Cloud push a chance to 'embed security'

Move toward cloud computing allows industry to prep right levels of security controls--an opportunity not available since invention of Internet, says top RSA executive.
Written by Vivian Yeo, Contributor on

SINGAPORE--The cloud computing momentum presents a chance for industry players to "embed security" into the IT environment--an opportunity not available since the Internet was invented, said an IT security veteran.

Art Coviello, RSA

Art Coviello, president of RSA, the security arm of EMC, pointed out that building security--"like it's never been done before"--into cloud infrastructures would lead to an era of seamlessness and transparency, and "fundamentally better" security in the virtual world than the physical realm.

Speaking to ZDNet Asia this week during a stopover in the island-state, Coviello described security that is not bolted on after the fact, and with the ability to be invoked whenever the occasion warrants, as characteristics of embedded security.

"We have an opportunity to do that embedding [of] security with the full context of the type of threats that exist and with an eye on how they might develop in future," he explained. "We have an opportunity to really understand the risks to cloud infrastructures before we implement them and in so doing, set up the right levels of authentication and access control and in the case of multi-tenancy, separation of data, so that we give people confidence these infrastructures will withstand not only the test of time but [also] threats to a large degree."

Coviello, who is also executive vice president at EMC, is scheduled to elaborate on these messages in his opening keynote at next month's RSA Conference in San Francisco. On its part, he said RSA has been "doing a heck of a lot" with sister company VMware to embed security technologies such as data loss prevention, into the virtual environment.

He noted, however, that creating the right policy frameworks would be one of the biggest issues in the drive to embed security into cloud infrastructures. Policy frameworks, he explained, play an important role in the understanding of how security works in a cloud infrastructure and the implementation of security measures.

"If you don't get a holistic view that that type of framework can provide, then it's hard to imagine that you can adequately secure the infrastructure," he said.

Industry trends, added Coviello, increasingly point to the need for security to be embedded into IT infrastructures. Citing a Goldman Sachs report released last year, he noted that the security industry was becoming more "barbelled"--numerous large security companies and small startups exist, but there is "almost nothing in the middle".

Of the large-sized players, only McAfee and CheckPoint are pure security companies; the remaining vendors have been acquired by infrastructure players, said Coviello. Symantec is the only exception, as it bought an infrastructure company, he noted, in a reference to Veritas.

He added that the Goldman Sachs report supported his view that there was "no need for a standalone [player in the] security industry".

"So I don't have to quit my job…yet," he quipped, referring to comments made in 2008 that he would quit his job if the standalone security industry was not dead in three years.

Editorial standards