Cloud security is necessary, but in order for IT organizations to regain control, security has to start above the cloud, in the ozone layer, Symantec CEO Enrique Salem told the crowd at RSA Conference 2011.
Extending the cloud computing metaphor, Salem introduced a new security framework that Symantec calls O3, named after the Earth's ozone layer, which shields the planet from harmful elements and the effects of the sun, and is made up of three molecules of oxygen.
According to Salem, the concept of O3, like the ozone layer, is a three-layered approach to security: a policy engine, or rules engine, to create the rules that govern information, devices and identities in the cloud, including the legacy corporate identities users already own and control; a protection layer where employees and devices are authenticated before they gain access to the cloud and the rules in the policy engine are enforced; and a monitoring layer, or compliance layer, that gives visibility into how policies are being enforced, provides documentation and reports for regulatory compliance and security management across platforms, devices and operating systems.
Salem said with O3, clouds like Salesforce.com, Amazon and others can be protected by a single cohesive framework.
"It has to be a layer above the clouds," he said, adding, "It's policy, protection and monitoring."
Salem said the concept of O3 comes as the old ways just won't cut it. Massive security threats like Stuxnet have changed the game, requiring a new approach to security.
"When you look at Stuxnet, it will be remembered as the attack that moved the game from espionage to sabotage... This is a sophisticated, elaborate and meant-to-destroy attack," he said. Salem said Stuxnet, which targeted critical infrastructure, was the first attack of its kind, but will likely breed similar targeted attacks.
New, targeted threats like Stuxnet, coupled with the consumerization of IT and the explosion of social media and information, underscore that the industry needs to regain control.
"It wasn't that long ago that you as security professionals had control," Salem said. "You had control of the desktop, you had control of the database, you had control of the applications, you had control of the servers, and to some extent, you even had control of the users."
Add to that mix the significant growth of cloud computing, and the face of security changes even further.
"Key information and applications no longer sit in your data center," he said.
For Symantec, that means offering services from the cloud, such as security, backup and recovery, DLP and others under its Symantec.cloud umbrella.
But Salem said offering security in the cloud requires a new approach, O3, which adds governance, protection and visibility to deliver control, confidence and trust.
Salem couldn't say exactly when products and services built around the O3 concept will start hitting the market, but said the identity portion will lean heavily on the technology Symantec gained with its acquisition of VeriSign last year.
Salem said he expects the channel to be a key component in furthering the Symantec O3 strategy from both a resale and security services perspective.
"The channel has a role to play in how we reach out to customers," he said. "Our priority is to make sure all of these solutions help the channel address this market."