We had the opportunity to explore this new vision for security in our birds-of-a-feather session on “Building Your Trusted Cloud.” We talked about the threat landscape for cloud, security capabilities that cloud service providers should have, best practices in security for the cloud and in engaging with CSPs. And there were great questions that led us into topics that we hadn’t foreseen.

One of the best of these questions was from Mike Versace of IDC, who asked “What are the big breakthroughs that will make a difference in cloud security?”

Mike’s question was excellent because it challenged us to think about what really mattered in establishing and maintaining that sea of trust. RSA’s Rob Sadowski responded with the developments in GRC tools, best practices and standards that help you manage the risk inherent in moving data and workloads into private, hybrid or public clouds. RSA Software Engineer Matt Coles emphasized the embedding of data security capabilities into technology, like encryption built into storage. EMC infosecurity expert Davi Ottenheimer spoke to the critical developments in embedded security in the virtual infrastructure. Matthew Gardiner of RSA called out the importance of new developments in security visibility and analytics technologies. And EMC security consultant John McDonald spoke about the breakthroughs in risk-based authentication as critical to the mobile user environment.

It was great to have such a range of breakthroughs recognized, especially because they also represented a good cut at the most essential capabilities for establishing trust in the cloud. Sure there’s lots of work still needed in making these breakthroughs fully effective. But the essential elements for establishing and maintaining the trusted cloud are here. Maybe that’s the biggest breakthrough of all.

• 

Most of the keynote, delivered by David Goulden (EMC COO), was about the new ViPR storage controller and data services capability being released later this year, including a demo of ViPR by Andy Brown, CTO of UBS. But towards the end of the keynote, David invited Jason Rader, Chief Security Strategist for RSA (and a presenter at #EMCworld this year in the RSA session on “Assessing the Value of Information Assets”) to show how cybersecurity attacks can be detected and responded to. Jason did a great job showing Jeremy Burton and all of us in the audience how potential attacks are visible in Archer, how they can be analyzed to determine whether the attacker has caused damage or exfiltrated information, and how the incident can be tracked and responded to effectively.

The solutions pavilion opened for a reception after the keynote. It was great to see that cybersecurity had a substantial presence there as well. RSA has a dedicated booth this year, including a theater with security-related presentations like “Anatomy of an Attack”. There were also quite a few other security-related vendors, like Varonis, who are doing  with a great demonstration of their support for big data analytics in detecting anomalies in access patterns.

So it was a good day for cybersecurity at #EMCworld, including our four well-attended security-related sessions. Lots of interest, lots of energy! I’m looking forward to the rest of the week.

• 

I’ll be moderating the BoF, drawing on the recent Cloud Security Alliance meeting at RSA Conference US in February, the review of OECD Security Guidelines in Paris in early April and my presentation at the Cloud Security Summit last week in Orlando to frame the most critical security questions that enterprises need to consider when establishing private clouds or engaging with cloud service providers. The presenters that I mentioned in earlier blogs (John McDonald, Jason Rader, Matthew Gardiner, Matthew Coles and Yael Villa, who will be presenting instead of Michal) will join me to explore these questions. We’ll be joined by other cybersecurity experts from RSA and EMC, including Davi Ottenheimer, Rob Sadowski and Ash Devata. And there will be lots of opportunity for folks in the audience to pose questions, respond to points made by the panelists and introduce issues that are top-of-mind for them.

You never know where the conversation will go in a BoF! But I’m expecting that we’ll focus on four major topics. The first is the threat landscape for the cloud, especially for the public cloud. What threats do you need to need to consider when thinking about cloud deployments? How do you assess the risk implied by those threats? What do you do about mitigating, transferring or insuring against those risks?

The second topic is security capabilities in and for the cloud. We’ll explore questions such as what should you expect from a cloud service provider in terms of controls and visibility? Where are we in terms of embedded security in cloud infrastructure and where are the big gaps?  We’ll then turn to the third topic: best practices when you entrust data and/or workloads to the cloud. How do you decide what data you can entrust to the cloud? What can you do to enhance the security of mobile devices accessing apps in the cloud, such as in terms of multi-factor authentication?  Finally, we’ll look at the security issues in managing the relationship with the cloud service provider. How do you decide what level of trust you can realistically have with a CSP? What kind of visibility can you have, really, into their infrastructure?

