Cloud services are being adopted increasingly by organizations. But with adoption comes increased concern, says Symantec's Francis deSouza.
The first thing organizations are worried about is making sure they have the right controls around who should have access to data in the cloud, says deSouza, Group President of Symantec's Enterprise Products and Services.
So, how can organizations ensure cloud security and the protection of their data?
"A good starting point for companies is to look at the cloud and make sure that they have at least the same levels of controls around the information in the cloud as they do with the information in their own environments," says deSouza in an interview with Information Security Media Group's Tom Field [transcript below].
The level of accountability for an organization shouldn't change whether the data sits in its own data center or in the cloud. The security process also needs to revolve around access control, he says. "Who should have access to what cloud services?"
And ensuring cloud security calls for information protection, making sure that encryption and data loss prevention technologies are applied where necessary.
Lastly, security requires governance and compliance "to make sure that [companies] have a good handle on what's happening in the data centers that form the cloud for them," deSouza says.
In an exclusive interview, deSouza discusses:
- How to ensure cloud security;
- The evolving threat landscape;
- What's most misunderstood about mobile security.
deSouza is group president of Enterprise Products and Services at Symantec. In this role he leads product management, engineering, industry relations and operations for Symantec's enterprise security, information management, storage and availability management and managed security services solutions.
Most recently, deSouza served as senior vice president of the Enterprise Security Group where he led Symantec's Endpoint Security, Messaging and Web security, Data Loss Prevention, Compliance and Security Management, Endpoint Management, Encryption, Endpoint Virtualization, and Identity and Authentication businesses. deSouza joined Symantec through the company's acquisition of IMlogic in February 2006. At IMlogic, he was the founder and CEO, building the company into a recognized leader in the rapidly growing market for instant messaging security with more than 750 customers across 23 countries.
TOM FIELD: To get started, tell us a little bit about yourself and your work with Symantec please?
FRANCIS DESOUZA: I'm responsible for our enterprise portfolio here at Symantec and that encompasses three broad areas. The first one is security for the corporate market. The second one is information management, helping customers deal with the exploding amount of information in their environment, things like back-up, archiving and e-discovery. The third one is availability, making sure that their information and their applications are available when they need them.
Breaches Impacting Security Discussions
FIELD: I said at the start of this conversation that in 2011 we saw a number of high-profile data breaches, some of them involving security companies. What impact do you believe these incidents will have on the discussions we have at RSA Conference 2012?
DESOUZA: Coming out of 2011, companies are at the point where they're saying, "Look, it's not a question of if or when they will be attacked, it's a question of how they're they going to defend themselves against it." It's not if or when, but it's about now and what you're doing about that. Some of the big things we saw in 2011 were that more and more of the attacks were advanced and targeted at particular enterprises. A lot of them had involvement of an insider, so companies are thinking about how they defend themselves from an insider-led attack. The attacks were also more information-focused, so the targets were the information assets of companies rather than the infrastructure. And all of this is happening in the context of a hyper-connected enterprise.
Cloud Security Concerns
FIELD: There are a couple of key topics that are coming up at RSA Conference 2012. I'd like to ask you about them. The first is cloud security. Where do you see us making progress with cloud security?
DESOUZA: I think what happened over the last couple of years is that we're seeing cloud services being adopted more and more by corporations, but in a recent survey we did we're actually finding that there's an increased concern about the security associated with moving applications to the cloud. In one recent survey we did, for example, 44 percent of CEOs that we surveyed said that they were cautious about moving business critical applications to the cloud and 76 percent of them said that security was their biggest concern.
So what are companies concerned about? Well the first thing they're worried about is making sure they have some of the right controls around who should have access to what cloud services. For example, everybody wants their employees to be able to use cloud services to do their job, but if an employee leaves, the corporation wants to have some control around whether that employee should continue to have access to that information.
Secondly, they're concerned about the security of the information that's going to the cloud, and so they're looking for things like encryption controls or data loss prevention controls to make sure that appropriate information is being posted to the cloud, and that when it's in the cloud it's being secured appropriately.
Then finally, what they're concerned about is making sure that they have the right level of governance so that they can demonstrate compliance to the relevant regulations that they are subject to. They want to make sure they're getting either audit trails or be able to demonstrate that they've done the right things to the information that's stored in the cloud, because even though it may be in the cloud, corporations are still responsible for it.
