David Spark here reporting for Tripwire at the 2010 RSA Conference in San Francisco.
Get ready for a long title and a long award name…
Malcolm Harkins, CISO and General Manager of Enterprise Capabilities, Controls and Compliance at Intel Corporation, won the Award for Excellence in the Field of Security Practices. On accepting the award, Harkins told the audience that your organization's point of security failure won't be its technical infrastructure. Rather, our greatest vulnerability is our underestimation or overestimation of risk.
It was a great opening for Scott Charney's presentation. He's the Corporate Vice President of Trustworthy Computing (TwC) at Microsoft. He discussed the shared responsibility of security, explaining that it's about more than just protecting the PC: it's about protecting the ecosystem. He went over some of the basic steps required for protection:
Step 1: Design secure products. Obvious.
Step 2: Concern yourself with identity. The problem is that people want both anonymity and accountability on the Internet. To resolve that tension you have to deal with identity at the application layer: a bank transaction requires identity, while a venue for free speech should offer the option of anonymity.
Looking at traditional threats like botnets, Charney discussed the major problem with IT security, which isn't like any other type of security. Online, there are many types of actors and many types of motives, and all of them look exactly the same on the network. If you're just looking at the network, all you see is some actor with some motive doing something. On a shared and integrated domain, good and bad actors are all mixed together.
Once you start trying to analyze the bad actors you start concerning yourself with the worst case scenarios, which can be devastating. And as you think more about it, you get stuck, and it paralyzes you.
Microsoft doesn't look at security as a Microsoft issue, but as an ecosystem issue. What's required is defense in depth. Charney showed one example, the takedown of the Waledac botnet, which first involved cleaning infected consumers' machines, then blocking emails through Hotmail, and finally a court filing that served notices to certain sites.
Whether private, private cloud, shared cloud, or public cloud, there are shared responsibility issues we all need to concern ourselves with. Charney summed up his presentation with these points:
- Shared Risk Management
- Challenges for Compliance
- Rich, Attractive Targets
- Shared Investigations
- Identity and Privacy
- Information Aggregation
- Appropriate Use
- Global Data Flows
- Shift in Balance and Power
Check out more of Tripwire’s coverage from the 2010 RSA Conference in San Francisco.