Subtlety and Terrain in IT Security

“Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness. Thereby you can be the director of the opponent’s fate.”

-Sun Tzu

“In difficult ground, press on; On hemmed-in ground, use subterfuge; In death ground, fight.”

-Sun Tzu

Source: http://www.suntzu1.com/content/who_is_sun_tzu/

Citrix wrapped up their Citrix Synergy 2011 conference last month in Barcelona and some of you may have noticed a blog post mentioning a collaboration with RSA to integrate RSA SecurID and Citrix Receiver…and I thought it would be worth a more general commentary.

RSA has issued a formal press release on this today as well: http://www.rsa.com/press_release.aspx?id=11566

With the increase in effectiveness of attackers and the corresponding decrease in the effectiveness of more traditional defense techniques, IT and Security staff are looking for “game changing” components to bring the battlefield back into their control or at least make it more favorable. This is what Sun Tzu might have referred to as choosing your terrain and, when that doesn’t work, cheating!

This demands a lot of things, but it also demands that we push the envelope aggressively and use new technologies as they present themselves, such as virtualization, to protect organizations.

So a little about Citrix Receiver (apologies if I don’t do as good a job as Kurt or the gang would): it’s a universal software client (i.e. iOS, ‘Droid, BB, Tablets, Linux, Mac, Windows, thin clients and probably even some kitchen appliances!) that allows organizations to deliver applications, desktops and data to end users, whether corporate owned or BYOD-style. It’s of enormous interest to IT departments because of its efficiency in improving IT “utilization”.*

It’s significant to us in security because it is a great way to abstract data, provide isolation and frankly a new set of tools to establish logical zones and governance of data among them.

And if you are in security you know this is a good thing.

So now we can provide integrated support for RSA SecurID…meaning that hackers have to jump through much bigger hoops to abuse an identity and get to data since that data doesn’t exist by default on the device itself.

Strong Authentication + Applied Virtualization = Game Changer

It’s all about convenience and a higher bar: reduce the ability (by making it progressively harder and more expensive) for bad guys to get to the data that matters.  You can in fact use technologies to get the speed right, the access better, the convenience improved and the security bar a little higher.  This sort of technology integration, invisible to the end-user, is even more critical as tablets and other devices explode making powerful computing ubiquitous and continual.

So the integration is market ready and optimized…that’s a pretty cool thing for taking control of the terrain and, most importantly, doing it in a way that makes technology more accessible and usable and not just another speed-bump in productivity!

* In spite of its use in IT, I don’t like the word utilization. It’s a personal thing. I think IT has the only application of the word where “use” would not suffice, so I use it grudgingly here. Sorry for the idiosyncratic and personal-pet-peeve related footnote, and feel free to find places where you could use “utilize” instead of “use” and let me know!
