RSA president on cloud security: desktops are most vulnerable
By Carol Ko 24-Sep-2010
The new cloud security solution was designed to help manage security, risk and regulatory compliance of cloud infrastructures. Based on the RSA Archer eGRC platform, the dashboard feature is expected to enable organizations to better assess their security and compliance posture across their VMware virtual infrastructure.
"Demonstrating compliance on virtualized platforms has been a labor-intensive and highly complex process, particularly as many of our customers require FISMA compliance," said Chris Day, chief security architect, Terremark Worldwide, a leading global provider of managed IT infrastructure services.
FISMA, short for the Federal Information Security Management Act of 2002, is a United States law that recognized the importance of information security to the economic and national security interests of the country. Title III of FISMA, aka the E-Government Act, requires each federal agency in the US "to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source."
Day continued, "We've given input throughout the design of the RSA solution and fully support their shared vision with partners VMware and Intel. Using the RSA solution for cloud security and compliance will enhance our ability to assess the security of the virtual infrastructure and help the customers that choose Terremark for their cloud infrastructure respond to compliance audits."
Most vulnerable point in cloud infrastructure
Art Coviello, RSA's president and EMC's executive vice president, met with the Hong Kong media for the first time last week at the launch of RSA's cloud security and compliance solution. Below is an excerpt of an interview with Coviello on cloud computing security:
Asia Cloud Forum: In terms of data security, what are the most vulnerable points in a cloud computing environment?
Art Coviello: There is still a lot to be resolved. To date, most virtualization has been about the virtualization of servers. And initially, people virtualize their non-critical apps, and then they virtualize their critical apps. Slowly but surely, when virtualization technology has permeated the whole organization, they go out to desktop [virtualization]. So what I worry about is at the desktop, that we don't have the same level of security to stop Trojans from finding a way in.
If you have a virtual desktop, you can update your anti-virus for everybody in a split second, because you don't have to reach out to every individual desktop -- the desktops are all sitting in one central location. The other thing is, you can create zones where you are in the unsafe part of the Internet, presenting one face, but you create a kind of air-lock if you want to bring any kind of information back to your real desktop. And then at the end of the session, the virtual desktop disappears, and only the information that comes through the airlock would be permitted to go back into the cloud.
So these are things that we have to work through and overcome. I think the weakest link right now is creating these hardware roots of trust and then at the desktop, but we're actively working to solve those issues as well.
Having said that, virtual environments are at their worst no worse than the physical. So no one should hesitate to go to a virtual desktop infrastructure. No one should hesitate to virtualize their server environments and consolidate their data centers. There’s just too much money to be saved.
I actually had a chief security officer (CSO) say to me, "My VMware salesperson is telling me not to worry about security. I am the chief security officer; that's all I worry about -- security." And I said, "Well, rest assured, we're already building security in." Then I took him through some of the things that we were doing. But keep in mind: at their worst, virtual environments are no worse, and can be made to be a lot safer [than the physical environments]. The objective is to use virtualization technology and have infrastructure that is more secure than the present physical one.
Asia Cloud Forum: Can RSA's cloud security solutions protect corporate data from being stolen by insiders who have full access rights to it?
Coviello: First of all, recognize that no security system is perfect. If, for instance, I wanted to figure out a way to send confidential financial information outside of EMC, I could conceivably look at the confidential financial information -- not downloading any of it -- and just maybe know something as simple as what the result of our quarter was. Did we exceed expectations or didn't we exceed expectations? All that I would need to know are the facts -- I wouldn't have to put it on a USB stick or email it to anyone. I'd just need to call somebody up on the phone and say, "Hey, I just got the company's results, we over-achieved expectations, buy the stock because the stock is likely to go up." Or "We didn't meet expectations, sell the stock." Anyone could do that.
So no system is perfect. The security controls are designed to minimize risks. We'll never solve the problem of crime in the virtual world and the online world any more than we solve it in the physical world.