Balancing Risk and Opportunity Amid Accelerating Consumerization of IT

Transcript of a BriefingsDirect podcast from HP's Discover 2011 that focuses on new security challenges to IT security and the new philosophy needed to address them.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: HP

Dana Gardner: Hello, and welcome to a special BriefingsDirect podcast series coming to you from the HP Discover 2011 conference in Las Vegas. We're here on the Discover show floor this week, the week of June 6, to explore some major enterprise IT solution trends and innovations making news across HP's ecosystem of customers, partners, and developers. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host throughout this series of HP-sponsored Discover live discussions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

We're here now to talk about security, and the interesting intersection of security with the consumerization of IT, whereby enterprise IT directors and managers are being asked to do things that people are accustomed to with their home media and/or messaging and other fun gaming and entertainment activities.

It's an interesting time. We've got more threats. We hear about breaches in large organizations like Sony and Google, but at the same time, IT organizations are being asked to make themselves more like Google or Amazon.

So, let's talk about that. We're here with Rafal Los. He is the Enterprise Security Evangelist for HP Software. Welcome to BriefingsDirect.

Rafal Los: Thank you for having me.

Gardner: Rafal, what comes to your mind when we say "consumerization of IT?"

Los: I think of the onslaught of consumer devices, from your tablets to your mobile handsets, that start to flood our corporate environments with their ever-popular music, photo-sharing, data-gobbling, and wireless-gobbling capabilities that just catch many enterprises completely unaware.

Gardner: Is this a good thing? The consumers seem to like it. The user thinks it's good productivity. I want to do things at the speed that I can do at home or in the office, but this comes with some risk, doesn't it?

Los: Absolutely. Risk is everywhere. But, you asked if it's a good thing. It's a good thing, depending on which platform you're standing on. From the consumer perspective, absolutely, it's a great thing. I can take my mobile device with me and have one phone, for example, on which I get my corporate email and my personal email, and not have four phones in my pocket. I can have a laptop from my favorite manufacturer, whatever I want to use, bring it into my corporate environment, take it home with me at night, and modify it however I want.

That's cool for the consumer, but that creates some very serious complexities for the enterprise security folks. Often, you get devices that aren't meant to be consumed in an enterprise. They're just not built for an enterprise. There's no enterprise control. There's no notion of security on somebody's consumer devices.

Now, many of the manufacturers are catching up, because enterprises are crying out that these devices are showing up. People are coming after these big vendors and saying, "Hey, you guys are producing devices that everybody is using. Now they are coming up into my company, and it's chaos." But, it's definitely a risk, yes.

Gardner: What would a traditional security approach need to do to adjust to this? What do IT people need to think about differently about security, given this IT consumerization trend?

Need to evolve

Los: We need to evolve. Over the last decade and a half or so, we've looked at information security as securing a castle. We've got the moat, the drawbridge, the outer walls, the center or keep, and we've got our various stages of weaponry, an armory and such. Those notions have been blown to pieces over the last couple of years as, arguably, the castle walls have virtually evaporated, and anybody can bring in anything, and it's been difficult. Companies are now finding themselves struggling with how to deal with that.

We're having to evolve from simply the ostrich approach where we are saying, "Oh, it's not going to happen. We're simply not going to allow it," and it happens anyway and you get breached. We have to evolve to grow with it and figure out how we can accommodate certain things and then keep control.

In the end, we're realizing that it's not about what you let in or what you don't. It's how you control the intellectual property in the data that's on your network inside your organization.

Gardner: So, do IT professionals in enterprises need to start thinking about the organizations differently? Maybe they're more like a service provider or a web applications provider than a typical bricks and mortar environment.

Los: That's an interesting concept. There are a number of possible ways of thinking about that. The one that you brought up is interesting. I like the idea of an organization that focuses less on the invasive technology, or what's coming in, and more on what it is that we're protecting.

From an enterprise security perspective, we've been flying blind for many years as to where our data is, where our critical information is, and hoping that people just don't have the capacity to plug into our critical infrastructure, because we don't have the capacity to secure it.

Now, that notion has simply evaporated. We can safely assume that we now have to actually go in and look at what the threat is. Where is our property? Where is our data? Where are the things that we care about? Things like enterprise threat intelligence and data storage and identifying critical assets become absolutely paramount. That's why you see many of the vendors, including ourselves, going in that direction and thinking about that in the intelligent enterprise.