Please join us for this great BoF! And I hope you’ll follow my blogs and tweets @robtwesgriffin throughout EMCworld.

• 

The application of Big Data analytics to security has resulted in a transformation not only in detecting and responding to threats. It also transforms how we establish and evaluate trust, based on understanding risk rather than expecting absolute security. This transformation doesn’t just affect security professionals. Understanding trust is critical for many of the topics that are explored at EMCworld, including cloud, virtualization, storage and document management. Understanding trust can help in enabling new business opportunities, finding more effective operational processes and working more effectively with partners.

This approach to trust through understanding and responding to cyber risk will be a focal topic in several sessions. John McDonald, well known to EMCworld audiences for his past sessions on security for disaster recovery, will be talking about how to understand and address the security risks for virtualized infrastructure. There are important ways in which virtualization has transformed risk, including in terms of ways to mitigate those risks. As always, John’s session will be great fun, as well as deeply informative.

Matthew Coles will discuss the transformation in trust from the perspective of the security capabilities that are being built into EMC products. Matthew’s responsibilities in the EMC Product Security Office give him unique insight into these capabilities and how to use them effectively.

Jason Rader will take yet another point of view on risk by describing a pragmatic approach to evaluating the value of information assets. He’ll bring to the session his practical experience in how to understand the value of your information, discussing how that understanding can be applied in critical decisions such as what information can be entrusted to the cloud.

Join us for these great sessions! And I hope you’ll follow my blogs and tweets @robtwesgriffin throughout EMCworld.

• 

One of the major themes at RSA Conference this year was the transformation in security analytics: the way that Big Data capabilities enable dramatic improvements in detection and response to threats. We’ll be exploring that transformation in many of our presentations, in our birds-of-a-feather session on “Building your Trusted Cloud” and at the EMC booth. Matthew Gardiner will give a great session on the intersection of Big Data and security in his “Big Data and Security have collided: What are you going to do about it?” He’ll show how Big Data has transformed security, making it possible to find those needle-in-a-haystack attacks.  He’ll also show how Big Data itself can be secured. Examples from sources as diverse as Target and Mr. Bean (yes, he has a lot to teach about security!) will certainly keep the talk lively.

Michal Blumenstyk- Braverman will approach this transformation in security analytics from the perspective of the attacks that she sees on a daily basis in her work at RSA’s Anti-Fraud Command Center. Though her work is highly sensitive, in her session on “Cyber Intelligence to Combat Cyber Crime”she’ll show some great examples of the attacks the AFCC has intercepted and of the underground economy in malware and stolen identities. And she’ll show how cyber Intelligence and big data analytics have transformed the AFCC’s ability to detect and respond to these challenges.

In the next several blogs I’ll talk about some of the other security topics we’ll be exploring at EMCworld 2013. Stay tuned!

• 

We face important challenges, including the large backlog of work that has accumulated since the publication the PKCS #11 v2.30 draft specification in October 2009. We spent most of the first day of the face-to-face exploring those challenges through presentations by many of the TC members, discussing not only the details of corrections and enhancements to the PKCS #11 API, but also larger questions of whether PKCS #11 can be of benefit in critical areas such as mobile, cloud and virtualization security. One of the highlights of the Monday session was a presentation by Burt Kaliski on the history of PKCS #11, showing how the standard has adapted as the needs of the industry changed. That was a very encouraging insight, especially given how many areas there are in which PKCS #11 can be of benefit.

By the end of the face-to-face, we scoped out the most critical work items that we should consider for the first release of PKCS #11 as an OASIS standard. We still have lots of work to do to nail down that list and then to realize it in the specification, other documents and supporting processes. But PKCS #11 is once again alive and well!

• 

The winner of the Innovation Sandbox, Remotium, addresses a critical problem in mobile device security: the segregation of enterprise information and applications from the personal environment on the mobile device. The problem is well-understood. The approach is well understood. The innovation derives from the details of how they solve the problem. This problem-driven approach to innovation is one I’ve taken in numerous projects: working as a consultant to identify a problem that needs to be solved and then building a product to address that need. 

What struck me in the Innovation Sandbox is that there are other approaches to or aspects of innovation that were not as well represented among the finalists. For example, in 2012 RSA introduced Distributed Credential Protection, a product that came out of an idea from RSA Labs. DCP was an innovation based on a research insight, developed from that insight to address a significant issue in password security. 

