Dell changes its approach and goes OS-agnostic in security

ZDNet caught up with Dell's data security chief at the RSA Conference to hear how the PC industry is changing its approach to cybersecurity.

Dell's GM of data security, Brett Hansen, spoke with ZDNet's Jason Hiner at the 2018 RSA Conference. They discussed Dell's approach to security in the face of ever-evolving threats.

Watch the video interview above or read the full transcript below.


Hiner: Let's talk a little bit about what you and your team do. You have a very broad and ambitious goal, which is attacking client PC security. Tell us about what you guys do, how you do that.

Hansen: We have two missions. The first is, as you said, client security. How do you make that platform as vulnerability free as possible? Securing, hardening that platform. The second mission is we have a set of agnostic software solutions that are focused on how do you enable the modern workforce? How do you find that balance between security and worker productivity?

Hiner: Very good. Of course, the elephant in the room when you think about security and client security these days is Meltdown and Spectre. That happened last year and caught the industry by surprise a little bit. How has that affected what you do, and what has been the impact, and how are you guys thinking about it now?

Hansen: Meltdown and Spectre just really intensified the focus of how do we do a better job in the industry of reducing the likelihood of a critical vulnerability like this? At Dell, we have a set of actions across our supply chain, across our software development lifecycle, and across the physical hardware itself to try to compress, limit, reduce. Nothing is ever 100% for sure, but how do you make that likelihood as small as possible?

Hiner: Let's zoom out for just a second. For the past decade, there's been this acknowledgement in the industry that our old model of security, building a very strong wall, and anybody who gets inside then they're okay, they can access anything, has just not worked. It doesn't work in a world with so many mobile devices, with so many telecommuters, people working remote, contractors, IoT, all of these things. We're moving more to this model of perhaps your risk management data focused security, bringing in machine learning and AI, how is that evolving the approach to security not just for you guys, but industry wide how is the way we're thinking about security evolved?

Hansen: I'm encouraged by the term data-focused because we all get wrapped up in protecting the devices, or the networks, or the data centers, which are merely the vessels that are holding what is really important. We need to be focusing on the data. As an industry, we need to move past our former paradigms of, as you said, creating walls. Things have changed, people have changed, the workforce has changed so that attempting to build walls and restrict the movement of data is going to, ultimately, lead to more leaks. We need to change our paradigm and our thinking from walls to allowing you to protect data wherever it moves, whoever has access to it.

Hiner: What are some of the biggest challenges that you guys face? Of course, the endpoint is the front door to security for a lot of ... the attackers come through. When you're thinking about how you approach security in today's world, how are you guys thinking about it, and what methods are you using to make sure that those things are taken care of, are covered?

Hansen: You hit the nail on the head when you talked about how workers have changed. Last fall, we ran a survey of a few thousand line of business professionals. Our approach was let's get a better understanding of what the people who are handling data have to say about it. The survey came back with a good news, bad news story. The good news was overall, the workers felt a level of accountability, they acknowledged that data security is important. I have to play a role in that. Great. When it came to actually making the right decisions, the decisions that are going to ensure the risk profile of the company is met, that there is a limitation or limiting the likelihood of data leakage if data policies got in the way of getting their job done, out with data policy.

That's the challenge that we face today is companies are looking to empower their workforce, they're looking to transform, they're looking to drive greater productivity and collaboration. Unfortunately, that comes with the likelihood of increasing security risk.

Hiner: There's a lot of effort that's been put on education, and those kinds of things, but what's often missed is giving the worker a reason to care, why they need to understand. Do you run into that? Did your survey bring out anything that talks about the proper ways to educate, and the ways to educate users so that they actually care and have some buy-in to the company's mission, those kinds of things?

Hansen: Again, another piece of good news is two thirds of the employees that we surveyed said, "Yes, I've had education," yet less than half of them felt like that education really stuck. I think you've hit another really good point here, which is you need to make the education relevant to them. Help it speak to them. One example that we've seen that's been successful is not just having one blanket education across your entire workforce. Start to spend some time targeting. Engineers are different than finance, finance is different than HR, HR is different. The more targeted, the more relevant you can make it to me the more likely I am to care.

