The ‘wired for security’ approach for adapting to the new IT-saturated world is the subject of Enrique Salem’s scrutiny expressed in this section.
If we want real protection, we have to let go of the lockdown mentality, and we have to think about this notion of what we’re calling “wired for security”. Now let me talk a little bit about how this works. As we look at what the digital natives are doing, they’re creating a lot of complexity. And so our current security model on its own will not get the job done. We need something new, we need to rethink how do we secure the enterprise. More than just bigger and stronger protection, we need to stop being the people that say “No”, and partner with our user communities. We need an entirely new layer of security, as connected and as mobile as your workforce, that allows us to maintain strong governance, compliance and control without impeding good work.We need a layer of protection that is wired for social and wired for security. But it’s one thing to say “wired for social” and “wired for security”. But the question is: how do we make it happen? How do we make it possible? I think we need to start by defining it. What we’re going to need to do is deliver authentication, authorization and auditing, but in a new way. This new layer of protection will have to have a very sharp focus on a few things. The first thing you’re going to need is very flexible identity management. It will have to be built on an expanded definition of identity established through credentials, through device, through geo and policy – as close to a single sign-on as possible, with access control and user management across all cloud-based services, including your employees, your business partners and your customers. It will need to handle all forms of sign-on that are being used every day. It will need to be able to de-provision users when they leave your organization – not just their accounts, but also remove the information that they were accessing. It will have to work with our existing identity management solutions. This new layer of protection requires a new kind of information security, an access control point, a new place to control where information leaves and comes into your enterprise. It will be a software gateway that recognizes identity and has an understanding of every piece of information that goes in and out of your enterprise. And that’s what’s key here. We’ll need a new notion of the old firewall. We need a reverse firewall to keep critical information in. It has to be able to watch the outbound flow of data. And that means this notion of “bring your own device” isn’t really about the device. It’s about how you organize and categorize information. It has to watch outbound flow of traffic, and it needs to look at it file by file, with more than just a binary “yes or no” control. It’ll need to be content aware, it’ll need to be intuitive and policy-based, with the ability to block when necessary, but also to encrypt without getting in the way of what your users are trying to do. And this new approach will also require complete auditing; full visibility into the flow of information between individuals in one company and another. It needs policy enforcement, clear definition of management, and it needs to work ubiquitously. It has to keep track of who is accessing what, to what level, with what device, depending on where they are and who they are. It has to record all access and information security events, monitoring the interactions between people and information, creating a cloud audit trail, giving you consistent visibility across internal and external IT resources.
Now, you and I both know what I just described is not an easy task. We’ve been talking a lot with our customers about how to do this, what’s worked and what hasn’t. And one of the things they continuously bring up is that we have to reduce the administrative burden to make this possible. We can’t depend on the end users tagging the information. So we need a broader set of policy. We need a system that can learn and adjust. It needs to be transparent, but always active, so that you always know what info you have and where it’s going.But the approach I’ve outlined is critical, but it’s not the only thing we need to do. Why is that? Because with this new generation come new vulnerabilities. We’ve seen every time there’s a new technological advance, it has brought an associated number of exploits. We know about Brain and Code Red and SQL Slammer, even Stuxnet which I talked about last year. The approach I’ve just outlined will not be enough, because advanced persistent threats have become more targeted. And this new generation assumes that the connected world is safe. They place so much information online that we must change how we protect identities, information and interactions.