostic, scalable solution for the merchant - that is also completely transparent to the consumer. First Data's 5.4 million merchants worldwide can implement this service without the need for any costly application or point-of-sale hardware modifications. So the real beneficiaries are the millions of consumers whose credit card numbers are now protected via this comprehensive solution.

To deliver on the promise of seamless and transparent security we need technologies that are both content aware and correlated. This is our fourth principle, and it's fundamental because, as we well know, information is exploding.
Not only is the amount of information that the average user has access to growing exponentially, but the number of regulations and requirements that govern that information is growing all the time as well. To put controls in place that are going to help protect users and the sensitive data they access, those controls need to be correlated and content aware.

On any given day the EMC Critical Incident Response Center (CIRC) is monitoring 1,300 devices generating 15 to 20 million security events per hour. Obviously this is more data than any team of security analysts could digest in real time. Intelligent security products must help the analysts effectively pinpoint the right alerts to focus on, and those alerts must be more content and context aware. In the CIRC we've centralized Security Information Event Management such that it can correlate data from network devices, identity controls like Risk-based Authentication, Data Loss Prevention and Infrastructure Controls such as configuration management systems. With this kind of multi-faceted intelligence we're able to distinguish what at first might appear to be a relatively benign event from one that could be more threatening. For example, we can easily detect a user accessing a SharePoint site, but by correlating that seemingly benign event with information that shows the user is not strongly authenticated, is accessing the systems remotely, and is requesting highly sensitive, unencrypted data, our security teams can be much more effective in handling this incident. These facts, combined, give us an aggregated content and context aware view of risk.

Our fifth principle is that the application of security must be balanced; we must take both an outside-in and inside-out approach. IT security evolved primarily around network and endpoint protection, making it more device-centric than information-centric.
This was a reasonable approach until the nature of the perimeter began to change faster than we could build new fences around it. Then the pendulum swung in the other direction, where all we seemed to talk about in this industry was protecting the information itself: an inside-out approach to information security. In fact, for all the talk about focusing on the information itself, the overwhelming majority of security spending is still for network-centric security devices, endpoint protection and anti-malware.

The truth is, it's not an either/or proposition. Users are accessing information through a variety of devices, some inside the network and some outside the network; applications can be accessed inside the network, in the cloud, or from our handheld devices; and information travels throughout the IT infrastructure, both internal to the organization and outside it. So our security strategy has to ensure that the right people are accessing the right information through a secure series of transactions and over a trusted infrastructure. The perimeter hasn't gone away. The perimeter just looks different. So we need to think about how we manage the context of the perimeter. If you're running an application on a third party cloud, that doesn't mean your organizational perimeter went away; it just means you've created a new outpost.

As you well know, many European countries, France for example, have laws that regulate the personally identifiable information of their citizens against being stored in data centers outside of the country. Since a core principle of cloud computing is that your information can be leveraged across many different machines in many different places, how do you ensure compliance with this type of regulation? One effective approach is to make the cloud itself content aware. For example, here's a recent proof of concept we implemented at EMC.
Since EMC's Atmos storage platform for cloud based environments allows administrators to determine where to store data in a cloud environment, we decided to embed our data loss prevention technology into Atmos to address exactly this issue. RSA Data Loss Prevention is able to scan for identity information and tell Atmos where to store that sensitive information, based on security policy. Embedded, seamless, transparent, content-aware and effective, in spite of the boundary-less nature of the cloud environment.

The sixth principle is that security has to be dynamic and risk-based. Pretty much everything we've talked about so far is representative of dynamic security focused on risk. The fact of the matter is, criminals and fraudsters are dynamic in their attacks. They are not bound by rules, version support of software, or regulations. They are free to pursue their nefarious interests, and they are creative, smart and adaptive in that pursuit. We have to be just as creative, smart and adaptive in our response. We need the ability to dynamically correlate information from a number of sources and respond to real-time risks that are related to our infrastructures and information. For example, we might want to know if a user is simultaneously accessing his or her bank account from their mobile device as well as from their home PC. If they are, it's likely we have a situation of fraud. We want to know if the CFO of our company who is accessing sensitive financial information from outside the office is also badged in at their place of work; another red flag that we can and should be detecting today.

And finally, our seventh and final principle is that security infrastructures need to be self-learning. For a long time security products had to be more updateable, more knowledge fed, than the average IT infrastructure product.
However, today our ability to force feed the knowledge from humans into these security products can't keep up with the dynamic nature of infrastructures and the speed and sophistication of the threat environment. Our information security strategy must be dynamic and behavior based, more oriented toward the dynamic nature of today's challenges rather than statically solving yesterday's problems. The collaboration that RSA announced this week with Trend Micro is a good example of this. We are working with Trend Micro to take advantage of their real-time intelligence on spyware, viruses, spam and other data generated by their Threat Resource Centers. This information is being leveraged by the RSA Anti-Fraud Command Center to further strengthen protection for our customers.

I'm thinking about that CIO at Bechtel. How many times have you said to yourself, "If I only knew then what I know now?" The changes happening in IT infrastructure today give us the chance to apply what we've learned. We now know that security must be embedded into the infrastructure. That we need ecosystems of solutions. That to be effective, security must be seamless and transparent, relieving the burden from the user. That security technologies need to be content aware and correlated to be truly effective. We also know that our approach must be outside-in as well as inside-out in its application. And that security must be risk based and as dynamic as the criminal ecosystem that threatens our IT environments. And finally, we now know our security infrastructures need to be constantly learning and updating themselves in the face of a sophisticated threat environment.

These seven principles are the critical elements of an effective information security strategy. A strategy that takes a systemic and holistic approach to managing risk and ensuring we reap the benefits of next generation technologies. There are clear benefits to adopting the approach I'm recommending.
You can securely enable new technologies key to driving innovation within your organizations. The new computing models you adopt can dramatically reduce infrastructure and IT costs. There will be clear benefits in terms of faster and more flexible infrastructures. But at the top of this list of benefits is the fact that we will also see better, more effective security. We're already on the path. We're already embracing the trends. We're already seizing the opportunity to get it right.

Before I bring Art back onstage, remember his story about the frog sitting in the pot of hot water? Well, it isn't true. It turns out that frogs are smart enough to leap to safety as the heat rises to dangerous levels, and I'm fully confident that we are too. Thanks very much.

Art Coviello: Thanks, Chris. I hope we are smarter than frogs! So, a brief program note. We have three days with over 70 sessions in 10 class tracks. And, as always, a strong keynote program featuring leaders from our sponsors. The most powerful experience you can bring to the RSA Conference is one that you control yourself, which is to meet your peers, many of whom may be solving security problems that you have just begun to tackle. I wish you a productive and inspiring week.
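The eFraudNetwork story Chris Young tells above turns on two defensive signals: an impossible-travel check on a single account, and IP addresses that one bank flags being shared with every other member so the same address is refused elsewhere. The Python below is an added example written for this transcript, not RSA's code or a description of the eFraudNetwork's actual rules; the account names, the RFC 5737 test-range IP addresses, the country codes and the ten-minute window are constructed assumptions.

```python
"""Toy fraud risk engine modelled on the eFraudNetwork story in the keynote.
Added example with constructed data; not RSA's code or the service's real rules."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Login:
    account: str
    ip: str
    country: str  # ISO 3166 code of the geolocated source address
    at: datetime


@dataclass
class SharedRepository:
    """Stand-in for the central repository 'in the cloud': IPs flagged by any member."""
    flagged_ips: set[str] = field(default_factory=set)


@dataclass
class RiskEngine:
    """One bank's risk engine. Every member bank holds the same SharedRepository,
    which is what lets Bank B and Bank C benefit from what Bank A learned."""
    bank: str
    repo: SharedRepository
    window: timedelta = timedelta(minutes=10)  # assumed: a faster country change is implausible
    last_allowed: dict[str, Login] = field(default_factory=dict)
    watched: set[str] = field(default_factory=set)  # accounts already seen under attack

    def evaluate(self, login: Login) -> tuple[str, str]:
        # Signal 1: shared intelligence. An IP flagged by any member is refused here too.
        if login.ip in self.repo.flagged_ips:
            return "BLOCK", "ip_in_shared_repository"
        prev = self.last_allowed.get(login.account)
        # Signal 2: an account already under attack gets no further new-country access,
        # and each additional IP the attacker burns is shared with the other members.
        if login.account in self.watched and prev is not None and prev.country != login.country:
            self.repo.flagged_ips.add(login.ip)
            return "BLOCK", "account_under_attack"
        # Signal 3: impossible travel. Same account, different country, inside the window.
        if prev is not None and prev.country != login.country and login.at - prev.at <= self.window:
            self.watched.add(login.account)
            self.repo.flagged_ips.update({prev.ip, login.ip})
            return "BLOCK", "impossible_travel"
        self.last_allowed[login.account] = login
        return "ALLOW", "no_risk_signal"


def run_story() -> list[tuple[str, str, str]]:
    """Replay the keynote's sequence. Accounts, IPs (RFC 5737 test ranges) and
    timings are constructed; returns (bank, decision, reason) per transaction."""
    repo = SharedRepository()
    banks = {name: RiskEngine(name, repo) for name in ("Bank A", "Bank B", "Bank C")}
    t0 = datetime(2009, 10, 18, 9, 0)
    events = [
        ("Bank A", Login("A-1001", "203.0.113.10", "NO", t0)),                           # Norway, allowed
        ("Bank A", Login("A-1001", "198.51.100.20", "BS", t0 + timedelta(minutes=1))),   # Bahamas a minute later
        ("Bank A", Login("A-1001", "192.0.2.30", "VE", t0 + timedelta(minutes=5))),      # Venezuela, account watched
        ("Bank B", Login("B-2002", "198.51.100.20", "BS", t0 + timedelta(minutes=30))),  # reused IP, different bank
        ("Bank C", Login("C-3003", "203.0.113.10", "NO", t0 + timedelta(days=1))),       # "it worked yesterday"
        ("Bank C", Login("C-4004", "203.0.113.99", "GB", t0 + timedelta(days=1))),       # unrelated legitimate login
    ]
    return [(bank, *banks[bank].evaluate(login)) for bank, login in events]


if __name__ == "__main__":
    for bank, decision, reason in run_story():
        print(f"{bank}: {decision} ({reason})")
```

Only the first Norway access and the unrelated Bank C login are allowed; every later attempt is blocked either by the per-account signals at Bank A or by the IP already sitting in the shared repository.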