Ensuring Cloud Security
FIELD: Based on your research and based on your work with customers, what do you feel needs to be done still to ensure security in the cloud and give these executives the confidence that they need?
DESOUZA: A good starting point for companies is to look at the cloud and make sure that they have at least the same level of controls around the information in the cloud as they do with the information in their own environments, because their level of accountability doesn't change whether the data sits in their own data center or sits in the cloud. That revolves around some key areas. It's around access control. Who should have access to what cloud services? It's around information protection, making sure that things like encryption or data loss prevention are applied where necessary so that the right things are happening when information is sent to the cloud. Then thirdly, it's around governance and compliance to make sure that they have a good handle on what's happening in the data centers that form the cloud for them.
Mobility and BYOD
FIELD: To go in another direction, I want to talk with you about one of the hot topics that's emerging with this conference and that's mobility and the trend of bring-your-own-device to work. We all talk about this; we all deal with it. In your experience, what's most misunderstood about this BYOD concept and the security challenges it brings?
DESOUZA: One thing I will say is that we're definitely seeing a very rapid adoption of mobile devices in enterprises. In one survey we did, 59 percent of enterprises that we surveyed said that they were making their line of business applications accessible from mobile devices, so we're definitely seeing companies embrace mobility very rapidly. One of the things that I think is misunderstood is what's the nature of the security concern? What we're seeing is that the big challenge around mobile devices is a little bit different from the challenge around fixed devices.
The top concerns are things around data loss. They're saying, "Look, I'm concerned about the possibility of malware on a device, but I'm more concerned about the device getting lost and what information could be on that device." One of the key differences between mobile security concerns and PC security concerns is that data loss prevention is the top-of-mind issue. The second thing they're saying is that, "I need to be able to apply sound security principles on mobile devices, even if I don't control them." This whole notion of bring-your-own-device is challenging companies around how they deliver security to devices they don't control. Companies are asking for a way to enforce a level of control around things like passwords, for example, being able to wipe corporate data if the device gets lost, and also a base level of malware protection on those devices.
Re-Focus Security Priorities
FIELD: You made a good differentiation there between fixed devices and mobile devices, and it occurs to me that the security industry has grown up around fixed devices. But with this influx of consumer devices, mobile devices, what are the areas now that security professionals must re-focus themselves on?
DESOUZA: What mobility really changes is who owns the device and who controls the device, because it's a big change to go from fixed to mobile, but it's a much bigger change when mobile means that the device is not even owned or controlled by the enterprise. Mobility enabled the bring-your-own-device phenomenon and that's very disruptive from a security perspective. What it has done is caused a re-think of how you deliver security in a mobile world. It has caused a realization that the most important asset that needs protection is actually the information asset, not necessarily the device itself. And the most important questions in security are not, "Is the device protected," but, "Who are you and what information are you trying to access?"
What this means for security professionals is that they're looking for technologies that help them control corporate information as it goes to mobile devices, and so it's things like data loss prevention on mobile devices. It's being able to wipe the corporate information from devices if the device gets into the wrong hands. It's about being able to enforce strong authentication on mobile devices so you know who exactly is getting information to the corporate assets.
Symantec's Key Messages
FIELD: A final question for you. We've talked about cloud security and we've talked about mobility. We know these will be hot topics at RSA Conference. What are going to be Symantec's key messages at this event?
DESOUZA: I think the overall key message is really going to be ... the future of security is around protecting information assets and identity assets in the new world, and to do that there has got to be a renewed security focus on three areas. The first one is around delivering security in a cloud environment where increasingly corporate data is not just stored in a data center, but is stored in third-party data centers and things like SaaS vendors, for example. One key message is going to be around how companies can ensure the integrity and protection of their information in a cloud and hybrid environment.
Next, we're going to talk about securing mobile devices, especially in a world of bring-your-own-device. We're going to talk about making sure that information assets aren't lost on mobile devices through things like enhanced security through data loss prevention.
Thirdly, we're going to focus on how we can help companies protect a highly virtualized environment in their data center. A lot of companies are viewing virtualization as their onramp to the cloud, and we're going to talk about the security challenges associated with doing that and how companies can address those challenges.