Securing the Cloud: Work With Users to Build Best Practices

By Steen Christensen — Director of Information Security, EMC Global Security Organization

In today’s rapidly changing IT world, business users in your organization are going to seek the agility and increased capabilities of the cloud whether or not your IT operation sanctions it. So your efforts to provide IT security in the cloud need to start with embracing that fact and working to build secure practices from there.

In EMC’s Global Security Organization, we found that the best way to secure the cloud is to actually become a part of it rather than trying to fight it. As a part of the solution, you can build better, secure offerings that will allow you to protect your data and get a better experience for the user.

For the past nine months, GSO has been identifying shadow IT applications (or business-managed IT) in the cloud using a security monitoring appliance, RSA NetWitness, in conjunction with increased security analytics. This gives us a comprehensive view of our network traffic, including shadow IT. And rather than blocking those shadow users from continuing their cloud-based operations, we work with them to provide IT-controlled solutions that will still serve their business needs in a secure way.
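The discovery step described above, as an added example that is not part of the original post and does not use EMC or NetWitness code: a small Python script that does the same kind of shadow-IT discovery over ordinary web-proxy logs. It drops requests to sanctioned services, groups the rest by service, counts distinct users and bytes uploaded, and reports the services that look like business-managed IT rather than one person's browsing. The log lines, the sanctioned-service list and the domain-collapsing rule are all constructed assumptions for the example.

```python
"""Shadow-IT discovery over web-proxy logs (added example, not EMC/NetWitness code)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log: timestamp user method url bytes
SAMPLE_PROXY_LOG = """\
2014-03-10T09:01:12Z alice GET https://mail.corp.example.com/inbox 5120
2014-03-10T09:02:40Z alice POST https://www.dropbox.com/upload 2097152
2014-03-10T09:03:05Z bob GET https://docs.google.com/document/d/abc 8192
2014-03-10T09:04:51Z carol POST https://www.dropbox.com/upload 4194304
2014-03-10T09:05:13Z dave PUT https://api.box.com/2.0/files/content 1048576
2014-03-10T09:06:00Z bob GET https://crm.corp.example.com/accounts 2048
2014-03-10T09:07:22Z erin POST https://www.dropbox.com/upload 3145728
2014-03-10T09:08:45Z alice GET https://docs.google.com/spreadsheets/d/xyz 4096
"""

# Assumed (hypothetical) inventory of IT-sanctioned services: a host matches if it
# equals one of these domains or sits beneath it.
SANCTIONED = {"corp.example.com", "box.com"}


def is_sanctioned(host, sanctioned=SANCTIONED):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def service_key(host):
    """Collapse a hostname to its last two labels so www.dropbox.com and
    dl.dropbox.com count as one service. A real deployment would use the
    public suffix list; this toy rule mis-handles names like example.co.uk."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    ts, user, method, url, nbytes = line.split()
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": urlsplit(url).hostname or "", "bytes": int(nbytes)}


def find_shadow_it(log_text, sanctioned=SANCTIONED, min_users=2):
    """Return unsanctioned services used by at least min_users distinct users,
    most upload volume first. Uploads (POST/PUT) are what matter for data
    leaving the company, so they are tallied separately from total requests."""
    services = defaultdict(lambda: {"users": set(), "requests": 0, "upload_bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not rec["host"] or is_sanctioned(rec["host"], sanctioned):
            continue
        svc = services[service_key(rec["host"])]
        svc["users"].add(rec["user"])
        svc["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            svc["upload_bytes"] += rec["bytes"]
    report = [
        {"service": name, "users": sorted(v["users"]),
         "requests": v["requests"], "upload_bytes": v["upload_bytes"]}
        for name, v in services.items() if len(v["users"]) >= min_users
    ]
    return sorted(report, key=lambda r: (-r["upload_bytes"], r["service"]))


if __name__ == "__main__":
    for row in find_shadow_it(SAMPLE_PROXY_LOG):
        print(f'{row["service"]:<14} users={len(row["users"])} '
              f'requests={row["requests"]} upload_bytes={row["upload_bytes"]}')
```

The min_users threshold is the part worth tuning: a service with one user is usually a curiosity, while three people uploading megabytes to the same unsanctioned file-sync service is a business process that has already moved, and the conversation the post describes (offer an IT-controlled equivalent) starts from that list.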

Continue reading

Striving To Be Less Necessary: Developing Future Security Leaders Is Crucial

By Doug Graham, Senior Director, Global Security Office – EMC IT

I would no doubt turn a few heads if I said, “I’m trying really hard to get to the point where I make no decisions and do no work.” But the fact is, if I ever got to that point as Senior Director for EMC’s Global Security Office, I would be an extremely effective leader by developing my team to lead without me.

I don’t expect to get to that state of leadership obsolescence any time soon. However, I know that a crucial part of being a leader in today’s new Information Security paradigm is working to develop future leaders in our organizations. And one of the hardest things about leading is developing leadership skills in others because as you do, you frankly become less necessary.

Those are some of the points I explored in a workshop about Developing Cross Functional Leadership Skills at the 2014 RSA Conference in San Francisco.

While I am sure that many of the conference attendees will be there to learn new technical skills to be better leaders, these skills are only one of many ways leaders gain power and influence in their organizations.

Continue reading

2013 Global IT Trust Curve Survey: The Impact On Today’s IT Decision Makers


Today, EMC and RSA announced the results of the first-ever Global IT Trust Curve Survey. Through a survey of 3,200 IT and business decision-makers in 16 different countries and 10 industry sectors, EMC took the pulse of C-suite audiences and their awareness and opinions of EMC Trust IT — Advanced Security, Continuous Availability and Backup & Recovery.

Continue reading

The Era of Protecting By Enabling: Securing Enterprise File Sync

By Dave Martin — Vice President and Chief Security Officer

IT managers today are on the forefront of information delivery services. Users are demanding highly available and secure data transfers that are flexible enough to serve them on the road and across multiple devices. The days of traveling physically to a secure location to access a file are fast becoming extinct.

Technology transformation has a major impact on how and where we share information, so it’s natural to expect it to also impact how we provide trust for that information. We stay connected across more devices than ever, in more places. It no longer makes sense to apply old methods of static controls and expensive locks, which mimicked our approach to security of physical locations, in a fast-paced, widespread environment. Traditional methods applied to modern data flows ultimately hinder even authorized processes and build bottlenecks, which prompts users to seek out other service providers.

That is why new and more complete enterprise solutions have been developed to meet the requirements of the end-user as well as IT and Security; they are flexible enough to enhance whatever users have, wherever they are, and make enterprise file sync and sharing (EFSS) easy yet trusted. Better service means more visibility and control while delivering automated and safe EFSS. Users gain the access they demand and IT reduces risk, once the following three key elements are present:

Continue reading

Security Rules To Live By: Using Your Best IT Judgment

By Doug Graham, Senior Director, Global Security Office – EMC IT

In the world of cyber security, we have reached the point where we feel the need to codify security behavior by telling people what to do and what not to do. But sometimes I wonder if security policy should rely on a much simpler approach—the notion that people already have a sense of right and wrong and should be encouraged to use their best judgment.

Certainly, security policies are complex. There are many of them and they are scattered around all over the place. But so is the law. And when was the last time you had to pick up a law book to know what’s right or wrong? In most societies, the law stems from basic commandments. Most of us have those principles drilled into us from when we are young. So we might not know specific laws, but we have a sense of right and wrong.

When I grew up in Glasgow, Scotland, my mother would use a phrase that would drive me insane. When she’d tell me I couldn’t do something I wanted to do and I’d ask why, she would say “that’s not the done thing.” I’d always wonder what this “done thing” was. The done thing was, of course, what was normal for society to do.

It seems like we sometimes forget that people have a sense of right and wrong when it comes to behavior in the workplace. One well-known exception is retail giant Nordstrom which, up until several years ago, used a 3 by 5-inch card as its “employee handbook.” It listed “Rule #1: Use your best judgment in all situations. There will be no other rules.” There was another paragraph inviting employees to ask their managers questions at any time. (Nordstrom still urges employees to use their best judgment but does now hand out a more detailed handbook with rules and legal requirements.)

Continue reading

Happy Cyber Security Awareness Month: Getting Free-Thinkers To Pay Attention

By Doug Graham – Senior Director, Global Security Office – EMC IT

If you’re like me, you think about cyber security all day, every day. You may even dream about it. It’s why I’m an IT security professional (and probably not the most interesting guy you’ll ever meet).

But since most people have other things on their minds most of the time, it takes a special effort to get them to focus on the importance of IT security. That’s where National Cyber Security Awareness Month—which occurs every October—comes in.

While setting aside a month to promote cyber security may not seem like the most hard-hitting tool to tighten security for your organization, it actually is a great opportunity to do just that. That’s because more than ever cyber security is all about people’s behavior, and raising awareness is one of the best ways to have an impact on that.

What we have come to realize in IT security is that policy, compliance and governance alone won’t achieve cyber security for your organization unless people take those policies and rules and use them to make the right security decisions. The reality is that whether it’s people in their homes or in the workplace, we depend on individual behaviors to safeguard IT security—or anything else for that matter. If you don’t lock your door, people can walk straight into your house. If you leave your car unlocked, there’s a greater chance it —or something in it— will get stolen.

Continue reading

2013 RSA Conference Shows Risk Management A Growing Priority

By Doug Graham, Senior Director, Global Security Office – Risk Management

The 2013 RSA Conference provides a terrific venue for industry leaders to share and communicate, but on one topic I couldn’t help but notice a dramatic rise in interest: Risk Management. Over the past three RSA Conferences, I have seen our Risk Management seminar grow from a peer-to-peer session of 25 people two years ago to more than 800 people at this year’s session — and with good reason.

The idea of risk management resonates deeply within the industry, including the need and practice of risk management and the desire to bond security, data analytics and the business. A well-rounded discussion was generated from the audience that focused on a number of pivotal ideas of risk management: What does risk management mean to an organization? How does an organization measure success? How can an organization work more collaboratively to push back against threats?

Risk Management and the Business

As we in security continue to study and execute the science behind risk management, we understand more and more that it cannot be managed in a bubble. Risk management, to be truly effective, must move into the business. Ultimately, the security organization cannot accept the notion of an impenetrable or perfect system as a matter of doing business. By evangelizing risk management into the business, we create a new sense of priorities and responsibilities in which non-security and non-IT business users assume risk management as their own.

When this occurs, perspective is gained on how other units respond to risk, even down to financial management and financial risk. In that regard, risk management no longer lives in a vacuum and advocates begin to pop up throughout the organization. These advocates will expand the network of risk management and operate in a way that bolsters an organization’s security posture. That was an important message from this year’s RSA Conference.

Continue reading

Communicating Risk Management in the Face of Constant Threats

By Doug Graham, Senior Director, Global Security Office – Risk Management

In the face of an ever-changing security landscape that constantly presents new threats, an enterprise’s defense must be robust and complete with multiple layers of prevention and defense strategies.

While enterprises may arm themselves with the most technical controls possible, a critical element to a proactive defense is communication. When we speak about communication, we refer to a strategy that goes far beyond messages to your employees about the latest security guidelines being handed down. The key to communication is removing the perception that the security organization is an obstacle to doing business.

At EMC, we have moved to empower people by breaking down barriers of communication between IT and the business. Through this approach, we have found success broadening the responsibility of risk management and changing the core behaviors of individuals that results in a stronger security posture and overall defense.

Continue reading

EMC Security Chief Highlights New Strategies to Meet Big Impact IT Trends for 2013

New, advanced technologies continue to provide a faster, more agile environment. But those technologies – cloud computing, mobile platforms, Big Data and social media – can widen the exposure companies face to potential security threats.

To help companies remain proactive in their security measures, the latest Security for Business Innovation Council (SBIC) report titled, “Information Security Shake-Up: Disruptive Innovations to Test Security’s Mettle in 2013,” offers a forward-looking analysis of the new enterprise threats in 2013, and recommendations for how security teams can limit risk.

The report also examines four strategic steps enterprises can leverage to strengthen their security programs, including: How to boost risk and business skills, court middle management, tackle IT supply chain issues and build tech-savvy action plans.

You can learn more about the SBIC Trends Report 2013 by viewing the following video featuring EMC Vice President and Chief Security Officer Dave Martin. We have also discussed related topics in previous blogs on this site, which combined with Dave’s video and the new report, will offer a full picture of security innovations we’ve explored at EMC.

Keeping the Bad Guys on the Run: Working Together to Neutralize Cyber Threats

By James Lugabihl, Senior Manager, EMC Critical Incident Response Center, EMC IT

Threat intelligence is king. The more you have, the better positioned you are to protect your organization from cyber attacks.

But staying on top of threat intelligence to fight these sophisticated attackers requires a new, collaborative approach to security—one that most companies and organizations haven’t embraced as yet. We need to be able to continuously share information on the latest cyber attack techniques, malware and email campaigns beyond our own networks in order to defend against an onslaught of external and internal threats. We need to “talk” to each other to warn against the latest tactics.

Getting beyond “defend” mode

Most companies are still in “defend” mode, using the traditional firewalls and other perimeter-based tools to guard their networks and data. While you don’t want to get rid of those old war horses, your company does need to expand its capabilities to defend against and respond to the more sophisticated threats. By tapping into what other organizations are seeing in terms of attack techniques, tactics and procedures (TTPs), you can detect such threats much earlier and minimize damage.
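The “tapping into what other organizations are seeing” idea above, as an added example that is not part of the original post and is not EMC CIRC tooling: a small Python script that loads indicators a peer organization has shared (a beacon domain, a lure sender address, an attachment hash), matches them against a mail-gateway log and a resolver log, and pairs each flagged message with indicator lookups that follow it within a short window. The feed layout, both log formats, the hash value and every name in it are constructed for the example; the hash is a placeholder, not a real sample.

```python
"""Matching indicators shared by peer organizations against local logs
(added example; not EMC CIRC tooling)."""
import csv
import io
from datetime import datetime

# Constructed feed in the shape a peer might share: type,value,source,note.
# The sha256 value is a made-up placeholder, not a real malware hash.
SHARED_INDICATORS_CSV = """\
type,value,source,note
domain,update-check.example.net,peer-org-a,C2 beacon seen after invoice lure
sender,invoice@billing-notice.example.org,peer-org-a,sender used by the invoice lure
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,peer-org-b,attachment dropped the beacon
"""

# Constructed local mail-gateway log: ts sender recipient attachment_sha256 ('-' if none)
MAIL_LOG = """\
2013-06-03T08:12:01Z invoice@billing-notice.example.org pat@corp.example.com 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2013-06-03T08:15:44Z hr@corp.example.com pat@corp.example.com -
2013-06-03T08:20:10Z news@vendor.example.com sam@corp.example.com fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
"""

# Constructed resolver log: ts client qname
DNS_LOG = """\
2013-06-03T08:13:30Z 10.1.2.3 mail.corp.example.com
2013-06-03T08:13:35Z 10.1.2.3 cdn.update-check.example.net
2013-06-03T09:40:00Z 10.1.5.9 www.example.com
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def load_indicators(csv_text):
    """Index indicators as {type: {value: row}} with values lower-cased."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        index.setdefault(row["type"], {})[row["value"].strip().lower()] = row
    return index


def _records(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield line.split()


def match_mail(mail_log, index):
    """Flag messages whose sender or attachment hash is a shared indicator."""
    hits = []
    for ts, sender, rcpt, digest in _records(mail_log):
        for kind, value in (("sender", sender), ("sha256", digest)):
            ind = index.get(kind, {}).get(value.lower())
            if ind:
                hits.append({"ts": ts, "log": "mail", "type": kind, "value": value.lower(),
                             "recipient": rcpt, "source": ind["source"], "note": ind["note"]})
    return hits


def match_dns(dns_log, index):
    """Flag lookups of an indicator domain or of any name beneath it."""
    domains = index.get("domain", {})
    hits = []
    for ts, client, qname in _records(dns_log):
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):  # walk up: a.b.c.tld -> b.c.tld -> c.tld
            candidate = ".".join(labels[i:])
            if candidate in domains:
                ind = domains[candidate]
                hits.append({"ts": ts, "log": "dns", "type": "domain", "value": candidate,
                             "client": client, "source": ind["source"], "note": ind["note"]})
                break
    return hits


def correlate(mail_hits, dns_hits, window_seconds=600):
    """Pair each flagged mail with indicator lookups seen within window_seconds
    after delivery. Correlation here is by time only; tying the resolver
    client IP back to the recipient's workstation needs asset data this
    example does not have."""
    incidents = []
    for m in mail_hits:
        t0 = datetime.strptime(m["ts"], TS_FORMAT)
        followups = [d for d in dns_hits
                     if 0 <= (datetime.strptime(d["ts"], TS_FORMAT) - t0).total_seconds()
                     <= window_seconds]
        if followups:
            incidents.append({"mail": m, "dns": followups,
                              "sources": sorted({m["source"]} | {d["source"] for d in followups})})
    return incidents


if __name__ == "__main__":
    idx = load_indicators(SHARED_INDICATORS_CSV)
    mail, dns = match_mail(MAIL_LOG, idx), match_dns(DNS_LOG, idx)
    for inc in correlate(mail, dns):
        print(f'{inc["mail"]["recipient"]}: {inc["mail"]["type"]}={inc["mail"]["value"]} '
              f'then DNS for {inc["dns"][0]["value"]} (shared by {", ".join(inc["sources"])})')
```

The point of the correlation step is the one the post makes about detecting earlier: a lure sender or hash shared by one peer and a beacon domain shared by another each look like a single low-confidence match on their own, but a flagged message followed minutes later by a lookup of the beacon domain is an incident worth paging on, and neither organization could have built that chain from its own telemetry alone.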

I manage the Critical Incident Response Center (CIRC) at EMC, tasked with defending the company’s revenue stream and future market value from cyber threats. At EMC, we believe we have been able to achieve a uniquely high level of incident response capability using much of our own cutting-edge information security technology.

Continue reading

Changing Our Information Security Culture: EMC’s New Collaborative Approach to Reducing Risk

By Doug Graham, Senior Director, Global Security Office – Risk Management

What do corporate IT security and healthcare have in common these days? Both are undergoing a cultural shift in which customers are being asked to take responsibility for their own well-being.

Just like getting individuals to focus on proper diet, exercise and screening efforts can help prevent health problems and keep everyone’s medical costs down, so can getting IT users to embrace proper security practices help prevent costly security complications for employees and the company they work for.

At EMC, this realization is driving a major transition in our approach to security. We are evolving from a centralized global security team that dictates regulations to the business units that consume IT without their input – to a dispersed security force that works with the business to understand their needs and create policies and standards that the business can live with.

Last year, our Global Security Office (GSO) began a multi-year effort to transform its security approach.

Continue reading

Big Data Takes On Security

When it comes to IT security, we are at an opportunistic intersection. Each and every day, we hear more and more about how the increasingly complex and aggressive threat landscape is impacting the security of companies around the globe. However, Big Data strategies and technologies are rapidly approaching the intersection and arming us with the analytics we need to more proactively assess risk and identify threats.

As a leading global technology company, EMC has wholeheartedly embraced Big Data to get ahead of this. If you’re interested in learning more, EMC is also hosting a webinar on “Using Greenplum to Deliver Big Data Analytics” on Tuesday, Sept. 18th @ 11am PT. Sign up here: http://bit.ly/SyLwWV

It’s A Different IT Security World

TO CATCH A CYBER THIEF: FIGHTING SECURITY THREATS IN REAL TIME

By Ramesh Razdan, Senior Director of Enterprise Services and EMC Distinguished Engineer, and Steen Christensen, Director, Information Security

Like just about everything else in today’s socially networked universe, enterprise IT security has evolved dramatically in recent years. Security teams are charged with safeguarding vital information in a world connected by a continuous and rapid exchange of an ever-expanding deluge of information. And among those logging on are a growing number of cyber criminals launching continuous and sophisticated threats to organizations worldwide. Investigations have become extremely complex, requiring the ability to analyze data with both context and speed.

No longer can organizations rely on traditional perimeter security and firewalls to protect their vital information assets. Nor can they effectively combat today’s sophisticated cyber criminals by analyzing threats after the fact. In fact, those that think they can in today’s complex cyber world are just sticking their heads in the sand.

Thankfully, Big Data tools and platforms have evolved to meet these new threats head on, armed with real-time data gathering and high speed security analytics.

Continue reading

How Will CIOs Meet Growing Security Threats

BUILDING TRUST WHITE PAPER EXCERPT

When it comes to protecting enterprise data, CIOs and CSOs are at a crossroads. The complexity and prevalence of security threats continue to grow, bolstered by consumer IT and mobility. The open nature of IT has paved the way for far more sophisticated attacks – beyond conventional credit card data theft to multilevel attacks. Information security executives face perhaps the toughest challenge of their careers.

The business requires and expects total freedom and choice in technology, yet risks come from any number of places: users at their desks, users working from many different mobile devices and unsecured networks, and users downloading applications at will from the Web. Corporate integration with social media sites provides a new path for malware to the network – not to mention privacy risks and even identity theft. Hackers still have many more opportunities to grab enterprise data and are getting smarter by the day. Given the pace of change in our Web-based mobile world, who knows what next month will bring?

In this interactive white paper from CIO Magazine and EMC, learn how tightening the relationship between CIOs and CSOs will help create trust, the foundation of business relationships today. Embedded videos feature Art Coviello (RSA Executive Chairman), Sanjay Mirchandani (EMC CIO), and Dave Martin (EMC CSO), and a quick survey provides benchmarking between CIO peers.
Read the White Paper

Trust, But Verify

Lately I’ve been in an increasing number of conversations about “multi-tenancy,” and its viability/fitness for use in business IT. Most start out framed as technology discussions. One recent exchange reminded me of a blog post and comment thread back in January on “secure multi-tenancy.” The comments, predictably, devolved into heated debate over who claimed which technologies could do what, who disputed whose claims, and so on.

For my own part, I don’t see technology alone as adequate. What intrigues me, though, is how many IT people believe technology can—indeed, must—somehow address all this. Continue reading

Why EMC IT Is Going “All In” On Private Clouds – Part 5

This is the final part of a series of posts outlining how our IT organization started its aggressive journey to private clouds. Previously, I described IT’s strategy shift, the trigger for its urgency, navigating through “cloud fog,” and the unusual path IT decided upon.

In this post, we’ll take a look at EMC IT’s overall strategy for actually making this journey. Continue reading

Why EMC IT Is Going “All In” On Private Clouds – Part 4

This is the fourth of a multi-part series exploring why our IT organization is aggressively transforming EMC’s corporate datacenters into Private Clouds. Previously, I described IT’s strategy shift, its newfound sense of urgency, and navigation through some “cloud fog.”

In this post we look at the unusual course EMC IT charted for its Private Cloud journey, and how the team approached selling its plan to our top execs. Continue reading

Integrating RSA Security in EMC’s Private Cloud

Join Nirav Mehta, Senior Manager of Product Management at RSA, as he describes RSA’s view on virtualization security and how EMC’s security division is participating in EMC IT’s Journey to the Private Cloud. It includes some examples, such as ways EMC IT is using RSA technology to secure virtualized desktops.

David Freund also provided some background in this post.

Security: Don’t Leave (Physical) Home Without It

A lot of ink has been spilled recently in the press about cloud security, and even virtualized-server security. Many lead off with alarming headlines like this recent example that declares, “60% of virtual servers less secure than physical machines, Gartner says.”

Continue reading