RSA Keynote Address by PGP CEO Phil Dunkelberger
March 23, 2010
Phil Dunkelberger RSA Keynote - Abridged

“Those that cannot remember the past are doomed to repeat it.”
- George Santayana
The history of the information technology sector is one of constant transformation and reinvention. Whether it’s hardware platforms migrating from mainframes to mini-computers, to personal computers to smart phones or proprietary application interfaces being recreated for web browsers, the IT sector has distinguished itself by its rate of innovation and the ability to transition from one computing model to another with ever increasing speed.
The other thing at which the IT industry has proven itself adept is layering on information security solutions in the wake of the widespread adoption of each successive computing architecture. What the security approaches of each of these eras had in common is that they were designed and deployed well after the architecture (and its inherent vulnerabilities) had been deployed. We’ve literally spent generations attempting to lock the barn door days after the cows escaped. Unless we want to repeat this particular piece of our industry’s history, we will need to take a fundamentally different approach as we migrate data and applications into the cloud.
The difference with this transition is that we have the opportunity and obligation to build security in from the start. With the average cost of a data breach now at $204 per record or about $6.75 million per incident, this is an issue worthy of very special focus from IT and security professionals globally.
As many of you know, we lost my old friend, and former Chairman of the Board at PGP Corporation, Max Hopper, earlier this year. Max was responsible for many of the most innovative consumer-facing IT systems ever developed, including American Airlines’ AAdvantage mileage program and Bank of America’s Versateler network. Max taught me a long time ago that the secret to successful information security was to make absolutely certain you got two things right:
· Access and Authentication
· Protection of data in motion and at rest
I asked Max on more than one occasion what else was on the list, and his reply was always, “That’s pretty much it.”
Fortunately, most of the technologies required to achieve what Max taught us was important already exist. The challenge is that we now need to adapt the existing authentication and encryption technologies to the cloud environment. There are, however, a few new aspects of cloud computing we’ll need to consider as we do this:
First, enterprises will need to operate and interact with more than one cloud environment. There will be hosted application clouds, infrastructure clouds, web hosting clouds, custom application, etc. Each of these cloud environments will present potentially new vulnerabilities that hackers will attempt to exploit in pursuit of the data each holds and we’ll need a well thought out threat based protection model to address them well.
Second, the regulatory environment will make deployment of comprehensive cloud based data protection systems not just a business imperative, but also a legal one. Even if your business isn’t covered by the existing requirements of HIPAA, SB-1386, Sarbanes-Oxley, or the EU Privacy Directive, you certainly will have new compliance requirements emerge from the data protection legislation pending in the U.S. Congress.
Third, as the TJ Maxx breach in 2007 and the Aurora attack earlier this year demonstrated, hacking into public and private sector networks is no longer the sole province of bored graduate students and script kiddies. It’s now dominated by well-organized and well-funded organized crime syndicates and nation states. The line between cybercrime and cyberwar has begun to blur, and only a very well designed and coordinated collaboration between the public and private sector will enable us to address the growing threats both now pose.
Finally, the proliferation of cloud based applications and services, combined with the global deployment of what we now call smart phones, will dramatically expand the requirement to get the Access & Authentication about which Max was so emphatic “right”. People, devices, applications and entire cloud infrastructures will all interact constantly in an increasingly hostile environment. Consequently, we’ll need to have a global trust system in place that allows each of these entities to authenticate their identity and veracity to one another in support of each interaction and transaction.
We are early in our journey to the cloud and we have some time to develop the security systems needed to fully leverage the promise of cloud based computing. But, this is one of those situations where time will move very, very quickly. If we don’t focus on building this new computing infrastructure securely from the start, it will very soon become too late to ever secure it correctly and we will, indeed, be doomed to repeat history.
Posted by Dr. Larry Ponemon at 12:03 pm