Anton Chuvakin is Director of PCI Compliance Solutions at Qualys. He is a noted security expert and co-author of Security Warrior. I interviewed Anton recently about the different security challenges facing organizations today.
PS: What do you see as the biggest security challenges for organizations using Enterprise 2.0 technologies?
AC: Assuming you mean web applications and web services, cloud computing, and social networks to collectively mean “Enterprise 2.0”, I’d say that challenges start from a nearly complete diffusion of where your corporate data can reside (distributed storage), can be processed (outsourced processing) and can be “accidentally” found (that mobile device or a netbook). Next, let’s now mix it with an amalgam of vertical, national and cross-border regulations, mandates and laws. Add a sprinkle of other new technologies, such as virtualization. Top off with ever-increasing cybercrime, spiced with a still-low chance of criminal prosecution, and you get today’s Security Challenge Cocktail! Will it get better? Only after it becomes worse, and only if you are an optimist.
PS: How have these challenges changed over the past five years?
AC: The key thing is that all the new challenges go on top of the old challenges, rather than replace them. This is scary. So, we used to think that custom malware, DDoS and insider attacks were bad; now we focus on so-called “web 2.0” threats and data loss and theft, but we also have to continue focusing on the threats that were “hot” in the past decade; none really went away. I was thinking about it and I wanted to name one BIG information security problem that has actually been “solved” or at least effectively “dealt with”, and failed to do so. Even something as simple as spam isn’t really solved, but mitigated.
PS: What are the specific dangers posed by de-perimeterizing the enterprise?
AC: Well, imagine that you have no idea whatsoever where your data is. On top of that, you have no idea where your regulated and sensitive data is. You have no idea how it is protected (if it is protected at all) wherever it is located or passing. And, technically, you are still on the hook for complying with regulations concerning that data, despite the fact that you have no idea where it is.
PS: What tools do organizations have at their disposal for countering increasing threats?
AC: As problems go on top of other problems, so do the tools that help solve the problems. Do not believe those who say that “firewalls are useless” or “anti-virus is dead.” They still solve old problems that still need to be solved, plus some of the tools found new uses. For example, you used to think that a firewall blocks access from the untrusted Internet to your network, and that is still somewhat true. However, now the firewall also helps you block attempts to extrude the data from your network by blocking suspicious connections from the inside to the outside. Among newer tools, log management and security information management, data loss prevention (DLP) and web application security scanning are rapidly gaining ground as useful for dealing with today’s challenges.
PS: Which industries have generally dealt with these challenges best so far? Which are lagging?
AC: The financial industry is typically named to be the best, and it well may be. Qualys Laws of Vulnerability research indicates that financial services industry companies patch the security holes almost three times faster than, say, manufacturing. This is a good indicator of overall security program maturity, not just patching the holes. PCI DSS is pushing the retail sector forward, but they are often considered laggards as well.
PS: You’re waiting on line in a coffee shop and hear two CIOs discussing security. Before you pick up your latte and walk away, what’s the one thing that you tell them?
AC: “Drop that data!” Accept that you have failed to protect the data and stop obsessing about doing it. Choose to change your business process (whether via cloud computing or outsourcing or whatever) in such a way that reduces (or, ideally, eliminates) the spread of sensitive data to remote offices, laptops, mobile devices, untrusted partner systems, etc. For example, when reading about recent data breaches and losses, I always wonder, “Why did that lost laptop contain the social security numbers of 200,000 people? What was their security team thinking?” Eliminate the data if you cannot adequately protect it. It is not easy, for sure, but you already know that protecting the data spread across your whole network and a set of other networks and the Internet is impossible…
For more about Anton, you can visit his website.