How to Secure the CloudEnsure Authentication, Encryption of Cloud Channels
Cloud computing continues to be a hot topic for organizations, says Entrust's David Rockvam. What issues should be top-of-mind when using the cloud, and how can organizations ensure security?
See Also: Security at the Speed of Your Network
"How you get there is going to be really important," says Rockvam, Entrust's CMO and GM of its Certificate Services business. Whether organizations are outsourcing and using cloud-based applications like Salesforce.com, or putting their own internal applications into the cloud, "You have to make sure you're securing the cloud," Rockvam says in an interview with Information Security Media Group's Tom Field [transcript below].
Organizations need to ensure that authentication and encryption are in place, Rockvam says. "You're going to have to be making sure that those channels to and from the cloud are protected," he says, especially mobile devices which are often used to access cloud-based applications.
In the coming year, Rockvam says more solutions will be introduced to enable users to authenticate to the cloud. Also, vendors will be placing solutions into the cloud for organizations to use.
"Instead of you running and managing that authentication solution or having your own certificates, why not go to a provider that puts that in the cloud for you," Rockvam asks.
In an exclusive interview, Rockvam discusses:
- How organizations are coping with BYOD;
- Cloud computing, authentication and other security challenges;
- The topics discussed at RSA Conference 2012.
Rockvam is Entrust general manager of Entrust Certificate Services and chief marketing officer. Rockvam joined Entrust in 1998 as a senior manager where he helped drive relationships with system integrators and consultants, and also lead marketing programs to help increase Entrust's professional services revenues.
Rockvam's broad experience includes significant involvement in Entrust's initial public offering in 1998. Since then, he has helped drive the company's customer value-add initiatives, enhanced analyst relationships and streamlined external communications across the financial and press communities.
TOM FIELD: To get us started, why don't you tell us a little bit about yourself and your experience, please?
DAVID ROCKVAM: I've been with Entrust for coming on 15 years now, so I've kind of seen Entrust through it's progression as a company and been around the security space for that amount of time as well. I've kind of filled many different roles, from strategic partnerships to running investor relations - as we're a public company - to our chief marketing officer and now I run our SSL business. Many people don't know - we've become the number-two player in SSL. That's been a really good growth area for us as we look in some of the newer areas around cloud and mobility - some of the things we'll talk about today. With my experience - I don't know what number this is - I'm probably on number 13 or 14 on my trips to the RSA conference. I've been hitting it quite a bit and looking forward to this year.
FIELD: There have only been 21 of them. The 21st is coming up so you've hit more than half of them easily.
ROCKVAM: I feel like it; that's for sure.
FIELD: You mentioned mobility. As you know, mobile security is a huge topic at RSA this year. What do you see as the key challenges that organizations are facing?
ROCKVAM: When you look at mobility, there are a couple of different things. I think we've been in mobility for quite some time but I think the real change this year has been a lot of people talking about BYOD, bring-your-own-device, as that has become a real challenge for CISOs, CIOs and the companies in general. In the past, you were issued a company BlackBerry and that was what you used and there was no debate about that. The company controlled that. The company made sure it was safe for it to be on the network, all those kind of things. With iPhone, Android and the tablets that have all hit, everyone two or three years ago started showing up at work with all these new devices and just expected them to be on the network. I think there was some resistance at first, but I think with the people I talk to out in the market, resistance quickly changed to, "We've just got to do it." I think that's the biggest change we've seen around mobility and the strong growth there. ... Companies ... can't just say no, so they've had to deal with it and that's creating huge security concerns for companies. That's what you're going to see a big focus on this year, how do we deal with all these growing numbers of devices and how do we make sure they're secure?
FIELD: That's a good point - BYOD. It's something certainly we're hearing about everywhere. It's not a question of whether organizations are going to be introduced to it; they already are. In your experience, how do you see organizations getting their hands around the security issues that come with BYOD?
ROCKVAM: ... One is making sure who that device belongs to. Then you can authenticate that device. Looking at that authentication, there are a couple of different things. You have to authenticate to the device. How do you unlock it, right? You have to have username and password. You have to have some type of authentication on it. Then it's, how do you make sure that device is the right one that should be authenticated to your network? So, you're putting digital certificates on it. Are you relying just on that username and password? What are you going to do, because that device has gone from just getting on your Internet to getting e-mail, to being able to access different applications; whether you're allowing someone to get on your network or whether you're allowing them to take that personal device or even company-issued device and use it to access applications in the cloud, like at Salesforce.com or Microsoft 365. It's becoming more and more important to make sure that the device is secure, that the data that's on it is secure and that the device is being used by the right person. The way we look at it is it all comes back to authentication, authenticating the person who has the device, authenticating the device itself and making sure that it's the proper person.