Gardner: This is interesting. To use your analogy about the castle, if I had a high wall, I didn't need to worry about where all my stuff was. I perhaps didn't even have an inventory or a list. Now, when the wall is gone, I need to look at specific assets and apply specific types of security with varying levels, even on a dynamic policy basis, to those assets. Maybe the first step is to actually know what you've got in your organization. Is that important?

Los: Absolutely. There's often been this notion that if we simply build an impenetrable hard outer shell, the inner chewy center is irrelevant. And, that worked for many years. These devices grew legs and started walking around these companies, before we started acknowledging it. Now, we've gotten past that denial phase and we're in the acknowledgment phase. We've got devices and we've got capacity for things to walk in and out of our organization that are going to be beyond my control. Now what?

Don't be reactionary

Well, the logical thing to do is not to be reactionary about it and try to push back and say that can't be allowed, but it should be to basically attempt to classify and quantify where the data is. What do we care about as an organization? What do we need to protect? Many times, we have these archaic security policies and we have disparate systems throughout an organization.

We've shelled out millions of dollars in our corporate hard-earned capital and we don't really know what we're protecting. We've got servers. The mandate is to have every server have anti-virus and an intrusion prevention system (IPS) and all this stuff, but where is the data? What are you protecting? If you can't answer that question, then identifying your data asset inventory is step one. That's not a traditional security function, but it is now, or at least it has to be.

Gardner: I suppose that when we also think about cloud computing, many organizations might not now be doing public cloud or hybrid cloud, but I don't think it's a stretch to say that they probably will be some day. They're definitely going to be doing more with mobile. They're going to be doing more with cloud. So wouldn't it make sense to get involved with these new paradigms of security sooner rather than later? I think the question is really about being proactive rather than reactive.

Los: The whole idea of cloud, and I've been saying this for a while, is that it's not really that dramatic of a shift for security. What I said earlier about acknowledging the fact that our preconceived notions of defending the castle wall have to be blown apart extrapolates beautifully into the cloud concept, because not only is it that data is not properly identified within our "castle wall," but now we're handing it off to some place else.

What are you handing off to some place else? What does that some place else look like? What are the policies? What are the procedures? What's their incident response? Who else are you sharing with? Are you co-tenanting with somebody? Can you afford downtime? Can you afford an intrusion? What does an intrusion mean?

This all goes back to identifying where your data lives, identifying and creating intelligent strategies for protecting it, but it boils down to what my assets are. What makes our business run? What drives us? And, how are we going to protect this going forward?

Gardner: Now thinking about data for security, I suppose we're now also thinking about data for the lifecycle for a lot of reasons about storage efficiency and cutting cost. We're also thinking about being able to do business intelligence (BI) and analytics more as a regular course of action rather than as a patch or add-on to some existing application or dataset.

Is there a synergy or at least a parallel track of some sort between what you should be doing with security, and what you are going to probably want to be doing with data lifecycle and in analytics as well?

Los: It's part and parcel of the same thing. If you don't know what information your business relies on, you can't secure it and you can't figure out how to use it to your competitive advantage.

I can't tell you how many organizations I know that have mountains and mountains and mountains of storage all across the organization and they protect it well. Unfortunately, they seem to ignore the fact that every desktop, every mobile device, iPhone, BlackBerry, WebOS tablet has a piece of their company that walks around with it. It's not until one of these devices disappears that we all panic and ask what was on that. It's like when we lost tape. Losing tapes was the big thing, as was encrypting tapes. Now, we encrypt mobile devices. To what degree are we going to go and how much are we going to get into how we can protect this stuff?

Enabling the cause

BI is not that much different. It's just looking at the accumulated set of data and trying to squeeze every bit of information out of it, trying to figure out trends, trying to find out what you can do, how you make your business smarter, get to your customers faster, and deliver better. That's what security is as well. Security needs to be furthering and enabling that cause, and if we're not, then we're doing it wrong.

Gardner: Now, I guess this is a bit of a leap. It might even be considered hype. But, based on what you've just said, if you do security better and you have a more comprehensive integrated security methodology, perhaps you could also save money, because you will be reducing redundancy. You might be transforming and converging your enterprise, network, and data structure. Do you ever go out on a limb and say that if you do security better, you'll save money?

