Planning Enterprise Security at the Design Stage

Friday, March 11, 2011

Rahul Neel Mani


Carlos Solari, Vice President, Cyber Technology and Services, CSC, in an exclusive conversation with Rahul Neel Mani, speaks on how organizations should deal with their security framework at the design stage.

Q: You’ve spent a lot of time with the US army and a few years at the White House. You have seen almost all aspects of information security. What is it today and what would it be tomorrow?

A: Out of the many things that are affecting the industry, one that catches the attention instantly is convergence. Everything has gone the IP way.

It is not over yet. For the first time in the US, there are two very important types of commercials which I talk about. One is TV as a computer, an IP computer. It is important to understand because if someone is going to sell you a TV (that is a computer), the network on that ground should be able to deal with it. The second one is moving to IP-based 100 m/sec capacity for mobility.

Mobility without constraints and 4G are making smart devices extremely powerful. The last point is Cloud. In the past we had to depend on physical isolation of the data center. But with the developments of today, the layer which was used to gain access to the network is slowly withering away.

These things are leading to a complete transformation of how IT is deployed and used. But unfortunately the security considerations have not kept pace with these developments. It still remains an afterthought for a vast majority of organizations. ‘We’ll think about that later’ is still the syndrome.

The biggest question that arises here is how we design the security architecture in a corporation. The practitioners have to understand security at the protocol level and then design a security architecture intended for a ‘service’ and not just a ‘box’. From the past, where we had separate infrastructures, to the present, where we have mobility with 4G and the cloud, you’ll see a complete transformation of the infrastructure and of the modalities of how we do information security.

So, the main concern is whether we have designed the security according to the modalities or we have forced ourselves to design it. At CSC (Computer Sciences Corporation), we talk about security and the role that it plays in the enterprises of today. CSC also works as a managed service provider to many large, prestigious organizations across the world. We’re looking forward to working with good partners and OEMs to make security a key component of the overall IT architecture and also to deploy security in the cloud.

Q: For a moment, let’s not talk about the technological aspects at all. The community at large, the professionals, tend to ignore small things that later on become big problems. I would like you to comment upon those small things that should be carefully implemented so that they don’t become large problems at a later stage.

A: If more security managers start testing and validating before they deploy anything, the industry, consisting of the developers and product makers, is going to start paying attention. That is going to do something bigger than other things. So far there has been little or no change in the industry’s behaviour. I strongly believe that changing the industry’s behaviour by being a good gatekeeper will be a great first step.

Q: The practitioners have been making efforts to address point problems with point solutions. But they fail to reach the fundamental, the root cause of the problem. So, what are those fundamental problems and are there any possible solutions to those problems?

A: It is a fact that enterprises can’t be the invader because they don’t have enough resources. They can’t afford to operate information security as they don’t have enough people who know about the technology.

When I was the CIO at the White House, we actually took the services of Bruce Schneier, who is the most coveted name in the information security industry today and also runs Counterpane Internet Security, which does end-to-end security management for organizations. We actually decided to outsource our security services to a commercial service organization to look at it on a 24*7 basis. Any incident that took place on our network was reported to us instantaneously.

That little model served us well on many occasions. As we look into the future, we can think of many things that can be done by a managed security service provider (MSSP) to integrate all those technologies and deliver a service to help detect the problems. I believe that a lot of things that MSSPs have done traditionally in the past can be utilised to integrate everything together and provide it as a service at different levels like bronze, silver, gold and platinum.

For example, if someone asks for platinum level service that would mean security on a 24*7 basis. I think that’s one of the solutions we at CSC are also going to provide extensively. Going forward, the important thing for us is creating a good mark for ourselves.

Q: This is more about logical security. Can it also be extended to the convergence which is happening in logical and physical security?

A: I think we’ll have to look at converging logical and physical security functions. The days of separate physical and logical security functions are over. I strongly believe that we have to hook the wagon to that horse because it is the horse that has to do the running for us. This market has got a lot of potential but there are a lot of complexities too. It is still evolving.

Q: I read your comments in one of your last interactions with the media and came across the term “intrinsic security”. So, tell us about the ideal security model for an enterprise, both in logical and physical terms.

A: Yes, I did use this term, but at the same time I caution that it can be misunderstood and not correctly used. “Intrinsically Secure”: we use this term to convey a process where you think about security at the point of design.

So, in an enterprise you need to identify your assets and risks and then develop the network architecture accordingly. In the past we have been doing the opposite of it. For example, in many cases a system administrator has almost the same level of access controls as the end users.

So, we would require those who have greater access to be subject to much stricter configuration controls, limitations on what they can do, monitoring of what they do, etc. That will bring in the right kind of security design and framework. We will have to look at the different kinds of things that would go into the intrinsic design of the security so that the firewalls and intrusion detection systems are more effective.

Q: Everyone is aware that cyber attacks seem to be growing faster than the sophistication of cyber security, which is still in a nascent stage. What could possibly be the new forms of cyber attacks? How should we be thinking of safeguarding ourselves?

A: It is a fact that today the attacks and malware are more generalized, like attacks on operating systems, commercial applications, etc. The notion that you can design ‘zero-day’ threats for things that run, we’ll see more of that. It takes a lot of sophistication, so we’ll know that a threshold has been breached. That threshold is a ‘wake-up’ call. And now that it’s proven that it can be done, it should make countries mindful that it can be done and it will be done.

The other one is the core question of ‘privacy with social networking’. What have we given up? It’s an interesting topic, because some argue that we never really had it in the past. In the future it’s all about reputation, which is represented by your job and by the money you have in your account. Figuring out how we deal with reputation and protect privacy is going to be a transformation that we have to make happen.

Q: It can end up in a long debate, as privacy is a very controversial issue. What are the main challenges associated with the human aspects of data and network security?

A: I have always emphasized the fact that awareness is a very important tool. But let’s depend less on awareness and more on intelligent systems. So, we need to get better at figuring out how we approve security without thinking about educating our end users. The attackers have to figure out how to trick people, so I would say that our money is better spent on developing smarter systems than on educating people on how to see the attacks.

Cross-posted from CTO Forum
