Techworld Australia brings you an in-depth Q&A with Symantec’s Chief Technology Officer, Mark Bregman.
Techworld: What’s Symantec’s current take on the evolution of IT security? Mark Bregman: For the last several years our stated goal was to help customers secure and manage their information. We, the industry and customers have realised that it is really the information which is critical asset in an enterprise. Intellectual property is the capital of most companies these days. We used to focus on securing the infrastructure to protect the information which lives on it. Today, information moves very fluidly and you can’t ensure which part of your infrastructure it may be on. In fact with cloud computing it could be on someone else’s, so how do you extend security beyond infrastructure to information?
Most of our products and services that customers would be using today are really infrastructure products -- endpoint protection for your PCs, storage management and backup and archiving, endpoint management products, availability software… but the past few years we have focused on information security with acquisitions such as Avanti for data loss prevention, PGP and GuardianEdge for encryption availability, then adding technologies we have developed internally such as Data Insight to access metadata based on storage utilisation around who is using what information ,what files, and who owns them.
Above that is a layer called information governance and that is where it comes together and you talk about things like policy - -who can do what to which data.
What motivated the Verisign acquisition? The need to provide stronger authentication and ultimately identity management solution to drive policy and compliance. They bring us key technologies around authentication, certificate management, between Verisign and PGP some PKI infrastructure capability, scalable key management capabilities. That all will be at the heart of some kind of federated identity solution. Organisations need to not only manage within their organisation, but between them and their partners, suppliers and sub-contractors, the enterpriser and its customers.
What’s your reading on Intel/McAfee? First of all it endorses the importance of security. For a major industry player like Intel to go shell out a significant amount of money to purchase McAfee reaffirms how important security is in the total scheme of information technology. It is too early to tell what they will do with it…. It won’t affect our strategy and what we do with it.
Independent of McAfee and Intel we think mobile security, and beyond mobile security – security of other network connected devices – is going to become much more important. At the end of this year there will be more non-PC internet connected devices than PC-based devices. What is sometimes missed when we talking about that is that it won’t be smartphones or iPads but will be things like smart meters… my washer, dryer, microwave oven [that will be IP connected] as manufacturers want to get a better sense of how people use these devices and they want to do things like remote diagnostics for lower support costs and deliver new services into those devices to create new revenue streams. That “internet of things”, as some academics have called it, will need security.
Are you in discussions with AMD by any chance? We are in discussions with a lot of vendors – lots of chip vendors including Intel on this. It is no secret. This is a hot topic among both semiconductor vendors of all types – Intel and AMD as well as smaller ones like Infineon and ST Micro, ARM and many players building much smaller level controllers.
What is happening with Symantec and the cloud? We announced a cloud-based net backup solution. Customers now using our NetBackup product can now do that in the cloud via our partner Nervonix. Their data centre is not yet in Australia so for some customers that is a barrier. So we will explore opportunities for domestic, in-Australia partners to build out equivalent services. The deal we have with Nervonix is not exclusive.
Has Symantec been continuing its discussions with the Australian government on mandatory data breach notification laws? It is a topic we have been engaged in here and in the US and the EU as it is something which is important to have clarity around data breach notification laws as we operate in a global economy. Among the 50 states in the US we have 47 different data breach laws, some of which are in conflict. In some states If I inadvertently lose encrypted customer data I have to still notify the data even though only some government agencies would be able to decrypt that data. In other states because it is encrypted that is covered by safe harbour. Say we are a California –based company doing business with a customer in New York but our data centre is in Tuscon Arizona. Which law applies if the data is lost? So a consistent law at the national level would help. When you look at that internationally the same problem applies. That is why we are focused on having consistent, actionable data breach laws which are in the best interest of the consumer but also which are manageable by business.
What is your view of mandatory ISP data retention laws? One of the challenges is with any kind of regulation like that is that it sounds good until you spend five minutes doing the math and you figure how much data that is. Depending on how long you retain it you either have even more data which makes it hard to find, or by the time you go look for it, you may not find it. So I don’t think it is very practical. It is the kind of thing that on the face of it sounds like a reasonable idea but when you actually try to work through scenario – how would you use it? – it very quickly looks a lot less practical.
What should organisational security priorities be during the next 12 months? One: they have to still focus on securing their infrastructure. When I say securing I mean not only from a traditional security point of view but making sure if a piece of hardware fails you are not going to lose the data. Backup, recovery, all of that.
Two: Make sure you are managing your infrastructure carefully as you can’t secure it properly if you aren’t managing it well.
Three: secure your information. That is distinctly separate from the infrastructure because information increasingly moves around. I could have tremendous security around the infrastructure that supports my corporate data, but then someone like me or our CEO will figure a way to copy it onto their iPad which is insecure. Unless you are putting security with the information you are still exposed to risk.
Four: think hard about how to secure people – the identity piece. I don’t think we have all the answers on that today but it is something which for CIOs should be front of mind. I don’t mean deploy active directory – that is a part of it. You need to think about how you manage identities – of people, of service your people use – so you can be assured when it comes to the issue of policy, who has access to what action to which information. That is really the only control you have over the security for your critical assets.