Security no longer about ‘no,’ but ‘know’

• New trends and threat landscape forcing a rethinking and re-strategizing of security in organizations
• It is about giving the right people the right access to the right information on the right device

GIVEN today’s threat landscape and technology trends, security in an organization has gone from “No, you can’t do that” to “know” – identifying who is accessing what kind of information, and where.
 
Touting his company’s Content-Aware Identity and Access management (IAM) vision, Vic Mankotia (pic), CA Technologies vice president for Security in Asia Pacific and Japan, said that security has to move from being seen as an investment or significant procurement to being a business enabler.
 
“It is about people, access, information and device – giving the right people the right access to the right information on the right device,” he told a group of journalists in Kuala Lumpur recently.
 
Mankotia, who before he took up the CA Technologies gig, had spent 10 of his 16 years of industry experience at security software vendor Symantec Corp, said that companies were creating many layers of protection, but noted that cyber-threats were getting more specific in their attacks.
 
The challenge of keeping an organization’s IT infrastructure secure is made more complicated by four key trends – and stop me if you’ve heard this one before:
 
First, it has become a very data-centric and connected world: An IT ecosystem will include both internal stakeholders and external partners.
 
“For instance, take your typical airline as it purchases fuel – it will be connected to the petroleum company and a bank,” Mankotia noted. “You have three companies from three different verticals, all on a common platform.”
 
Second is the Consumerization of IT. “Everybody has multiple devices; desktop shipments may be declining, but there has been a rapid increase in the number of access points,” he noted.
 
The third trend is the need to optimize online interaction. “So many transactions take place online now – in fact, every business aspect has its own online presence,” he said.

Finally, with the cloud, “the perimeter is disappearing,” he said. “There is no longer a DMZ (demilitarized zone); it’s hard to say where your system boundary ends these days.”
 
“Until security becomes a business enabler, you cannot reach the cloud,” he quipped.
 
Today’s workers, especially the younger generation, also communicate differently, using a plethora of platforms. You may have your traditional email users to the social media users; from one-to-one to one-to-many and all the way up to many-to-many communications.
 
All this is forcing a rethinking and re-strategizing of security in organizations, Mankotia said.
 
“Security cannot be reactive any longer; it has to be proactive,” he argued. “You have to know the identity of who is accessing or requesting data, know the risk or value of that data, and know the content or what exactly is being accessed.”
 
“With that, many organizations are looking at Identity Intelligence.”
 
The airport analogy

Traditional Identity and Access Management (IAM) stops at the point of access, CA Technologies said, adding that its Content-Aware IAM vision takes it a step further to help control users, their access and how they handle information. This approach helps organizations protect critical information from inappropriate use or disclosure.
 
Quoting a global survey, Mankotia said that 58% of organizations reported suffering a privacy breach in the past year; with each breach costing an average of US$7.2 million to fix and recover, as well as in terms of damage.
 

CA Technologies’ Content-Aware IAM can be likened to security in an airport as one travels (click slide to enlarge).
  
In Mankotia’s example, your passport is the first layer of security – it identifies you. After that, you need a boarding pass, which is essentially access control. The next step is authentication: That stern security guard facing you down and checking to make sure you are who you say you are, and headed in the right direction.
 
Those videotapes in the lounge and at the gates – they’re recording your session. Your baggage check-ins and x-rays are to determine the contents of what you’re carrying through. Finally, your first-class to economy seating is all about determining and provisioning user privileges.
 
“We’re the only company that provides such an end-to-end portfolio,” Mankotia said.
 
In February, the company announced it was adding capabilities and integrating new releases of its access management solution CA SiteMinder and CA DataMinder (formerly CA DLP), to deliver a Content-Aware security solution and help organizations protect the information stored, accessed and used in the Microsoft SharePoint environment.
 
Saying that CA SiteMinder had strong brand equity, the company has renamed the products and solutions in its security portfolio using the “Minder” naming convention, as illustrated in the slide above.
 
No software-only panacea

Mankotia said he was great potential in Malaysia for his company’s products in three main industries: Banking and telecommunications being traditional targets, with healthcare picking up as more patient data goes online and may need to be shared across practitioners.
 
But while touting CA Technologies’ solutions, he cautioned that there was no software-only solution to the challenges organizations face today in securing and safeguarding their data.
 
“You have to have a combination of people, process and software,” he said, adding that there were other key takeaways he wanted to communicate:
 
“The trust we bestow on people in the connected world is far too high compared with that in the real world.
 
“Finally, 80% of the data people are sharing today is unstructured data – and how this is being shared is the biggest security risk facing organizations.”