Art Coviello made a bold declaration during his RSA Conference 2007
keynote address Tuesday: In three years, the security industry as
it is today will cease to exist. And, he said, that's a good thing.
Coviello, president of EMC Corp.'s RSA Security division, said
the vast array of standalone security devices on the market today
will go the way of the dinosaur.
He said security will be increasingly integrated into the larger IT
infrastructure produced by tech giants like Microsoft, IBM and
Cisco Systems Inc. That integration is necessary because companies
can no longer protect critical information with the patchwork of
security software and hardware now in use.
"We're victims of too much of a good thing -- too much
information," Coviello said. "Ninety-six percent of the world's
data is created digitally today. With that torrent, is there any
doubt about the immense challenge before us? You can't secure what
you can't manage."
He said it's hard to manage information security when many
antivirus programs are constantly two months behind the latest
threats, and the typical IDS appliance is only catching 70% of
intrusions. Such security products will be a waste of money going
forward, he added, unless they're built into infrastructure.
"We've built stronger walls around the data, but that data is
fluid and won't stay behind the wall in the first place," he said.
"We need to secure the king instead of the castle. Information is
king and it likes to move around."
He said acquisitions made by big IT infrastructure companies in
recent months -- including EMC's $2.1 billion acquisition of RSA last
July and IBM's $1.3 billion purchase of Internet Security
Systems Inc. (ISS) last August -- show that the industry's
largest vendors understand what's at stake.
EMC took another step toward integrating security into its
storage and data management portfolio Tuesday when RSA announced a
definitive agreement to acquire Hyderabad, India-based Valyd
Software Private Ltd. for an undisclosed sum. RSA also announced it
has established strategic partnerships with CipherOptics Inc.,
Decru Inc., NeoScale Systems Inc. and Epicor|CRS, a division of
Epicor Software Corp.
The acquisition of Valyd is expected to close late in the first
quarter of 2007. "Upon completion, it will immediately provide
RSA's customers with solutions for effective enterprise-wide data
protection for a variety of database management systems and
protection of sensitive data maintained in files against internal
and external attacks," the company said in a statement.
The combination of RSA Database Security Manager and RSA File
Security Manager with encryption solutions from the company's
strategic partners will enable stronger integration between
endpoint security products and RSA Key Manager's capabilities, the
company added.
RSA Key Manager technology will be integrated into Epicor|CRS's
retail point-of-sale product to help protect sensitive information,
such as credit card magnetic stripe data and consumer
point-of-entry data to meet PCI and other data security
requirements, RSA said in its statement.
Coviello said information-centric security must be based on
three things: the understanding that security can't be perfected
and it's best to devote the most time toward protecting the biggest
assets; the need to adapt to changing circumstances in the
development of technology; and defense in depth. Companies, he
said, have been too slow in implementing the last of these.
"We need to remember that understanding and assessing risk is
always first, and we need to share intelligence so we can stop the
criminals together," he added. The further integration of security
into IT infrastructure will help companies address that challenge
as well, he said.
EMC Chairman and CEO Joe Tucci appeared onstage with Coviello
and explained his decision to go on a security company buying
spree.
"This is driven by our customers," Tucci said. "They want us to
secure digital information and they want us to help them with
identity management and access control."
The company has more acquisitions planned for the future, he
said.
While Coviello's vision of an integrated IT security world may
sound good to some people, others expressed skepticism.
Michael Leonhardt, systems architect for San Francisco-based
Building Materials Holding Corp., runs a mostly Windows-based
environment. He noted that while Microsoft has done a lot to
improve security, he doesn't think he'll ever be ready to ditch his
third-party security tools and trust Microsoft alone with his
defenses -- no matter how much security they integrate into their
products.
"I don't see the one-solution environment materializing," he
said. "Attackers are so sophisticated and I just don't see us
dropping our defenses and moving in that direction."
He said the more likely scenario is that companies will become
better skilled at integrating security with the rest of IT on their
own.
"At my company we combined security architecture and
infrastructure into a central group that sits in the middle of our
IT department," he said. "We took security and integrated it into
everyone's job. Everyone's performance is judged on how well they
do security."