Innovation in Security is a theme that we at EMC and RSA strongly believe in; it was central to my keynote speech at the NCA Security and Technology Conference in Seattle on the 29th of October. Yet, as the day progressed, I could not help but think of how extensively we need to innovate in our security deployments, to enable vibrant new information exchange capabilities, and to sustain the rapid changes in our information-centric lifestyles.
And are we being hit with Change!
Carlos Dominguez, the SVP at Cisco, spoke to the profound impact of Web 2.0 and TelePresence [TP] technologies on our business and social lifestyles. Here, a face-to-face live video exchange enables you to feel like you are veritably before a person who may be thousands of miles away. TP today is the next generation of video conferencing, delivered with a truly natural look and feel, and will soon arrive at increasingly affordable price points. In fact, the reach of TP brought through our local Kinko’s to the masses is indeed profound—think of delivering digital communications sessions with anyone globally, and as easily as the delivery of physical FedEx packages!
Yet, as corporations worldwide vie to adopt this business-enabling service, I couldn’t help but wonder how we shall offer security to this environment. And this was an application where at least there was some hope of creating private virtual networks, and thus of imposing some security.
But there’s a new world emerging out there...
Today, there’s an emergent cloud computing and services rollout in our industry, where TP (when it is offered on the Cloud) might be just one of thousands of cloud services being offered. As I attended the two-day Cisco CTO research symposium on this topic last week, even Vint Cerf, the Internet guru, acknowledged that one of the big limitations facing us in the Cloud is going to be that of trust and security. We grappled with the issue of whether the Internet protocol is adequate for Cloud applications or whether we may eventually need brand-new, forward-looking protocols, perhaps even beyond SOAP and REST. IP is based only on device identity and does not define either location or user identity, which might help with security functionality, particularly with mobility and Cloud computing on the rise.
Secondly, it is going to be hard to maintain consistent policies, or even to know which ones are relevant to the information types at hand, as we seek pools of computing, networking and storage resources optimized for commodity information processing or storage purposes. Many of these objectives are contrary to those permitting robust security.
Yet, services are beginning to spring up, and many uses of these abound where security is not of paramount concern. Amazon’s EC2 and SalesForce.com offer services with some security, and at present, these seem to be acceptable to the initial users.
And EMC is seeding the new infrastructure
Additionally, tomorrow’s requirements are seeded for today with new infrastructure solutions. EMC announced its own Cloud Optimized Storage [COS] solution called Atmos on Nov 10, 2008. This platform is capable of asserting the policies associated with data with respect to where and how its copies are stored [e.g. ongoing World Cup soccer video clips will be distributed globally for storage at many Cloud data centers for quick access, whilst archived World Cup feeds might be relegated to fewer copies at some centralized Cloud locations].
Here, information is transmitted securely from point to point, and the granular capability for responding to peaks and troughs in data access can be intelligently managed, thus adding to the attractiveness of the cost-effective web service capability. EMC’s Atmos COS is adopting EMC’s Security Development Lifecycle to further build an inherently secure solution, and will incorporate RSA’s authentication and encryption technology.
Cloud services need what is classically information-centric security.
Cloud infrastructures will need built-in scope to adopt similar schemas for adding security policies that can be consistently sustained. We already have available identity and information authorization technologies that can be adapted for Cloud applications; RSA has a technology portfolio well suited for this, as embedded and attached solutions, as well as SaaS. What the industry doesn’t have is a schema for federation and persistent application of these security policies and methodologies. Some degree of industry coalition will be necessary here.
Security innovation is our future
In the short run, Cloud might well be a slight incarnation of private Cloud networks for some of the more sensitive corporate applications, with a mix of wider, more public networks where security is not of paramount importance. The scope for innovation in security is boundless, and ventures will proliferate in offering creative solutions, whilst the larger enterprises will work out federation models.
Such is an example of necessary innovation for Cloud. I think you get my point. With ubiquitous computing and communications becoming the mantra, we in the IT and security communities will need to enable new business initiatives securely.
Building trust in emerging ubiquitous and omni-functional IT environments is our new challenge.
[This article may also be read at my RSA Speaking of Security Satchit's blog]