Los: I don't think it's hype at all. Coming from the application security world, I can cite the actual cases where security done right has saved the company money. I can cite you one from an application security perspective. A company that acquires other companies all of a sudden takes application security seriously. They're acquiring another organization.

They look at some code they are acquiring and say, "This is now going to cost us X millions of dollars to remediate to our standards." Now, you can use that as a bargaining chip. You can either decrease the acquisition price, or you can do something else with that. What they started doing is leveraging that type of value, that kind of security intelligence they get, to further their business costs, to make smarter acquisitions. We talk about application development and lifecycle.

There is nothing better than a well-oiled machine on the quality front. Quality has three pillars: does it perform, does it function, and is it secure? Nobody wants to get on that hamster wheel of pain, where you get all the way through requirements, development, QA testing, and the security guys look at it Friday, before it goes live on Saturday, and say, "By the way, this has critical security issues. You can't let this go live or you will be the next . . ." -- whatever company you want to fill in there in your particular business sector. You can't let this go live. What do you do? You're at an absolutely impossible decision point.

So, then you spend time and effort, whether it's penalties, whether it's service level agreements (SLAs), or whether it's cost of rework. What does that mean to you? That's real money. You could recoup it by doing it right on the front end, but the front end costs money. So, it costs money to save money.

Gardner: Okay, by doing security better, you can cut your risks, so you don't look bad to your customers or, heaven forbid, lose performance altogether. You can perhaps rationalize your data lifecycle. You can perhaps track your assets better and you can save money at the same time. So, why would anybody not be doing better security immediately? Where should they start in terms of products and services to do that?

Los: Why would they not be doing it? Simply because maybe they don't know or they haven't quite gotten that level of education yet, or they're simply unaware. A lot of folks haven't started yet because they think there are tremendously high barriers to entry. I'd like to refute that by saying, from the perspective of an organization, we have both products and services.

We attack the application security problem and enterprise security problem holistically because, as we talked about earlier, it's about identifying what your problems are, coming up with a sane solution that fits your organization to solve those problems, and it's not just about plugging products in.

We have our Security Services that come in with an assessment. My organization is the Application Security Group, and we have a security program that we helped build. It's built upon understanding our customer and doing an assessment. We find out what fits, how we engage your developers, how we engage your QA organization, how we engage your release cycle, how we help to do governance and education better, how we help automate and enable the entire lifecycle to be more secure.

Not invasive

It's not about bolting on security processes, because nobody wants to be invasive. Nobody wants to be that guy who stands there in front of a board and says, "You have to do this, but it's going to stink. It's going to make your life hell."

We want to be the group that says, "We've made you more secure and we've made minimal impact on you." That's the kind of thing we do through our Fortify Application Security Center group, static and dynamic, in the cloud or on your desktop. It all comes together nicely, and the barrier to entry is virtually eliminated, because if we're doing it for you, you don't have to have that extensive internal knowledge and it doesn't cost an arm and a leg like a lot of people seem to think.

I urge people that haven't thought about it yet, that are wondering if they are going to be the next big breach, to give it a shot, list out your critical applications, and call somebody. Give us a call, and we'll help you through it.

Gardner: HP has made this very strategic for itself with acquisitions. We now have ArcSight, Fortify, TippingPoint. I have been hearing quite a bit about TippingPoint here at the show, particularly vis-à-vis the storage products. Is there a brand? Is there an approach that HP takes to security that we can look to on a product basis, or is it a methodology, or all of the above?

Los: I think it's all of the above. Our story is the enterprise security story. How do we enable that Instant-On Enterprise that has to turn on a dime, go from one direction strategically today? You have to adapt to market changes. How does IT adapt, continue, and enable that business without getting in the way and without draining it of capital?

If you look around the showroom floor here and look at our portfolio of services and products, security becomes a simple steel thread that's woven through the fabric of the rest of the organization. It's enabling IT to help the CIO, the technology organization, enable the business while keeping it secure and keeping it at a level of manageable risk, because it's not about making it secure. Let me be clear. There is no secure. There is only manageable risk and identified risk.

If you are going for the "I want to be secure" thing, you're lost, because you will never reach it. In the end that's what our organizational goal is. As Enterprise Security we talk a lot about risk. We talk a lot about decreasing risk, identifying it, helping you visualize it and pinpoint where it is, and do something about it, intelligently.

