Securing the data, not the perimeter

RSA President Art Coviello's words may have fallen on deaf ears before, but this year he believes people are finally listening.

Joris Evers, Staff Writer, CNET News.com
SAN FRANCISCO--Art Coviello's words may have fallen on deaf ears before, but this year, people are listening.

The RSA president sees the security industry finally moving from defending the perimeter of a network to actually locking down the data within, he said in an interview. It is a message he has been repeating for years at the RSA Conference, but this year, he expects to see evidence of a response.

Coviello's words matter, and not only because he's spotted a shift that's important in a world where data breaches make headlines almost every day. His company, taken over last year by storage giant EMC, also exemplifies the ongoing consolidation and maturation of the security industry.

But not all of Coviello's predictions come true. He used to hope for a mass market for devices like the company's key fobs, which generate one-time passwords. Coviello still believes such passwords will go mainstream, but not necessarily through tokens.


Yet, while some pundits say the coming of age of information security makes it boring, Coviello disagrees. The 16th annual RSA Conference, which gets under way on Tuesday, will show signs of energy and excitement in the sector, he told CNET News.com on the eve of the industry's biggest showcase.

What do you think will be most exciting about this year's RSA Conference?
It is just the energy. A lot of the discussion though will be around this change from static solutions to dynamic ones. You will also see a tremendous amount of emphasis associated with data protection. We can no longer rely on just perimeter defenses; we have to get it protecting the information itself. You are going to see a lot of discussion about encryption. And encryption is great; it is basically the soul of RSA.

Every year, you speak about the state of the industry in your keynote address. What's your message this year?
It is time for the industry to transform itself. That transformation is actually already under way. It involves migrating from the more static perimeter defenses we have had in the past, to ones that actually follow the information itself.

When you talk about industry consolidation, as has occurred over the last year with ISS and RSA, I think what you're starting to see is that transformation--the fact that security needs to be integrated into products, and products need to be more secure in the first place.

Some analysts say that's actually making security boring. Do you agree?
I think that's baloney. It really doesn't get to the heart of the issue. It is not whether it is boring or exciting. Ideally, it would be seamless and transparent.

What's happening in this transformation is that security is being recognized as an important part of the overall information infrastructure. But that doesn't mean that there won't be standalone security applications--there will have to be--but they will mostly be woven into the fabric of that information infrastructure.

Do you have a call to action for the industry?
The call to action is to focus on the information and less on the perimeter, and to focus on the fact that information has this nasty habit of wanting to travel. We have been engaged in defense and protection; what we should be engaged in is offense and enablement, and that's going to be a radical shift. I have been preaching this for years, but I think it is finally about to happen.

People need more access to information. Things like Web 2.0 type initiatives are creating opportunities for businesses to do more online than ever before, and they can't do that if they can't do it with confidence. That's where security comes in.

RSA was acquired by EMC in the past year. How is its business changing, as part of EMC, to deliver on this call to action?
First of all, RSA is alive and well within EMC. We have gone through a fairly extensive integration process. We have been able to do that in the first four months of the acquisition without skipping a beat.

EMC, with its massive resources, gives us the ability to take a wider view of security. An example of that: we were presented on day 1 with an acquisition EMC had done of Network Intelligence, an incident and event monitoring company. Having that capability allows us to expand what we do.

Has the RSA Conference changed as a result of the acquisition?
No, the conference has not changed at all, other than that it continues to grow and expand in terms of the number of vendors that are going to be exhibiting. We're up around 360 now. And in terms of the excitement and in terms of the quality and depth of the presentation, we're close to 400 presenters this year. Roughly 15,000 people are expected to attend.

RSA is mostly known for the key fobs that generate one-time passwords. You have long had a vision of a mass market for such gadgets. Where are they?
We have made our tokens easier to use by creating a toolbar version of the token. We've recently signed up two very large banks that serve their customers over the Internet to use our tokens. These two institutions are going to use a combination of physical tokens--that might be used by high net worth customers--and a toolbar version for broad distribution across all of their millions of Internet users. The SecurID technology will indeed be used in these applications.

Are you frustrated at all at the speed at which this is going?
If you're president or the CEO of a business, you are always frustrated at the speed with which things go. Yes, of course. But I think we're right, directionally. Also, we're not relying on one technology to do authentication. We also have our risk-based authentication and our picture-recognition capability that we acquired from PassMark Security.

If you look at the three biggest Internet banks in the country, the way they have responded to the FFIEC (Federal Financial Institutions Examination Council) recommendation for having strong authentication in online transactions, each one is using a different type of RSA technology.

You're predicting that the one-time password is going to be used more broadly?
There is no question. Outside the U.S. there is far more acceptance and use than within the U.S. It is our job to create alternatives for our customers. We have been able to do this. But take Japan Net Bank, the biggest Internet bank in Japan--they rolled out 1.3 million of our tokens from April of last year through the middle part of July. That's how fast you can roll out tokens to a pretty large mass of consumers.

Is there anything happening in the industry that you believe is so wrong that it makes you want to bang your head against the wall?
It is not so much what is being done wrong, it is what needs to be done right. Antivirus is a perfect example. Antivirus enjoys a very privileged space in all security budgets and for good reason. But the fact of the matter is, in the past year there were over 200,000 variants of malware, according to Yankee Group. It is almost impossible for a static, signature-based product like antivirus to keep up with that. Antivirus needs to morph and change to behavioral blocking based on patterns that are recognized and be much more of a dynamic solution than a static one. This change from static to dynamic is going to be one of the most important trends in security going forward.
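The contrast Coviello draws in that last answer, a static hash signature that a one-byte variant slips past versus a dynamic verdict built from the behaviors a process actually exhibits, can be shown in a few lines. The following is an added illustration written for this page; it is not RSA, EMC or CNET code and does not model any real antivirus engine. The sample bytes, the event traces, the action weights and the blocking threshold are all constructed for the demonstration.

```python
import hashlib

# Constructed sample files (not real malware). The "variant" differs from
# the known sample by a single byte, which is all a repack needs to do
# to defeat an exact-hash signature.
KNOWN_SAMPLE = b"MZ\x90\x00constructed-sample-v1"
VARIANT_SAMPLE = b"MZ\x90\x00constructed-sample-v2"
BENIGN_SAMPLE = b"MZ\x90\x00constructed-updater"

# Static approach: a signature database keyed on the SHA-256 of the file.
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_verdict(sample: bytes) -> bool:
    """True only if the exact file bytes are already in the signature database."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


# Dynamic approach: score what a process does at runtime. The actions and
# weights below are assumptions made up for this example, not tuned values.
ACTION_WEIGHTS = {
    "write_autorun_key": 3,         # establishes persistence
    "disable_security_service": 4,  # tampers with defenses
    "inject_into_process": 4,       # hides inside another process
    "connect_out": 1,               # common, but adds to a suspicious combination
    "write_file": 0,                # benign on its own
    "read_config": 0,
}
BLOCK_THRESHOLD = 6  # assumed cut-off at which the combination is blocked


def behavioral_verdict(events):
    """Return (blocked, score, triggering_actions) for an observed event trace.

    Each distinct suspicious action is counted once, so repeating a benign
    action many times cannot push a process over the threshold.
    """
    score = 0
    triggered = []
    seen = set()
    for action in events:
        if action in seen:
            continue
        seen.add(action)
        weight = ACTION_WEIGHTS.get(action, 0)
        if weight:
            triggered.append(action)
        score += weight
    return score >= BLOCK_THRESHOLD, score, triggered


# Constructed runtime traces for the two approaches to be compared on.
MALICIOUS_TRACE = [
    "read_config",
    "write_autorun_key",
    "disable_security_service",
    "connect_out",
    "connect_out",
]
BENIGN_TRACE = ["read_config", "write_file", "connect_out"]


def compare(sample: bytes, trace) -> dict:
    """Run both detectors on the same sample and its observed behavior."""
    blocked, score, triggered = behavioral_verdict(trace)
    return {
        "signature": signature_verdict(sample),
        "behavioral": blocked,
        "score": score,
        "triggered": triggered,
    }


if __name__ == "__main__":
    for label, sample, trace in [
        ("known sample", KNOWN_SAMPLE, MALICIOUS_TRACE),
        ("one-byte variant", VARIANT_SAMPLE, MALICIOUS_TRACE),
        ("benign updater", BENIGN_SAMPLE, BENIGN_TRACE),
    ]:
        print(label, compare(sample, trace))
```

The known sample is caught by both detectors, the one-byte variant is missed by the signature lookup but still blocked because it performs the same combination of persistence, defense tampering and outbound connection, and the benign trace stays well under the threshold. The weighting and threshold are where real behavioral products spend their effort, since too low a cut-off blocks legitimate installers and too high a cut-off lets the combination through.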