RSA 2012: New Technologies Are Double-Edged Sword, Say Security Execs

The explosion of enterprise data and the influence of the younger generation on business computing are forcing changes to the IT security model that companies simply can't ignore, IT industry executives said Tuesday at the opening of RSA 2012 in San Francisco.

Enrique Salem, president and CEO of Symantec, described the younger generation, i.e. those born in the 1990s, as "digital natives." This group, he said, tends not to rely on a single source of information, such as search queries, to obtain information. Instead, digital natives collaborate to solve problems, and they readily turn to cloud, mobility and social networking technologies to find what they're looking for.

"This is the future of business," Salem said in a keynote at RSA. "It is a freight train of change that is hitting like a sledgehammer."

Joe Sullivan, chief security officer at Facebook, joined Salem onstage to discuss how the social network is adjusting to the changing usage patterns of its audience.

Sullivan cited Facebook's decision to do away with the Subject line while developing its messaging product as one example. Because digital natives don't pay much attention to inboxes, getting rid of the Subject line went largely unnoticed, he said.

"We have to design our product for those digital natives and understand what they want," said Sullivan.

Meanwhile, older members of the IT-using populace, which Salem called digital immigrants, have already clawed their way through the primordial mud of the early Internet. Common wisdom within this demographic is that locking down access is a surefire way to ensure that networks are secure, but this approach slows creativity and problem-solving, Salem said.

Digital immigrants, Salem said, should take a page from the younger generation's playbook by getting rid of the lockdown mentality and adopting a new enterprise security model focused on identity management and monitoring what's going inside, as well as outside, the network perimeter.

Symantec is working with VMware and other vendors on just such a model, but the IT industry will have to help out as well, as standard APIs across cloud services are needed, Salem said.

Another trend that's forcing changes to the security model is so-called Big Data and the analytics it relies on to extract value from masses of information.

The Internet of Things, powered by sensors and devices, has vast potential for business but also brings risks to individual privacy that must be addressed, Scott Charney, executive vice president of Trustworthy Computing at Microsoft, said at RSA.

As Charney noted, geo-location data in particular is driving new and potentially lucrative new services, but the privacy implications of ubiquitous tracking, and user generated content, are looming as challenges.

Charney told the story of a hospital that was seeing an unusually high number of patients returning within 30 days of being discharged. After taking patient data and putting it into the cloud, the hospital eventually figured out that all of the patients had stayed in the same room number, and that there was a bug in the room that was causing people to become re-infected during each successive hospital stay.

Big Data analytics are helping businesses fine tune their operations, but the flip side, Charney said, is that the technology can analyze data about people in ways that could impact privacy. And while the Federal Trade Commission's Fair Information Practice Principles (FIPs) are designed to inform users what data a company is collecting, people are tuning out due in part to the sheer volume of notices they are getting.

As a result, said Charney, financial companies are now looking at Facebook profiles and photos to determine which of their customers are risks to default on loans, and insurance companies are scanning the social network for photos and other evidence to use in insurance fraud cases.

So-called Advanced Persistent Threats are wreaking havoc on organizations, including governments, and addressing this will require changes to the way security is designed to protect key assets, Charney said.

In Charney's view, most APTs aren't advanced at all, relying as they do, on unpatched systems and social engineering. He said what makes APTs dangerous is that they are persistent -- they occur over time and exhibit attackers' steely determination to get specific types of information from the target.

"We need to adapt out security strategy, need to detect if someone is getting in, and just as important, we need to contain it," Charney said. "We fundamentally have to think different about how we architect networking for containment, including least privilege inside the perimeter."