Cloud Computing Challenges
FIELD: You used a couple of key words in the last few minutes. One is authentication, which you just were talking about. You also talked about cloud computing. What are some of the key security trends that you and your customers are most concerned about this year and you think we'll be talking about at RSA?
ROCKVAM: Clearly mobility is going to be right up there at the top. And I think cloud is going to be not far behind it, because the way we look at it, a lot of what people are using these mobile devices for is to get at these cloud-based applications. So whether you're outsourcing or using a cloud application like Salesforce.com or Microsoft 365, or you're taking some of your internal applications and you're sticking them out in the cloud, how you get there is going to be really important and people are using mobile devices; people are going to be using their laptops and desktops. So you have to make sure you're securing to the cloud.
Then you have to make sure that the traffic running across that is then protected, so you're going to have the authentication there. You're going to have encryption and you're going to have to be making sure that those channels to and from the cloud are protected. I think we're going to see a lot of cloud solutions this year when I look at it, people wanting to enable you to authenticate to the cloud. There's also going to be the whole other side of it, which is people taking security solutions and putting them in the cloud for you to use. If you were going to want to go to enterprises in government and say, "Instead of you running and managing that authentication solution or having your own certificates, why not go to a provider that puts that in the cloud for you?" You can just call on the level of security you need when you want it and you don't have to worry about that. I think mobility and the cloud are going to be big issues this year.
Another thing you're going to see this year and I'm interested in is there were a lot of breaches this past year. What we've been used to is Zeus and other Trojans and breaches happening by malware, and that's still a huge and growing issue, but I think another issue that came up in 2011 was all of a sudden the security companies started getting hacked, from the RSA token issue to Vasco and DigiNotar, to now even Symantec has had some issues around some code that was hacked. Those are going to be hot topics this year because [for] customers, that's the question they're asking us and that's the question they're going to be asking people at the conference this year. How are you making sure that the keys to the castle are protected? I think that's going to be a hot topic for people when they're out and around. They're going to want to make sure that not only are the products you're selling me going to help me secure my employees, my business applications, my partners and my customers, but how are you going to ensure that your software and your products are protected and aren't going to cause a breach in that fashion? There will be a lot of talk this year around that.
FIELD: I was thinking that when you were talking about being number two in the SSL space, this is an interesting time to be in that position. You must be getting some interesting questions.
ROCKVAM: It is. When we talk to customers, that's something that is very high on their list now, and for us we think it's a good thing with our trusted brand and being in the security space for over 15 years as a company. We've grown up with security being paramount. We don't do anything without security and trust being top of mind and I think this has kind of been a wake-up call this past year to companies in the security space, that we have a duty to make sure that we're protecting those keys to the castle because our customers rely on that. In our customer meetings that's one of the first things that comes up and one of the first things our customers tell us. Getting something for a great price is one thing, but don't you guys cut, cut, cut inside to give us that great price just to be forsaking security levels. Make sure your house is in order and tight, because we rely on you.
Breaches Changing the Security Discussion
FIELD: You make a good point. As I think about it, this really is the first RSA Conference we've had since the significant security company breaches. What does that do to change the message you bring to the RSA Conference crowd, maybe change some or influence some of what you're announcing at the event?
ROCKVAM: With mobility and cloud, it brings a brighter spotlight to the need and requirement for security. What we're going to be talking about at the RSA Conference this year is going to tie in with a lot of things we've talked about. We're really going to be leaning into mobility, so what our products can do around strong authentication and keeping mobile devices secure and enabling those devices to be used for the key applications that your employees want to use them for, as well as how we then protect a lot of the cloud-type applications. I think that's going to be key to us. Then, also another part that's going to be big this year is our tie-in with the MDM providers, the mobile device management guys. I think those people are going to be front and center this year as well. We look to show some partnerships in those areas.
FIELD: A final question for you. You're an RSA veteran, as you say. What's your advice for attendees to maximize their experience at RSA Conference?
ROCKVAM: You've got to get around and see everything that there is. I mean there's a lot out there. ... If you're going to the sessions, there are a lot of great sessions out there. You have to balance that with time you want to spend on the floor seeing some of what the vendors have to say, and I think what you have to do is you have to ask for the demos and see what's real out there and make sure that those vendors you're looking at really push us, push the other people, push us around, make sure what we say we're doing we're really doing, and I think you have to ask the tough questions of the vendors that are out there. Are you making sure that the keys to the castle are protected in your company? I think those are some questions that people haven't asked in the past. I think those are good things. I think it's just about getting out there and meeting a lot of people. If you're new into the security space, it's a tight network of 15,000 people that will be there. But going there 15 years in a row, it's amazing how many faces that I see are the same, so you start to make those contacts and year-over-year you see where people have moved around to. It makes a really good networking event as well.