Archive for the ‘Virtualized Desktop Infrastructures’ Category
First I’ll talk a little bit more about some of the elements of a platform and why it’s better than the traditional approach. One of the reasons is that you provide a framework, and by framework what I mean is that you have well-defined concepts and integration points. What are all the ways that I can protect data, in both stream form and block form, in file form and in motion? It gives you a very consistent way of dealing with data. And what that means is that when new things come along, new cloud services or new mobile services, you already have a place built into your architecture where you can add support for them. It’s not a whole new re-engineering and re-architecture, because the framework has accounted for what the structure of the problem fundamentally is.
We’ve all seen lots of frameworks, some of which have been successful and some of which have not. But this is an important element: defining the problem domain that we’re dealing with in a very extensible way. You need to allow other people to plug into that framework at those different extension points, and those points should be both internal and external, so that third parties can plug in. For example, if I’m sharing data with a third party I need to be able to allow them to establish an identity with me, and so one of the things that I need to have built into this data platform is the ability for them to plug in identities, or establish an identity that I can trust at that time and in a dynamic way.
Next, data lifecycle node equivalency. That sounds really technical or complicated, but what it means is that data is always flowing to a system or from a system, through all of these different things: it’s flowing to a home PC, or to an iPad, or to the cloud, and as it does that, all of those need to be treated in some way as equal peers. We need to be able to establish that they all have a certain degree of threat or vulnerability associated with them; they all have a certain risk posture. So there’s an equivalency in the sense that they can all be represented in the same way, as having some basic characteristics. They all have, like I said, the vulnerability, and they all then require a certain amount of protection based on whatever their vulnerability posture is. That way the system can treat each of them uniquely, even though they’re diverse platforms: the way you would protect something on one may not be equivalent to the way you would protect it on another, a tablet versus an internal server in the data center, for example. You may not choose to protect the data the same way, but you need to be able to look at all of those things as nodes and simplify your management, so you can set up high-level policies and then let the system intelligently protect the data and enforce the data protection policies. And that’s the next item.
Once you can look at all the different nodes, what you can do is have the system say: okay, my administrator has set up preferences and wants to prefer hardware encryption where possible, locally on a box. If hardware encryption’s not present, then I want to prefer OS-based encryption, then software-based. And whenever data leaves the box I want it to be encrypted. And if I can’t protect certain paths, I want to block them.
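The node model and the preference ladder described in the two paragraphs above, as an added illustration in Python. This is not Credant’s code or API: the node kinds, the 1-to-5 risk scale, the mechanism names and the sample fleet are all constructed for the example. Every node, whether a laptop, a tablet, a server, a USB stick or a consumer cloud share, is described by the same record, and one policy picks the strongest protection each node can provide, requires data to land encrypted wherever it goes, and blocks the paths it cannot protect.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Mechanism(Enum):
    """Protection tiers in the order the administrator in the talk prefers them."""
    HARDWARE = "hardware"   # e.g. a self-encrypting drive on the box
    OS = "os"               # encryption provided by the operating system
    SOFTWARE = "software"   # agent-level file or volume encryption
    NONE = "none"           # nothing available: the path must be blocked


# Administrator preference order: hardware, then OS-based, then software-based.
PREFERENCE = (Mechanism.HARDWARE, Mechanism.OS, Mechanism.SOFTWARE)


@dataclass(frozen=True)
class Node:
    """Any place data can flow to or from, described the same way regardless of kind."""
    name: str
    kind: str                           # constructed labels: workstation, tablet, server, usb, cloud
    risk: int                           # constructed scale, 1 (low) .. 5 (high)
    mechanisms: frozenset[Mechanism]    # what this node can actually provide


@dataclass(frozen=True)
class Decision:
    allowed: bool
    mechanism: Mechanism
    reason: str


def select_mechanism(node: Node) -> Mechanism:
    """Pick the strongest protection the node offers, in administrator preference order."""
    for candidate in PREFERENCE:
        if candidate in node.mechanisms:
            return candidate
    return Mechanism.NONE


def protect_at_rest(node: Node) -> Decision:
    """Every node must hold data encrypted; a node that cannot is not allowed to hold it."""
    mechanism = select_mechanism(node)
    if mechanism is Mechanism.NONE:
        return Decision(False, mechanism, f"{node.name}: no encryption available, blocked")
    return Decision(True, mechanism, f"{node.name}: encrypt with {mechanism.value}")


def decide_transfer(src: Node, dst: Node) -> Decision:
    """Data leaving src must arrive encrypted at dst; a destination that cannot
    protect it is a path the policy blocks rather than leaves in the clear."""
    landing = protect_at_rest(dst)
    if not landing.allowed:
        return Decision(False, Mechanism.NONE, f"{src.name} -> {dst.name}: blocked, {landing.reason}")
    return Decision(True, landing.mechanism,
                    f"{src.name} -> {dst.name}: allowed, data re-encrypted with {landing.mechanism.value}")


def blocked_nodes(nodes: list[Node]) -> list[str]:
    """Names of nodes that cannot protect data at rest, highest risk first."""
    blocked = [n for n in nodes if not protect_at_rest(n).allowed]
    return [n.name for n in sorted(blocked, key=lambda n: -n.risk)]


# Constructed sample fleet (not real inventory).
LAPTOP = Node("laptop-01", "workstation", 3,
              frozenset({Mechanism.HARDWARE, Mechanism.OS, Mechanism.SOFTWARE}))
TABLET = Node("tablet-07", "tablet", 3, frozenset({Mechanism.SOFTWARE}))
SERVER = Node("db-srv-02", "server", 2, frozenset({Mechanism.OS, Mechanism.SOFTWARE}))
USB = Node("usb-stick", "usb", 5, frozenset({Mechanism.SOFTWARE}))
CLOUD = Node("consumer-share", "cloud", 5, frozenset())
FLEET = [LAPTOP, TABLET, SERVER, USB, CLOUD]

if __name__ == "__main__":
    for node in FLEET:
        print(protect_at_rest(node).reason)
    for dst in (SERVER, TABLET, USB, CLOUD):
        print(decide_transfer(LAPTOP, dst).reason)
```

The point of the uniform `Node` record is the one the talk makes: the tablet and the data-center server end up with different mechanisms, but the administrator wrote a single preference order and a single "encrypt or block" rule, and the resolver did the per-node work.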
Now a big part of this is: okay, now I’ve encrypted my data everywhere, great. At Credant we like to believe that the natural state of the data, frankly, is to be encrypted wherever it goes. That way the data owner stays in control. Now what you have to do is have integrated authentication, managed centrally. You have to be able to unlock the keys and make sure that there are key rings moving around, and group key management. Thus, you have to have authentication and key management integrated centrally into the solution from the start. And if you’re in an environment that needs strong authentication, like smart cards, fingerprints or proximity cards, then that needs to be a part of the solution and fit into that framework that we talked about.
Finally, you need to have collaboration and sharing policies, and I could go on and on about all of that. The benefits of such an approach are obvious: the more the platform can automate, the less work for IT and the less impact on the end user. There are a lot of benefits in terms of improved security and lower cost, and such a framework is extensible for the future. But most importantly, it gives us a way where we don’t have to say: okay, on my Macs I’m doing this, on my servers I’m doing that, on my handheld I’m doing something else. If it’s all tied together through this kind of unified solution, then that really makes a lot of sense.
As I turn the corner to wrap up here quickly, let me give you a short overview of what we’ve done. Credant is 100 percent focused on solving this problem. One of the ways that we’re doing that is by extending the workstation and handheld encryption and data protection that we have with mobile device management and cloud, and also by working with partners to establish third-party plugins into the solution, so that customers who deploy a solution like ours can be sure that it is a future-proof decision, because we’re going to be there providing new plugins and new extensions with other partners in the future. We’re now supporting all of those things except for the cloud, and that’s coming in a couple of months. But it’s all done in an integrated way, from one platform and one console, so that it’s easy to manage. Key management is obviously very important in our system. No administrator touches a key, and no administrator ever has to individually manage keys. The keys flow automatically and transparently, so that’s a great simplification that we’ve provided as part of the platform. Auditing and reporting are obviously also huge and important aspects of the platform, which includes enterprise integration into your directories and your security and event management.
So then, what is managed? The nodes of this data protection fabric include the workstation endpoints, mobile devices and servers. In the future we’re moving even towards storage, cloud and enterprise applications. Things we’ve recently added have been support for Windows Server, virtual servers and VDI environments. We’ve got several banks deploying our solution in VDI settings to protect removable media, because one of the biggest trends we see right now is the need for finance and healthcare in particular to protect data that flows through USB thumb drives. One of the things that we think is exciting is the potential for an SDK into the system, and that’s a clear need in terms of supporting the extensibility goal of a platform.
In summary, traditional bolt-on approaches really don’t meet the current challenges, much less the emerging challenges. So we really believe that enterprises need to be looking for security for the full data lifecycle, and thinking about: how can I have one system that’s going to protect my server data, my Macs, my Windows machines, my endpoints, and all the data that moves between them and into the cloud? And finally, we think the best way to do that is through a platform approach. We don’t see a lot of those platforms really in existence today, but we think that they’re coming, and we intend to lead the way in providing a real platform. People have talked about it, but in terms of the automation, the extensibility, the framework and the plugin capability, we think there’s a lot of room to innovate in the market to help you solve your really important and pressing problems right now.
So what does all this stuff mean? I’ve thrown a lot of numbers and stats at you. I think there are really three significant trends that we see when we talk to organizations about what they are worried about from a security perspective. First, we’ve got all this change in what traditional IT has to encompass. We’ve got Bring Your Own Device, consumerization, virtualization, and we’ve got cloud services. All of these things are occurring right now and churning the infrastructure of IT, and all of them are increasing the complexity of managing these systems, which is not a good thing. We know that makes things harder to track, harder to keep safe, harder to report on and prove compliance. At the same time, the physical implementation of IT is changing, and the way that information is used is also changing. There’s an incredible increase in the mobility of data, and I think that’s only going to keep accelerating. Information is moving faster, and in greater quantities, to more places than it ever has in the past, and it will continue to accelerate. As a result, tracking that information, understanding who has it and where it is, and so on, is getting harder. Who has access to it? Should they have access to this information?
Meeting compliance requirements, and so on, is becoming extraordinarily difficult. And finally, you know, in case you hadn’t noticed, insiders are a major problem. At the same time, controlling the way that insiders interact with information is also becoming a serious problem. Because of the Bring Your Own Device revolution, and because of consumerization, the ability to manage insiders and the way that they use information is eroding away.
If you think about what people really want, if you think about what your users are going to be asking you for, they are expecting and demanding access to information anywhere, anytime, on whatever device they want to use. They want it now and they want it fast. They want to share it with whomever they need to share it with. They don’t want security to be a roadblock to that access.
At the same time, organizations are responsible for staying in constant control of that data. We have to control who has access to it, maintain visibility, and manage access to that information. These are two really conflicting requirements. They are in a sort of dynamic tension with each other, and that tension has to be managed.
And of course, as I mentioned earlier, cloud is really throwing gasoline on that particular fire. Two hundred and eighty-eight million – if you don’t recognize it – is the number (at least) of files uploaded and accessed on Dropbox every day. That’s about a million files every five minutes. I go back to the nine percent of organizations that don’t think they’re going to see increased cloud usage this year and I say, au contraire, I think they’re already seeing an increase in cloud usage. I think that increase in cloud usage is occurring inside those organizations, or on devices that have been or are attached to those organizations.
End users are bringing what are essentially consumer initiated cloud services into businesses to share, to collaborate, to move, to backup and to store files in incredibly large quantities in a way that is beyond their current ability to control. This is the poster child for consumerization and its impact on our ability to secure information over the next ten years. In all honesty, most organizations have yet to get their arms around this problem.
In order to get our arms around this problem, we have to move from thinking about devices to thinking about data. It seems pretty obvious, because the devices are out of our control, proliferating at a rate that we can’t manage, or are simply virtual devices that exist somewhere else. We’ve got to think about data and data-centric security. The best way to do that is to focus on building data-centric security into the way that we think about information security in general. It’s the only way to meet the challenges of consumerization and mobility. But to do that, we’ve really got to focus on the core of data-centric security, and I would argue very strongly that things like encryption and tokenization are what essentially make data self-defending. They both have to remain the fundamental enabling approach for data-centric security. By enabling, I mean it lets you build a data-centric security mechanism, but it also enables your organization to take advantage of new technologies and new approaches to more easily facilitate what your users want to do. To do that, though, you’ve got to ensure that security is seamless. It has to just work. If I take information from a thumb drive, move it onto my laptop, move it into a virtual platform, and then move it off there into cloud storage that I access from my smartphone or tablet, all of that has to just happen. It has to happen in a way that doesn’t impact my ability to get my job done. Ultimately, building that capability is the core challenge for IT and IT security over the next five to ten years.
What about you? What do you think about these core problems? What other threats are you seeing? If you have any questions, comments or feedback, I’d love to hear it. At CREDANT, we work with some of the largest organizations in the world to help them build seamless data-centric data protection that allows employees to get their jobs done without causing problems. We do it in a way that seamlessly reduces risk, including the risk of a breach, so information can move from device to device in a managed and secure manner.
As we look down the road at what the next year holds, let’s take a look at the biggest perceived data threats in 2012. It’s hard not to think about Roland Emmerich’s movie 2012, but hopefully our predictions for potential threats will be a little less apocalyptic than the ones in the movie. Perhaps a little more sensible and realistic.
There are some excellent reports out there on this topic – the Ponemon Institute released “The 2012 State of the Endpoint Report” and “Aftermath of a Data Breach.” Great resources.
In general, confidence in security is not doing very well. Sixty-six percent of people, according to the studies, felt that they are not more secure than they have been in previous years or are at least unsure about their level of security. And, that may or may not be an accurate reflection of the reality. Maybe it’s in part due to the level of coverage that breaches receive and the larger scale, hacktivism type of attacks that occurred over the course of the last year. We are either in a state where people don’t trust information security or we’re in a state of change, a sort of crossroads that remains to be seen. Regardless, there are some big decisions that need to be made.
Thinking about some of the emerging trends from last year, incidents of viruses and malware rose from about 27 percent of organizations to 43 percent of organizations. However, the organizations that made data protection a priority saw that same percentage drop significantly from 61 percent to 29 percent. So what’s going on here really?
I think what’s going on is that we’re seeing organizations actually being more concerned about other issues. In fact, I think the reason is that they think they’re going to have more important things to worry about. That’s not to say that malware and viruses are not real problems; they certainly are. But the big-ticket item that I think is really causing concern is this huge growth in mobility. The increase in the number and the range of mobile platforms is a real challenge.
Inevitably, there’s a wave of concern building around cloud computing and how we manage cloud as its impact on enterprises starts to grow. So these are what I think are diverting attention away from some of the old staples of security discussion. Mobility, resources, data mobility, mobile platforms, consumerization and cloud are absolutely huge challenges.
So what is on the rise? Mobility, hands down. The share of organizations saying that there was a significant risk posed by mobile devices such as smartphones and tablets increased dramatically: nine percent to 48 percent of organizations foresee this as a problem. We’re seeing mobile platforms being increasingly targeted. There is also the exponential growth in the Bring Your Own Device (BYOD) realm. There’s a consumerization aspect: average employees are walking into the organization saying please connect my phone, tablet, etc. There was a study published at the end of last year by the Computing Technology Industry Association on the use of mobile devices in healthcare. They said that at the end of last year about 30 percent of doctors were already accessing medical records online through applications running on smartphones and tablets, and that number is likely to grow to something like 50 percent by the end of 2012. The challenge of managing that, and of extending the controls in place to cover those devices, is a very significant one. It’s not really any surprise that we see a big jump in concern about mobile devices and mobile computing on a broader scale.
Another trend that’s on the rise is the increasing number of virtualized environments. The 2012 State of the Endpoint Report showed that 52 percent of organizations felt that their investments in virtualized environments of some kind are going to increase over the course of the year, or have already increased over the course of the year. It’s sobering to note that almost half of organizations don’t have a single department dedicated to virtualization security. Most organizations simply share the responsibility between departments, which blurs the boundaries of who owns what.
Other increases, which aren’t really surprising, are that 91 percent of organizations saw third-party or internal cloud computing risks increase. Most organizations are planning to increase their investment in the use of the cloud. It’s probably also no great surprise that a lot of organizations are still struggling with what that cloud strategy should look like. Forty-one percent say they didn’t really have a cloud strategy yet, and frankly, I can’t blame them, because it is a complex question. The strategy has to embrace the entire organization, and yet the very nature of the way a lot of cloud services are delivered tends to undercut the central control of the typical IT and security organization, by essentially delivering services to individual business units and sometimes to individual users. It’s a complex problem, and it’s getting more complex.
Stay tuned for the next post, where we’ll continue looking at data threats to watch out for in 2012.