As the dust begins to settle on EMC Corp.'s $2.1 billion
acquisition of RSA Security Inc., there are still plenty of
questions as to how the company will integrate the security giant.
SearchStorage.com talked with EMC's vice president of information
security Dennis Hoffman on the challenges ahead with this deal and
how EMC sees security and storage coming together.
What's the integration strategy?
Dennis Hoffman: We want to make RSA an integrated
division of the company, somewhere between a VMware [Inc.] and a
Legato. We want to leverage RSA technology broadly through almost
everything we do. The brand of RSA is so strong, and the product
set is in an affiliated market, generally sold to a different
buyer, [so] there is some need for independence. What's technically
happening is we're creating a security division … RSA is the
foundation of that division, as well as some EMC resources, and
then we will be augmenting that over time with partnerships and
more acquisitions.
More acquisitions! How about integrating this one
first? RSA makes SecurID cards while EMC makes storage hardware
and software. Where's the integration going to actually take
place?
Hoffman: We've been asked: 'We don't see what
fobs have to do with disk drives?' But
that's simply the wrong way to look at the problem. And given
everything EMC has done over the last four or five years, if you
still see EMC as a disk drive company, we're really not getting
a whole lot of credit for the significant change the company's
undergone. RSA is perhaps best known for the SecurID token, but
that's just because it's ubiquitous, everybody has one,
[however] it's not the entire company. The real question is what
does identity and access management have to do with ILM
[information lifecycle management]?
If we raise the issue above storage security to information
security, if you agree that information is data in the hands of a
person, then it stands to reason that to secure information, you
must secure data, and you must secure the person, and that takes
three things: the ability to establish and manage an identity;
technically, it takes the ability to
encrypt and manage the encryption keys
associated with data; and it takes the ability to secure the
information infrastructure between the two. So very
colloquially, it means you have to secure the people, the gear
and the data.
What was so attractive to us about RSA is that they have a set
of integrated technologies across that spectrum. [They have
products that address] the establishment of identity or
authentication … they have encryption, and they've been working for
some time now on building a technology platform or
service-orientated architecture that unites those elements of their
company, a platform upon which other products can leverage those
services … It's the real lynchpin in the whole thing … RSA has been
working on [it] for the last couple of years, and it's something
that they have referred to publicly as the Identity Management
System or IMS. From the perspective of evolving the security of our
storage offerings or our applications, [such as] content
management,
virtualization and network management,
what's most interesting is this Web services platform. It's not
a product, but an enabling technology inside the company.
What does this Web services platform do?
Hoffman: It makes it very easy for applications and
devices to avail themselves of security services, such as
authentication, authorization, auditing and logging, [and]
encryption and key management. It facilitates our ability to build
security into everything we make.
What if customers have non-EMC storage or content management
software from another vendor, will RSA's security products support
third-party products going forward?
Hoffman: RSA is a standard bearer and standard setting.
The encryption standards are RSA, they routinely donate patents to
industry standards groups and they are a very open company. We've
learned [that] we're not going to sell anything into the security
space if it's not wide open. While security may be a bit new to the
storage industry, it's not new to the bulk of our customers. They
have security environments, and they are going to expect us to be a
very good citizen in that environment.
You mentioned that you will be talking to a different buyer.
Who is that person?
Hoffman: The chief information officer and security teams
play [not only] a budgetary purchasing role, [but] they also have
veto power over buying anything that does not comply with their
internal security standards. The security teams will begin to
affect a lot more of the purchase behavior of all devices,
applications and technology that enters the enterprise. We're
seeing that in government, through common criteria standards; we're
seeing it in the financial services industry. It's beginning to
roll out horizontally, too, as things like Visa and MasterCard push
the PCI Payment Card Industry standards.
In other words, it helps EMC win account control?
Hoffman: It definitely broadens and elevates our
relationships with customers because we're able to solve more of
the problem, and RSA is generally viewed as having some 70% to 80%
market share of two-factor authentication. That's roughly double
our stated share of the high-end storage market, or rather the
external storage market, so it stands to reason that they are in
places we are not.
Hence, the well-publicized and talked about bidding war for
this company and the hefty price tag?
Hoffman: It's a very unique company in the security
industry. One of the most ironic things about the information
security market is that almost none of the products in it secure
information. The single largest selling product in the security
market is antivirus software, and that's being heavily commoditized
with the introduction of [Microsoft] Vista, but it's still the No.
