Security must evolve to be 'all about the data'

Dell 1-5-10 Series security discussion considers the future threat landscape

There is a fierce debate about whether GMOs -- genetically modified organisms -- with built-in resistance to pests, fungus, drought and other agricultural threats, are a good thing when it comes to our food supply.

But there was little debate on Thursday morning in Boston at a panel discussion among Dell security experts, partners, analysts and customers that the digital equivalent of GMO protection embedded in data will be more than just a good thing -- it will be mandatory to sustain any credible level of security into the future.

The event, the first in what is titled the Dell 1-5-10 Series security discussions, was focused on what the title suggests: What will the threat landscape look like in one, five and ten years, and what should enterprises at all levels be doing to counter those threats?

And while it is notoriously difficult to predict just about anything in IT, the panelists agreed with Don Ferguson, Dell senior fellow, vice-president and CTO of the Dell Software Group, that a security model for applications that "has not changed in decades doesn't sustain us."

That model, which "relies on the program to identify the person and what is the operation," is now obsolete, he said. "Data are everywhere, on the device, in the cloud, moving around. You can't find all the places that are moving it around, so data need to be self-protecting. And existing apps are not coded that way."

Changing that model, said Patrick Sweeney, executive director at Dell SonicWALL, would "solve the BYOD problem."

Instead of focusing on a device or a user, it would be "only about the data -- not about the device, not about the network. You need to protect it, own it, revoke it."

To do that in the next five years, he said, would require three things: "First, encrypt it with enterprise key management. That's fundamental to any BYOD strategy.

"Second, it has to reside in a virtual container that I control, like an embassy that is subject to my rules and my laws. Somebody else can't repurpose it, send it out on an email or do anything with it."

Finally, he said, it would have to possess egress policies that control who can access it. "If I want to revoke the key, I can hit a red button and it doesn't matter if the bytes are still there, you can't read them," he said, contending that if the National Security Agency had had that kind of control over its data, it could have prevented whistleblower Edward Snowden from stealing and passing on classified information to journalists.

Ultimately, he said, access to information will resemble "watching TV."

Tim Brown, Dell fellow and executive director of security at Dell Software Group, said that is also going to require the data itself "to understand what its policy should be, how sensitive should it be and what should be the rules to access it. If we get to that point, then we can have information flowing more freely."

That kind of advance in security, as significant as it would be, will not be a silver bullet, however, panelists agreed. One reason is that the attack surface is exploding with the Internet of Things (IoT).

Jon Ramsey, Dell fellow and CTO of Dell SecureWorks, said the "merger of the cyber and physical domains -- smartphones, smart cars, smart grid -- is very, very concerning. It gives capabilities to threat actors in the physical domain that they didn't have before, especially in critical infrastructure.

"It's interconnecting things that weren't designed to be interconnected, which means we've just changed the risk equation substantially," he said.

Then there is the "human factor." David P. Wrenn, vice president at Advanced Office Systems, wondered aloud how technology is going to "prevent an idiot like me from clicking on a malicious link. That's one of the biggest challenges our industry sees."

Indeed, there was general agreement that the human factor trumps security at all levels, from the CEO who is more focused on staying competitive with the functionality, features and price of a product, to consumers who so far remain much more enamored with features than security.

"A CEO is thinking that you have to have profits before you can lose them," Sweeney said. So, for security to be effective, "it is going to be more like an airbag than a seatbelt."

"It is a business problem rather than a technology problem," Ramsey added. "It's a very competitive market, and it is very expensive to produce secure software."

Yet another human factor, Ferguson said, is that security too often remains an afterthought in software development. "If civil engineers built buildings the way programmers build applications, the first woodpecker would destroy civilization," he said. "The Internet of Things scares me."

Not everyone saw the future in quite such bleak terms, however. Brett Hansen, executive director, Client Solutions Software, said he thinks security will "move from IT to the boardroom. It will become fundamental business discussion, to balance productivity and security and the cost of both."

And Brown said he believes companies will address the human weakness factor. "I see a big trend toward human-based security," he said. "Not about systems and the environment as what people do. See more psychology come into play."