Hiner: How about once they are educated, and once they have a realization of what they do, how it affects the overall security what are you seeing? Did the survey talk about sending sensitive information around, that was in there wasn't it?

Hansen: Yeah. I guess, that's the key here, which is education's fantastic. We support it, we do it ourselves. It's not sufficient. The reason is, first and foremost, we're all people, and we're motivated to get our jobs done as efficiently as possible. There is a likelihood that a security policy and how we perceive as the most effective way to get the job done will come into conflict and we need to acknowledge that employees are going to ignore security policy.

Hiner: To get their work done?

Hansen: Exactly. You've got to embrace that perspective of education is an element, but it's insufficient on its own.

The survey found that 72% of employees are willing to share sensitive data outside the organization, that's a very large percentage. It could be they have very legitimate reasons. When you think about the new modern workforce, the new modern organization, Dell has hundreds of partners and suppliers, we need to be able to collaborate. Each one of those partners is a trustworthy company, but the ease of being able to distribute information lends itself to someone getting at some sort of negligent action, some sort of nefarious action that could compromise and that's what we need to deal with.

Hiner: Speaking of partners and suppliers there have been some studies that have been done recently that even banks, some of the most secure organizations in the world, they have an incredibly secure front door, but what is left open is those side doors. Those partners that they have, that have that free access in and that's how attackers are often using to attack companies that are ostensibly very secure.

You have some of the same things to deal with, you have partners who put either software or have components in your machines. How do you make sure those are secure and how hard of a job is that?

Hansen: It's a big task, it's a vital task, and it's a task that all of the IT community should be focusing on. First and foremost, we have very clear policies around our expectations of our partners, around component security, physical security, software limit lifecycle. We provide those, we back those with education, we back those with assessments. It can't just be simply, "I told you to do this," and then turn away. You have to back it up with some real work in a collaborative fashion.

The second is trust only goes so far. You've got to go and double check.

Hiner: To verify?

Hansen: Trust and verify, pen testing, reviews on a regular basis. One of the most important elements though, going back to people, is ensuring that everyone involved in the development of the product is aware of security, is thinking about it, it's top of mind. Safety first. Like you see it at all the construction sites around San Francisco, the big signs of safety first. Safety first should be part of how we develop product and software code. The overall industry needs to embrace that in a much more thoughtful manner.

Hiner: You have your own pen testers that are doing some audits and verifications of these third parties that are connecting with you. How often do you guys go back to a partner and say, "Look, this is not meeting the standards. We need you to improve"?

Hansen: We're always going back to partners and talking with them about how they can improve, and we also point to ourselves as an example. You mentioned pen testing, we go a step beyond that. We have the same folks who are doing the pen testing then spend time, not a day or an hour, but weeks with our development team helping them learn from the things that they could do better.

I wouldn't call them mistakes because it's not mistakes, it's how do I continue to enhance my skills? How do I continue to do a better job of protecting through good software development? Our teams will come back, they'll sit down, they'll train them, they'll talk about what hackers are looking for, all the nuances. It's a culture that has to be developed. It can't just be something you say, "Hey, safety's important," and you move on. It is something you think and breathe every day, so it's not an easy fix.

Hiner: Those pen testers find all the ways that ... essentially acting like white hat hackers, find a way to get in, break through and then they sit down with the developers and tell them like, "Here's how we did it. Here's how we got through."

Hansen: Next time you're doing this you're going to be one step better at this. It's always this continual seeking improvements. How do we keep driving improvement? Again, we're never going to get to the point of saying, "Oh yes, there will never be any sort of vulnerability." That's not a possibility. Let's do everything in our power to try to reduce that and that includes investing in people, and policies, and tools.

Hiner: Very good. For Dell and for the machines that you make, one of the things that we see is as much as there's been a focus on mobile and there's been a focus on the internet of things most knowledge workers are still sitting down at a computer every day, at a laptop or a desktop, increasingly mostly laptops. What are the things that are different now than they were even a decade ago in terms of the way that you guys secure your machines? What are the things that you guys have learned, and the ways that you've been able to move this forward, and move security forward?

