I was in Stockholm a couple of weeks ago to speak at an EMC Forum and was able to sit in on the keynote, given by Chad Sakac. As anyone who has attended EMCworld knows, Chad is a great speaker: energetic, interesting and insightful. His keynote explored the theme of transformation, including the transformation of the old world of static security to a new world of dynamic security.
What struck me in Chad’s keynote, as well as in the discussion of this topic in a recent blog by Chuck Hollis, is that the insight here is not just a question of innovation, important as that is. More significantly, it provides essential thought leadership, bringing forward a succinct and compelling statement of the issues security must address and of a strategy for addressing those issues. It presents security as a core consideration in embracing the transformational opportunities and imperatives confronting organizations. It demonstrates that leadership goes beyond developing best-in-class technology to developing the fundamental understanding of the transformations that technology must respond to and serve.
RSA has a long history of exactly this kind of transformative thought leadership, starting with the publication of the RSA algorithm in 1977 and continuing through the announcement of Distributed Credential Protection just a few weeks ago. One of the most core areas of thought leadership for RSA over the past few years has been the trusted cloud and secure virtual infrastructure. This is the focus in a recent publication on side-channel attacks by Yinqian Zhan and other researchers, including Ari Juels, Chief Scientist at RSA.
The research is important, demonstrating the seriousness with which an organization needs to consider security implications when moving sensitive information and workloads to a public cloud provider. It’s a rigorous investigation of one way in which the shared infrastructure of a cloud service provider could be exploited by attackers. But as Ari says in his blog on the paper, the attack is fairly narrow, though the implications are broader than the attack itself and similar attacks might be mounted against other hypervisors. The research, focused on Xen rather than HyperV or VMware, is readily demonstrable in a lab environment but harder to accomplish in the real world. The RSA Labs page on the attack touches on mitigation strategies for that attack in terms of physical isolation of workloads. Good practices like being vigilant in patching can also help mitigate the risk of the attack.
In fact, the leadership represented in this research is complemented, and even surpassed, by the thought leadership that Ari and other individuals throughout RSA have done in technologies and strategies enabling trust in the cloud and virtual infrastructure. RSA has done extensive work, both independently and with a broad range of partners, on the strategies that mitigate the risk for external attacks, insider attacks and inadvertent compromise of security or privacy. We have taken a major role in organizations like Cloud Security Alliance, dedicated to realizing trust in the cloud. We have acquired and developed technologies like Asset Criticality Intelligence that are fundamental to cloud security. RSA Labs has also done ground-breaking work in developing technologies that enable enterprises to audit the security and availability of data entrusted to the cloud.
Nowhere is RSA thought leadership in security as clearly evident as in our vision for and commitment to trust in the private, public and hybrid cloud and the virtual infrastructure that enables it. It’s at the heart of the transformation to dynamic security that Chad and Chuck describe. But it goes beyond dynamic security, beyond attack modeling, beyond technology: to exploring the critical roles of people, process and policy; to leadership in critical standards efforts; and to engagement with colleagues across industry, government and academia. RSA will continue to provide thought leadership for the real and fundamental issue of what attackers can do and are doing. But at the same time, our thought leaders like Ari, like my fellow bloggers, like Art Coviello and our executive team will also continue to drive that bigger discussion of how security can support and advance the transformational opportunities before us.