Alan Lustiger, security architect of TD Ameritrade, began a talk on data security last week at Storage Networking World (SNW) by saying, "I really dislike vendors. They tend to be alarmists. They come to you and say, 'You have a problem.'"
The next day, one of the best-known security vendor executives in the business got a chance to refute that comment. "I bristle when I hear, as a security vendor, I only sell fear," said Art Coviello, president of EMC Corp.'s RSA Security division, during his keynote speech, in which he branded the notion "nonsense."
"I am the security guy," he said. "This is my first storage conference. But I'm happy to see, when I looked at the agenda, I would not be speaking in a world of terabytes, petabytes and exabytes. And I don't have to explain why RSA is a part of EMC."
After his speech, SearchStorage.com caught up with the "security guy" for a Q&A session.
SearchStorage: At the RSA Conference in February, you said there would be no standalone security business in three years. Does that mean RSA needed to become part of a systems or an infrastructure company to survive?
Art Coviello: I didn't mean there would not be standalone security applications. There will always be some level of specialization from the sales and development standpoints. What you will see is technologies integrated -- and not just security technologies. There are over 100 technology integrations going on at EMC, roughly 20 in security. All of these technologies will get leveraged. What we're looking to do is share services across a common security platform. We'll integrate authorization, access control, encryption and so on into EMC products. We're also building a common management platform with Smarts and other technologies.
SearchStorage: Did you expect an EMC or another large company to come after RSA?
Coviello: When EMC came calling, I was surprised because I didn't think they were that smart. Well, I don't know if I want to say that. [Editor's note: Too late]. But they are that smart.
Customers were starting to demand that EMC have security built in. EMC created a security group, and that led them to RSA. You need to encrypt data for legal purposes. Then you have keys for encryption, so you need key management. Then you need access control: who's going to need access to your data? So you need authorization. Who's the one company that does key management, encryption, access and authorization control? RSA. Then we started to build in auditing and logging around our applications.
While looking at RSA, EMC also bought Network Intelligence. Joe [Tucci, EMC's CEO] asked my opinion. I couldn't do due diligence, but I said that, strategically, I would endorse some form of authorization and compliance.
SearchStorage: During your time at RSA, did you always feel that security needed to be integrated?
Coviello: We [RSA] might have threaded the needle and become a billion dollar company, but we would've had to eventually merge with an IT infrastructure company.
I started 12 years ago as the CEO at CrossComm Corp. I said, 'There's no reason for this kind of company to exist.' It's fundamental that security has to be built in. But everything took off without security, and I said, 'Maybe there is a place for us as an individual security company.'
Then, as the nature of attacks changed and IT created a more complex environment, we were getting to where we needed to build security into the infrastructure.
SearchStorage: What technologies do companies need for airtight IT security?
Coviello: The Art Coviello of seven or eight years ago would have probably had a heart attack to hear me say this, but you can't have perfect security. You have to do the best you can and have as many layers as possible. Attackers are like water; they'll take the path of least resistance.
Information security is becoming more and more an information management issue. I was talking to a customer who said, 'I'm encrypting everything. Since I don't know what I have on tape, it's easier to encrypt everything.' I said, 'It seems to me you have an information management problem manifesting itself as a security problem.'
SearchStorage: With all the disclosure regulations out there and the need for securing data so obvious, is security still a tough sell?
Coviello: I was visiting a customer in the healthcare industry, and he said, 'We don't have the money.' I said, 'You'll have the money when you get embarrassed.'
SearchStorage: Is that the kind of comment that customers say is an example of a vendor selling fear?
Coviello: I hear that [selling fear comment] from customers. My approach is to say, 'What's your strategy about all this?' I don't lead them -- they make the decisions.
One customer said to me, 'You're just going to recommend that we buy your products.' I said, 'Nooooooooo. Of course I am. But I'm going to recommend them in a way that you need them. Give me some credit for being able to solve your problems.' IBM shows up and rolls a thousand marbles on the table and uses Global Services to get you to spend billions of dollars. EMC can give you security as part of its infrastructure, not as a bolt-on.
SearchStorage: Security goes beyond products to standards. What do you think of standards, such as ISO 27001?
Coviello: Standards are great, but here's the problem with them. It doesn't matter which one you pick, as long as you pick one and do something with it. And because they are standards, they're general. I recommend an industry tailor standards and self-regulate themselves -- these standards are all best practices. They're all too general.