Hansen: The number one thing that we've embraced is yes, we need to do all we can to secure the platform, but when it comes to the worker interaction with data Dell has an agnostic portfolio of software that works across Dell devices, old and new, works across HP, Lenovo, Mac, Android. Why? As we talked about earlier, data is going to move. The expectation of today's worker is, I'm going to have multiple pieces of glass some are going to be company-owned, some are going to be personally owned. I want access to my application, to my data regardless of what the piece of glass I'm using, regardless of location I'm at, and that creates inherent security risk.

We've embraced a portfolio of software, which is focused on how do I protect data at rest, in motion, and in use regardless of location, regardless of who is using it? That's the new world that we live in.

Hiner: Dell Software Solutions that aren't just about securing Dell PCs, they're about tracking your data wherever it goes on any device, every device?

Hansen: Yes. That's an important element because the world's not proprietary anymore, it's not even just on Microsoft. It goes beyond just one OS. We need to embrace this new modern paradigm of data is what matters. Don't let that get caught in devices or operating system, let's get caught up in as data moves and flows, as I send you a piece of data I still want to control it. I don't want you to be able to send it to 26 people without my permission, it's my data and that's important to me as a business. We need to keep driving that perspective and that philosophy home.

Hiner: What does that look like in terms of a solution? Is that an installed solution on each device? Is it a way to encrypt the data? How does that work practically if I'm a company, and I want to install that solution?

Hansen: You purchase it just like any other software-based solution. For your employees we load an agent, as an employee want to control data, but not create too much friction, sorry. If I was to send you a document from my Dell account to your account I can send it to you, there's a little bit of friction that says, "Do you really want to send this? This person's not a part of Dell." I say, "Yes," you automatically have access to that document. Again, the company still controls it, so I have data rights management over the top of this, so I can control, do you print, do you copy, do you paste, do you expire, do you embargo. I can prevent you from sending it to someone else because maybe it's just for your eyes only.

The most important element is I can monitor what's happening with that document. Think of the whole new world of cyber intelligence that opens up as we start to look at every document being a source of intelligence. Where is it? Who's accessing it and what are they trying to do? You bring that into a broader SIEM and now you can really start to identify what's happening in your world focusing on the important stuff, data, not endpoints, networks, data centers.

Hiner: Your own solution, does it work across solutions, Office 365, Google Docs?

Hansen: Absolutely. It has to because that's, again, the new world that we live in. That's why what I think is important is taken, even though I know Dell is a major manufacturer, we also are focused on how do we help our customers transform? We've heard loud and clear from our customers they want to empower their workforce, they want to be more collaborative and flexible. They love the idea of an employee being able to pick up a piece of glass and access the applications and data they need. That's a great story, but you have to do it securely.

Hiner: That push and pull between efficiency and security, where does that net out in terms of what the industry needs to do to really move forward? We know we've got a security problem clearly, security has been getting worse and worse, incidents have been increasing. Where do you feel like the industry needs to go in terms of managing that convenience versus security, and what can be done to improve it?

Hansen: I talk to customers almost on a daily basis and from the interaction I have from seeing best practices, from seeing some very worst practices I usually come out to three key themes. First and foremost, have a strategy specifically for your workforce in your ecosystem. Your own employees, your partners, your contractors, supplementals. What is my strategy? So many companies they build body security tools, they implement them, and they're like, "Well, this is a working," because it wasn't aligned to a broader strategy. What is your strategy? Are you a manufacturing company? Are you going to have large numbers of partners and suppliers? Are you going to be more of a holistic, standalone, isolated organization? That's going to influence the policies and then, ultimately, the tools.

Once you have your strategy then it's your policies. Make sure you clearly articulate those, make sure your employees understand them, as you called out earlier make sure they're relevant to the employee. I'm not just broadcasting this dictatorial set of actions, I'm helping inform you of how you can do a better job as an employee.

Then, third is the tools. For the tools it's all about moving away from walls and moving towards protecting the data. Protecting the data's not building a wall, it's acknowledging it's going to move, it's going to be shared, and that's a good thing, but do it in a secure manner.

Hiner: Very good. Moving from, again, this network centric security model to that data-centric security model not even just in the cloud, not even just on mobile devices, but even from a desktop perspective as well.

Hansen: It's going to be everywhere, you need to protect it everywhere.
