You think you have enough security worries to keep yourself up at night already? These two speakers at a VMworld tech session have even more issues for IT managers to fret over.
Steve Herrod describes himself as a virtualization guy. Paula Long is a storage person. So why, one might ask, were they presenting a VMworld session called Snowden, Target, and Mt Gox Changed the World: Rethinking Data Privacy, Security and Protection?
“Simple,” said Herrod, who is managing director at venture capital firm General Catalyst Partners, and former VMware CTO and SVP R&D. “Everyone has to be some kind of a security person. You can’t do anything in infrastructure or anything around it unless you have that in mind. In fact, it’s when people don’t talk about security or think about it that you tend to get in trouble.”
And that “trouble” doesn’t just live in technical realms. Senior executives are now being held accountable too. Herrod pointed out that, after the Target breach, for the first time a CEO was dismissed over an IT problem. “It’s indicative about how high security has become, as even a board level issue.”
“Security is going to permeate every piece of the infrastructure,” said Long, who is cofounder and CEO of DataGravity, a data-aware storage company that emerged from stealth mode last week. “You’re going to need defenses everywhere.” She said that data security has to start at input, and to be in place at every layer to avoid trouble.
“Even a few years ago, early discussions were around why infrastructure is the layer to insert various types of intelligence for security or availability,” said Herrod. “The thinking was, if you put it at the infrastructure level, it’s always on and always available.”
But, Long pointed out, storage people are always concerned about data protection. They not only have to protect the data itself from loss or corruption, they need to know if data has been accessed, by whom, and whether they were the right people. And if someone leaves the company, especially under unhappy circumstances, you need to know at the storage layer. All that means building data security into the array itself.
The underlying reasons for the increased emphasis on data security are many, noted Herrod. Among the influences are the growing volume of ecommerce, and virtualization and the cloud coming onto the scene. These increased the speed of business until traditional methods of security just can’t keep up, making security more difficult.
The third area is an extension of the first two. With mobility and the cloud, data is no longer safely behind the walls of a company’s datacenter. “There’s no longer a nice little perimeter where all the good stuff is inside and all the bad stuff is outside,” Herrod said.
Security on the Bottom Line
“I’m a cynic. I believe security is hot because it’s hitting the bottom line,” Long said. “There are fines, there’s loss of reputation, there’s customer trust, and there’s employee trust. So anytime we do something that actually hits the bottom line within a corporation, people start to pay attention.” Security breaches have happened in the past, but they were handled quietly, and penalties weren’t high, Long went on. Now with higher fines, tighter regulations, and increased publicity of breaches, the breaches can get very expensive.
But are security people getting more budget to secure the data? The audience’s laughter answered that question. “Security guys should, and since we’re all security guys we should be getting more budget to protect the data,” said Long. “It’s very, very costly to have a data breach happen.”
The problem is, data is in many different forms today, and many are tough to control. While companies have been doing a pretty good job of locking down their databases and core infrastructure, Long said, unstructured data keeps showing up in unexpected places. People don’t realize that unstructured data in query results from those well-secured databases is in [Microsoft Word] doc files, XML files, PDFs, and other unsecured locations, as input to other apps. “Those are equally important to trace, because they’re much more humanly readable and they’re equally important to protect,” she said.
Virtualization can be another hazard to the security officer’s sanity. Long sees virtualized containers that started out pristine, but after a few years grew to millions of files, uncontrolled, with data scattered around in inappropriate places – and no-one has a clue how it happened. “It’s kind of like, you were only going to eat half of that Häagen Dazs, you weren’t actually going to finish it, but it just got bigger without you actually noticing,” Long said. “What happens is, there’s data out in places within that VM that people can get to. We found credit card numbers where they shouldn’t be, social security numbers where they shouldn’t be.”
“You should delete everything you don’t need,” she went on. “Because you’re paying for the storage, you’re paying to back it up. And you should be tiering the data, so you have the right level of protection.” That includes understanding the permissions assigned to users and data.
