Coviello: In 3 years, no more stand-alone security

Coviello, president of EMC Corp.'s RSA Security division, said the vast array of standalone security devices on the market today will go the way of the dinosaur.

RSA Conference 2007 Can't make it to the show? SearchSecurity.com staff members are on the RSA floor, on hand to deliver the latest RSA Conference 2007 news and updates.

"We're victims of too much of a good thing -- too much information," Coviello said. "Ninety-six percent of the world's data is created digitally today. With that torrent, is there any doubt about the immense challenge before us? You can't secure what you can't manage."

He said it's hard to manage information security when many antivirus programs are constantly two months behind the latest threats, and the typical IDS appliance is only catching 70% of intrusions. Such security products will be a waste of money going forward, headed, unless they're built into infrastructure.

"We've built stronger walls around the data, but that data is fluid and won't stay behind the wall in the first place," he said. "We need to secure the king instead of the castle. Information is king and it likes to move around."

We need to secure the king instead of the castle. Information is king and it likes to move around. Art Coviello RSA Security

EMC took another step toward integrating security into its storage and data management portfolio Tuesday when RSA announced a definitive agreement to acquire Hyderabad, India-based Valyd Software Private Ltd. for an undisclosed sum. RSA also announced it has established strategic partnerships with CipherOptics Inc., Decru Inc., NeoScale Systems Inc. and Epicor|CRS, a division of Epicor Software Corp.

The acquisition of Valyd is expected to close late in the first quarter of 2007. "Upon completion, it will immediately provide RSA's customers with solutions for effective enterprise-wide data protection for a variety of database management systems and protection of sensitive data maintained in files against internal and external attacks," the company said in a statement.

The combination of RSA Database Security Manager and RSA File Security Manager with encryption solutions from the company's strategic partners will enable stronger integration between endpoint security products and RSA Key Manager's capabilities, the company added.

RSA Key Manager technology will be integrated into Epicor|CRS's retail point-of-sale product to help protect sensitive information, such as credit card magnetic stripe data and consumer point-of-entry data to meet PCI and other data security requirements, RSA said in its statement.

Coviello said information-centric security must be based on three things: the understanding that security can't be perfected and it's best to devote the most time toward protecting the biggest assets; the need to adapt to changing circumstances in the development of technology; and defense in depth. Companies, he said, have been too slow in implementing the latter.

"We need to remember that understanding and assessing risk is always first, and we need to share intelligence so we can stop the criminals together," he added. The further integration of security into IT infrastructure will help companies address that challenge as well, he said.

EMC Chairman and CEO Joe Tucci appeared onstage with Coviello and explained his decision to go on a security company buying spree.

"This is driven by our customers," Tucci said. "They want us to secure digital information and they want us to help them with identity management and access control."

The company has more acquisitions planned for the future, he said.

While Coviello's vision of an integrated IT security world may sound good to some people, others expressed skepticism.

Michael Leonhardt, systems architect for San Francisco-based Building Materials Holding Corp., runs a mostly Windows-based environment. He noted that while Microsoft has done a lot to improve security, he doesn't think he'll ever be ready to ditch his third-party security tools and trust Microsoft alone with his defenses -- no matter how much security they integrate into their products.

"I don't see the one-solution environment materializing," he said. "Attackers are so sophisticated and I just don't see us dropping our defenses and moving in that direction."

He said the more likely scenario is that companies will become better skilled at integrating security with the rest of IT on their own.

"At my company we combined security architecture and infrastructure into a central group that sits in the middle of our IT department," he said. "We took security and integrated it into everyone's job. Everyone's performance is judged on how well they do security."