RSA Cloud Trust Authority: To see things as they might be….not as they are

In his keynote this week, RSA’s Executive Chairman Art Coviello challenged the security industry “…to jump ahead and intercept the future – to see things as they might be – not as they are”.

The timing of this message is significant! We are at one of the most crucial points in the history of IT. In the next five years, we will witness the most dramatic change in how IT is delivered and consumed. Research from leading analysts and anecdotal evidence all around us indicate that IT spending on cloud-based services (SaaS, PaaS, IaaS) will grow from 3% of total IT spending to 30-40%. Let’s pause for a moment – that is a MASSIVE shift in spending and an *unprecedented* shift in culture and attitude. Never before have we witnessed such a shift of infrastructure and applications out of the organization’s hands and into the hands of external cloud service providers.

This move is natural. Can you find a single organization out there with a mission statement that reads “We shall strive to own and operate our own IT”?  IT is a vital but supporting function that most companies would love to consume as a utility delivered by external, expert service providers so that they can focus on whatever their core business might be.   But this state is not easy to achieve.  It will take at least a decade because the cloud has not matured enough to address the complete and diverse range of enterprise IT needs of organizations across different sizes, vertical industries and geographies.  Despite this, it is quite clear that organizations are moving rapidly to the cloud.  The popularity of Salesforce, Google Apps, Amazon Web Services, ADP, Workday, Terremark, Savvis and a whole host of other SaaS/PaaS/IaaS services is proof.  These cloud services have permeated organizations virally through the users and often without the active involvement of the internal IT departments.

The Problem

The early success of cloud services has not yet translated into exponential and unbridled growth. Two major security-related problems are preventing broad adoption of cloud-based services.

First, there is a general deficit of trust in external cloud services. Trust is a big word but is appropriate here. Trust comes with control and visibility. Organizations recognize that they cannot have the same level of control and visibility over cloud services as they have over infrastructure that they own and operate, but today they cannot achieve even remotely comparable levels. This is because service providers offer rudimentary security controls at best, and these controls differ by service provider.

The second problem is a new one for the IT industry and is systemic. Each organization and each service provider would have to establish and maintain large numbers of point-to-point integrations with each other. Integrating with the complex security infrastructure of one external entity is hard enough. Doing it with dozens or hundreds of external service providers or tenants is very resource intensive and unsustainable. No matter how much technology we throw at it, if the security industry does not offer a fundamentally new approach to solve the many-to-many problem, widespread cloud computing will not take firm hold.

RSA’s Answer

RSA answered the call this week with the RSA Cloud Trust Authority (http://rsa.com/press_release.aspx?id=11320), a set of cloud services spanning identity security, information security, infrastructure security and compliance for secure and compliant cloud computing. I describe it in some detail in this video below:

How does this offering fundamentally address the problem described above? Why RSA?

1. We will enable a hub-and-spoke model for security integration and trust relationships. By offering security services in the cloud and for the cloud, we will all but eliminate the need for point-to-point security integration between participating service providers and their tenants. Each organization or service provider will only have to integrate with the Cloud Trust Authority for functions such as identity federation and compliance reporting. They will not have to be aware of the complexity and diversity of each other’s security infrastructure, freeing them up to focus on what they really set out to do – offer and consume the cloud service.

2. RSA will offer a wide set of security capabilities thanks to its rich portfolio of leading technologies spanning identity, information and compliance. We will leverage partner technologies where appropriate – for example, the initial beta offering in 2011 will leverage the Tricipher cloud service acquired by VMware. Most importantly, RSA will link these technologies in meaningful ways, just as we do with our on-premise solutions at our customer sites. Several identity federation services are available in the market today, but none address data security, infrastructure security and compliance along with it. The RSA Cloud Trust Authority is the first offering to target a comprehensive set of capabilities. In fact, our initial offering in 2011 will offer both identity and compliance services.

3. Solving the problem will require an ecosystem approach. If a dozen offerings like the Cloud Trust Authority emerge, we will create a problem similar to the one we want to solve (limiting the number of entities and technologies with which organizations and service providers have to integrate). For completeness of the offering, and to create the necessary concentration of capabilities in a single cloud-based entity, RSA will leverage its industry partnerships with infrastructure and security vendors. Also, to ensure the largest possible ecosystem of trust, RSA will recruit the key service providers. Service providers will benefit by working with the most prominent security solutions provider rather than having to work with several.

4. Last, RSA is a leader in virtualization and cloud computing. We have delivered several industry firsts in the area of virtualization and cloud security over the last 2 years (monitoring, GRC, strong authentication, DLP, etc.). RSA is also a major SaaS provider itself, protecting hundreds of millions of online identities and transactions with its cloud-based offerings. In other words, RSA is already a leader in delivering security solutions ‘in the cloud and for the cloud’. We feel strongly that we are well suited to step up, take this challenge, and create the necessary strong ecosystem and innovation.

We know there is a long road ahead and we know we cannot do this alone. This is a call to action for the entire IT industry. Please reach out to us with your views and join us in solving a problem that is bigger than all of us. The biggest reward, if we get this right, would be the pride of having paved the way for the biggest IT transformation of our generation.

Let’s grab this opportunity to create a lasting legacy!

2 Responses to “RSA Cloud Trust Authority: To see things as they might be….not as they are”

  1. M S Prasad says:

    It is indeed true that trust is required between the service provider and the enterprise/tenant. We have trust building through the RSA-invented PKI certificate, but we also know how computationally complex it is to establish 4 levels of trust in a single chain, leave aside a double-chain system. But limiting it to identity federation, or providing a part of security as a service concept, does not end the process in my opinion.

    The main concern is about the enterprise data (is it secure, in the context that it cannot be viewed by others, lost or leaked to another tenant, and also that it cannot be modified by the service providers). Explicitly, it means efficient encryption at the storage level with a multiparty or group key management system. Perhaps shared security and key management may be best, with proof of data possession and its integrity.
    For compliance and legal issues, a requirement of immutable logs is a must.
    Recently it is also felt that data may not be allowed to cross legal boundaries (defined by the tenant).

    For the BFSI sector it would be prudent to think on the lines of having a simple method to do encrypted data search. I am not referring to the complex, circuitous algorithms of the homomorphic technique. We all know the possibility of sophisticated attacks, either socially engineered or due to protocol/application weakness.

    Thanks, rgds
    M S Prasad
    Sorry for the long story. Hope it is a little relevant.

  2. India has called for global coordination to ensure that the internet continues to thrive without the fear of its misuse, at the London International Cyber Conference, given the nature of the task and the fact that IT networks can be attacked from anywhere in the world.