In addition to the genesis of innovation in response to a problem or in development of an insight from the world of research, there’s a third very important source of innovation. That’s the recognition that a capability that already exists can be applied more broadly, or to a different problem, or in different ways. The capability that QuintessenceLabs has developed for high-throughput generation of true random was the result of this kind of recognition of the unexpected benefit of a capability developed for other purposes. In developing their Quantum Key Distribution product, QuintessenceLabs built a capability for generating entropy by splitting a laser beam and using the divergences between the resultant splits to create a continuous, high-throughput photocurrent of true random. This photocurrent is then processed to create a bit stream, providing on the order of 2 gigabits of true random per second. 

QuintessenceLabs has productized this capability independently of their Quantum Key Distribution product, including realizing it not only in a rack appliance but also in a PCIe card. This is an innovation supporting that “value of uniqueness” that Dr. Vint Cerf discussed in his keynote at the conference: the foundational component required for cryptographic-based trust for secure mobile connections, pervasive encryption for cloud environments, credential generation and a host of other applications. 

This capability from QuintessenceLabs is a great example of innovation and the unexpected, of looking at a capability in a new way and seeing that it solves a whole set of problems that you weren’t thinking about. It also points up the importance of looking for the unexpected when it comes to innovation. We need to be sure not to blind ourselves to innovation by the very processes – even ones as good as the Innovation Sandbox — that we put in place to encourage innovation.

• 

This message has been reinforced for me in the past couple of days here at this year’s RSA Conference. My conference activity started Monday morning with the Cloud Security Alliance summit and Tom Weatherford’s keynote on his work at DHS. Much of what Tom talked about concerned the government strategy for cyber security. But I was particularly struck by his comment that one of the two fundamental directives in the recent executive order on cyber security was the requirement to increase the sharing of information in addressing threats: from government to the private sector, from the private sector to government, and between government departments. That collaboration imperative is also evident in the role that DHS is taking on, according to Tom, as the first point of contact for the private sector when seeking help from the federal government on cyber security issues.

The need for collaboration was touched on by Art Coviello in his keynote again this year. And our announcement of collaboration with Juniper is also a great example of this collaboration. Each of our companies has security information that complements what the other has. Combining this information strengthens the ability each of us has to detect and respond the cyber threats.

This imperative was already in the forefront of my thoughts. Because of how many security professionals attend RSA Conference, we scheduled the OASIS KMIP face-to-face for the week before the conference and the face-to-face kick-off meeting for the new OASIS PKCS 11 technical committee for the week after. These two standards efforts represent major collaborative efforts to achieve effective security standards. The KMIP standard has been very successful (though of course there is still lots to do), as evidenced by our recent completion of v1.1. We’re just beginning the development of PKCS #11 in OASIS, but there has been a phenomenal level of interest and support for the effort.

These announcements, activities and events may not be the stuff of Ludlum thrillers. But the collaboration imperative does have the potential to make a real difference in addressing the security threats we face.

• 

We have an impressive list of initial sponsors for the TC, including Athena Smartcard, Bloomberg, Cryptsoft, EMC, HP, Oracle, Quintessence Labs, SafeNet, SecureAuth and Thales eSecurity. As a long-time advocate for PKCS #11, as well as the convener for the TC, it’s been great for me to see the level of interest in revitalizing PKCS #11. We knew there needed to be new mechanisms, new language bindings and new functionality for the PKCS #11 API in existing areas of usage such as HSMs and smartcards. But there is a strong and growing interest among committee members in developing the API to address critical requirements in new areas for PKCS #11, such as cryptographic interfaces for mobile and cloud computing environments. We’re also looking forward to strengthening PKCS #11 in other ways, such through providing new implementation guidelines, establishing processes for interoperability testing and defining conformance profiles.

If you’re interested in cryptographic capabilities and cryptographic interfaces, I hope you’ll consider joining the PKCS 11 TC. I look forward to seeing you at the first meeting!

• 

The intent of the article, as well as the presentations on this topic, is to help architects and designers understand the issues and alternatives for symmetric key management for the cloud. The article presents three deployment models, discussing current implementations as well as benefits and disadvantages of each model. It also touches on the role of standards like KMIP in these models.

I’m looking forward to discussing these models further in my session with Cryptsoft’s Tim Hudson at RSA Conference US in February. I hope you can join us there!

•