Building the Security "In" is the Way to Go
Last week, Seagate Technology announced that it had begun shipping disk drives with built-in encryption technology for data stored on its disks. Such an implementation is transparent to the end user because it takes advantage of advances in encryption hardware to encrypt and decrypt information "on-the-fly" -- that is, as data is written to and read from the disk. A few PC manufacturers have already signed up to offer customers laptops with these drives.
Hopefully, Seagate's move is just one of many coming from the industry where the necessary encryption technology that businesses -- and even some end users -- need comes "built-in" to the products they buy. Here at RSA, we have been a proponent of the approach of built-in security for a very long time. I personally believe that the best security for businesses is going to come from a security infrastructure that is built right into the devices, computers, and major software applications that they buy. It just makes sense!
Why? Because billions of dollars per year in corporate I.T. budgets are spent on security solutions that can only touch a small segment of the entire infrastructure where sensitive data might live. This is because many of these infrastructure components hide their complexity in order to make them friendlier and more valuable to customers. The downside to this is that hiding this complexity makes it difficult for security products to lock them down properly. Admittedly, those of us in the security industry have come up with some pretty creative ways to lock down sensitive systems, even when we can't get into all of the possible nooks and crannies that could be exposed to a threat. But, let's be real, these methods are not foolproof.
Hard drive manufacturers understand how to make hard drives. Mobile phone manufacturers understand how to make mobile phones. Business application providers know how to build applications. Vendors in all of these areas need to understand that the only security that is really going to be formidable against threats is the type of security that actually understands the ins and outs of their systems -- the type of security that they can and should build directly into those systems, with some expert help if needed. We are hearing constantly from customers that this is what they want and what is necessary in order to meet the security requirements of today's I.T. world.
Hopefully Seagate's move is just one of many forthcoming in the industry towards making security an even more integral part of the I.T. infrastructure. EMC, of course, announced when it acquired RSA Security last year that such tight integration of security technology within the other EMC products will be a top priority. We have seen the first fruits of this with the release of EMC Symmetrix with support for RSA SecurID two-factor authentication. There are many more developments coming down the turnpike from us that you'll be hearing about in the months to come.
Of course, you are probably wondering what it means for security vendors like RSA if everyone gets the message that security should be built-in. Well, we definitely have the expertise and offerings to help any company build the proper security controls into their products. But we also recognize that the key value an information security technology provider can bring in this new paradigm is making security manageable: ensuring policies are consistently enforced, propagating security rules for data to wherever that data might live or be processed, and enforcing appropriate separation of duties among users. There is honestly no reason or need for "god-like" users in today's I.T. infrastructure; it is too risky.
There is also a need for more open standards, something RSA has been involved in for quite some time. These standards will help ensure interoperability among different security implementations and ease integration of new systems that support security into your I.T. environment. As more and more vendors start to get the message that security is no longer an island left to those in the cubicles ten floors below, the need for standards will become even more apparent. I hope that this important move by Seagate, as well as the moves by EMC, is a catalyst for some real, needed change in how we approach information-centric security.