On the virtual front, Herrod added, for the first time it’s easy to suspend large numbers of machines. That means they don’t get scanned by security and DLP software, they don’t get updated, and when they are spun up again, the data could be at risk.
An Identity Crisis
Part of the problem in securing data, Long said, is that people have multiple IDs. It’s hard to figure out how to map access to data in various locations, to various personas, and to get it right. Users have their Active Directory ID, their mobile ID, a cloud ID, perhaps a Microsoft ID, or one for Dropbox; it’s easy to have 10 or more. Tools trying to track users through the network and grant appropriate rights can’t always keep up with the changing IDs.
“And lots of people want to own your identity,” she said. “There’s some really good places where you can get a single login, places like Ping Identity or 1Password. I also just realized that if you post your mother’s maiden name on Facebook, and maybe the name of your first dog, people already have your password anyway.”
“This is an area that’s ripe for a lot of improvement on all kinds of fronts,” Herrod said. “The commentary is always around convenience versus security, and I think there’s some work to be done.” Today, he said, if you ask the general IT administrator if she knows who has access to what, the answer is likely “No.” Both Herrod and Long agree that something like OpenID that acts as Active Directory for the cloud is coming, with Herrod noting that lots of interesting startups are working on the problem.
Attacks are evolving along with the technology. Long said that denial of service (DOS) attacks are now happening at the data layer. She cited a personal experience where she clicked on a link from a trusted source that launched a decrypt virus. It encrypted all of her data and demanded a $500 ransom (in Bitcoins) to decrypt it. “People are getting clever, and technology has to get more clever,” she said. “The biggest cost is the reputation cost.”
“We’re seeing CFOs and CIOs want information to be secure,” Long said. If someone asked if they’re compliant with SOX or ISO, most people just say, “I hope so” but they can’t do that anymore; there are fines for not knowing. “They have to start building compliance into security, and building it into their whole strategy.”
“The most important thing in any 12-step program is admitting you have a problem,” she noted. “It’s taken us a long, long time to admit. What we’re seeing is that security is now at the forefront; any CIO or IT administrator has to have security as one of their yearly objectives. CIOs have to plot out what they’re going to do to protect the assets of the company.”
Herrod said that he’s seeing some interesting trends in attacking the data security challenge. A lot of startups are thinking about tracking the application lifecycle for their apps, realizing that security problems happen when the application is tested in a different way than it’s deployed. Some take advantage of the speed of today’s computers to simulate bad things that could happen when a packet comes in, others are working on the data itself, building smart storage systems, or thinking about how API access could be governed. “That’s where a lot of the work is going on, especially in the mobile world,” he said. “How can you just protect what is actually going out in the data.”
But a lot of IT infrastructure should have security built in at no extra charge, Long said. She thinks that the network and storage should be protecting themselves. She also believes that the network security stance should be more restrictive, with the default being to block incoming traffic if you’re not sure what it is. “We should all take a little inconvenience,” she said. “Security should be from the perimeter down to the endpoint and back to the perimeter.”
Added Herrod, “A lot of CIOs want a simple answer to the question ‘Am I infected?’ That’s actually surprisingly hard. We’re going to do as much as we can to prevent an infection, but I think just as much effort should go into assuming something bad is going to happen, and figuring out how to isolate it.”
Analyzing the Results
Long also believes that big data and analytics will make their way even more deeply into security. “It’s not just patterns and simulations; it’s how can you in real time look for anomalies and then be more aggressive about shutting things down,” she said. But since that will generate more false positives, she added, we also have to find ways to quickly turn things back on.
Long also believes privacy legislation will be more strictly enforced. IT will need to know that the infrastructure is secure. It won’t be a matter of just filling out a form any more. “The problem (with compliance) is, everyone is not trying to be malicious, they just don’t know,” she said. “You have to be aware, because not knowing doesn’t get you out of any of these laws.”