Gardner: Now, we also have research and development, and HP has been making significant investments. I wonder if you have any insight into not necessarily HP Labs, but technology in general. Is there new technology that's now coming out or being developed that can also be pointed at the security problem, get into this risk reduction from a technical perspective?

Los: I'll cite one quick example from the software security realm. We're looking at how we enable better testing. Traditionally, customers have had the capability of either doing what we consider static analysis, which is looking at source code and binaries, and looking at the code, or a run analysis, a dynamic analysis of the application through our dynamic testing platform.

One-plus-one turns out to actually equal three when you put those two together. Through these acquisitions and these investments HP has made in these various assets, we're turning out products like a real-time hybrid analysis product, which is essentially what security professionals have been looking for for years.

Collaborative effort

It's looking at when an application is being analyzed, taking the attack or the multiple attacks, the multiple verifiable positive exploits, and marrying it to a line of source code. It's no longer a security guy doing a scan, generating a 5000-page PDF, lobbing it over the wall at some poor developer who then has to figure it out and fix it before some magical timeline expires. It's now a collaborative effort. It's people getting together.

One thing that we find broken currently with software development and security is that development is not engaged. We're doing that. We're doing it in real-time, and we're doing it right now. The customers that are getting on board with us are benefiting tremendously, because of the intelligence that it provides.

Gardner: So, built for quality, built for security, pretty much synonymous?

Los: Built for function, built for performance, built for security, it's all part of a quality approach. It's always been here, but we're able to tell the story even more effectively now, because we have a much deeper reach into the security world. If you look at it, we're helping to operationalize it by what you do when an application is found that has vulnerabilities.

The reality is that you're not always going to fix it every time. Sometimes, things just get accepted, but you don't want them to be forgotten. Through our quality approach, there is a registry of these defects that lives on through these applications, as they continue down the lifecycle from sunrise to sunset. It's part of the entire application lifecycle management (ALM) story.

At some point, we have a full registry of all the quality defects, all the performance defects, all the security defects that were found, remediated, who fixed them, and what the fixes were. The result of all of this information, as I've been saying, is a much smarter organization that works better and faster, and it's cheaper to make better software.

Gardner: We talked a little earlier about how good security practices augment your data lifecycle. It sounds like with your ALM and the proper sunrise to sunset of an application's life, security is part and parcel with that.

In closing, let's think about the vision, the idea of security. As you say, you never attain it. It's a journey. But, what should be the philosophy of IT now vis-à-vis security? What's the new philosophy?

Los: The new philosophy needs to be the Sun Tzu quote that we always hear. "Know thyself." Look inward. We, in security, all want to look for the new hotness. What's the latest attack against whatever piece of software that we probably don't even have in our organization?

Important questions

Let's get out of that mentality and stop chasing those ridiculous kinds of concepts. While that may be important on some level somewhere to an organization, big or small, the most important questions are: what do you have, where is your data, what are your business processes, and how are you going to protect them?

If you don't know what your company does, how it performs, how it works, and really what drives revenue, what your organization's goals are, security needs to become part of the business. Security needs to understand the business. Security can't be the little checkbox at the end of every process. It can't. It has to be a part of every process. It has to be a part of every business decision.

It's not a revolution. It's an evolution. It's something we've been talking about forever. Does that mean security teams will eventually go away? Possibly, but here's where I am going with this. I've talked to a couple of CISOs who are doing it absolutely brilliantly.

They've split security into two functions, the operational role that does the day-to-day care and maintenance of the security devices and the operational things that make security work. That's the patching, the IPS management, malware analysis, and the incident response. That's a small team, very tactical, very reactive on the spot.

Then, there is a team that makes the policy and does the governance. That is the team that actually understands the business, that has a philosophy that protects the organization. They're
not reactive. They have long-term vision. They have long-term strategies aligned with organizational goals, and they are flexible. That's the philosophy that we need to get into. That's where it's going, and the intelligent enterprise, big or small, the intelligent company that is going to be doing it right, looking five years, ten years out, is going to adopt that philosophy.

Gardner: Great. We've been talking about the consumerization of IT and security. We've been joined by Rafal Los. He is the Enterprise Security Evangelist for HP Software. Thanks so much.

Los: Thank you.

Gardner: And thanks to our audience for joining this special BriefingsDirect podcast coming to you from the HP Discover 2011 Conference in Las Vegas.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this series of the user experience and evangelist discussions. Thanks again for listening, and come back next time.

Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.