1 selling product. It keeps your laptop from catching a cold. But
if all of these laptops that have been lost or stolen from the
Veterans Administration, Fidelity, Unisys lost one recently, it's
happening over and over again. They all have antivirus software,
but it does nothing whatsoever to protect the data itself. As we
looked at that, we realized … there was a giant hole in the market,
everything was perimeter-centric and nothing was actually
information-centric. And when we laid the companies out along that
spectrum, every company was in the perimeter-centric camp, except
for one of any size or scale, and it was RSA. They've always been
focused on the managing of identity and digital assets. While
everybody was on the firewall, intrusion protection, antivirus
bandwagon, RSA stuck to their knitting and created a very strong
position for themselves in this other side of the security
industry, the information-centric side.
How do you get this integration done given all the
acquisitions EMC has made and while the company is morphing into a
different business than just storage? There's a lot of distraction
there.
Hoffman: It's a mixture of three things: pushing and
creating pull, and having clear ownership. The push is the fact
that we have a product policy inside the company that dictates a
baseline, uniform security across everything we make. It is a
requirement that our products comply with that. In order to comply,
they need to do things like authentication, auditing,
authorization, encryption, key management, and so your product must
comply or it won't be releasable. There are engineers that want it
as it's a way for them to get their products to market. The pull
part is around IMS, the Identity Management System. The carrot is
we make it easy for engineers to adopt the technology by providing
it to them packaged in a very nice manner. The last part is
ownership. As we structure the security division, there will be a
very senior executive position reporting to Art Coviello, the CEO
of RSA, who will be president of the division and responsible for
the synergy and integration. Ideally, if this strategy works, we
will have a uniform policy across EMC, you will authenticate into
all EMC products the same way, you will manage encryption keys no
matter where they are in the stack in one way, with one open
product, as opposed to a number of key management silos.
For storage users unfamiliar with key management issues,
what's the biggest problem with this technology?
Hoffman: Its complexity and comprehensiveness. Key
management is complicated because there are a number of things one
does with an encryption key. When you encrypt a piece of data, you
end up storing the bulk of the value in the key, and you have the
same issues managing the key as you have managing the data. It's a
hall of mirrors problem. Key management involves a number of
disciplines. Key rotation, so if you leave something stored for 30
years with the same key, over 30 years, somebody could crack it. So
periodically, you'd like to rotate the keys. But that's
complicated. It's like rotating tapes in a tape device in order to
make certain the tapes still work and tension is where it needs to
be, and they are still readable. But the tapes are stored in a vault
somewhere, and there are encryption keys for each one. So how do I
actually rotate the keys? Key sharing [is another issue]. Two
trusted third parties want to exchange data over the Internet --
how do I get that third party a key securely without giving
everybody a key? [Another issue] is key escrow. I want to store
some data for 30 years, and I want to be absolutely certain I
haven't deleted the data 30 years ago when it comes time to open it
again. It's a time capsule problem. All of the people have changed,
the technology has changed, and somebody wants to read that 30-year
old tape, and I've got to go find a key. How do you escrow those
for long periods of time and trust that they're recoverable and not
compromised?
The comprehensive part is that people want encryption built in
and not bolted onto their infrastructure, and they want it built in
all over the place. Different use cases demand different locations
for encryption. If you're only interested in protecting tape media
that's going away on a truck to be backed up in a vault, you can
encrypt right before the tape device. That protects you against
nothing other than loss of the tape. Anybody accessing the tape
through the system will be automatically given the key. So in some
instances, people want to encrypt in the application so that the
entire stack is protected from intrusion. Others will tell you they
need to encrypt their laptop, their Blackberry, a database field,
the storage device and everything in between.
Key management is complex, and you can end up with many silos of
it that are incompatible. What the market is resisting is broad
distribution or broad adoption of encryption technology because of
their fears of both the complexity of key management from a
technology perspective, and in the absence of a comprehensive
offering, they give themselves an enormous management burden by
creating many silos of key management. Encryption is analogous to
the disk drive. It's wicked high-tech, but it's basically
commoditized. The value is all in the ability to manage the keys of
the encrypted stuff in a way that allows your business to keep
functioning securely.
It sounds like you have two major challenges here: to get the
industry to move toward this approach to security and to integrate
RSA security into all EMC products?
Hoffman: We must simultaneously remain completely open
and convince the industry to adopt the key management strategy that
RSA had launched into the market, while deeply embedding RSA
encryption into everything we do and … in a way that the industry
doesn't look at us as being proprietary.
How do you do that?
Hoffman: By continuing to drive standards efforts -- the
stuff RSA is doing today. But we will undoubtedly fight a
perception problem that we are somehow cornering the market on
encryption or something.
So people will think EMC is trying to lock in
customers?
Hoffman: It's back to the question you asked earlier:
'This is going to be open to other applications and storage vendors
right?' That question comes up from every customer. RSA is
notoriously open. The security industry conference is named after
them. That was another reason this was so important for us. We
wanted to make a statement about our commitment to the way the
security game needs to be played, which is literally wide open --
may the best technology win. But there's no lock-ins.