Posts Tagged ‘EMC’

EMC’s Approach to Vulnerability Response

Reeny Sondhi

Reeny Sondhi is Sr. Director, Product Security Engineering at EMC Corporation. She is responsible for driving the strategy and execution of EMC’s software security program including EMC’s Security Development Lifecycle, a company-wide initiative to build secure products. She also leads EMC’s common security engineering technologies and the EMC Product Security Response Center, which is responsible for managing and resolving security vulnerabilities in EMC products. Additionally, she has responsibility to lead the security certification strategy and program for EMC products.

Let’s face it – real software products have security vulnerabilities! While building strong secure software development practices goes a long way towards detecting and helping to eliminate security vulnerabilities during the development process, a strong product security program also needs to be prepared to properly handle and respond to security vulnerabilities found in the product after it has shipped.

Secure Software is Getting High Level Attention

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions.

On May 15th and 16th in Washington, D.C. hundreds of secure software practitioners gathered for the first Security Development Conference organized by Microsoft. What made this conference unique was not so much the focus on secure software practices as it was the quality of the speakers and of the attendees.


Happy Anniversary to Microsoft Trustworthy Computing Initiative

Eric Baize

Ten years ago this month, Bill Gates issued a memo to all Microsoft employees announcing the Trustworthy Computing Initiative. Development was halted for several weeks to review code and to train Microsoft software engineers on security. This memo was later followed by the publication of Microsoft’s Security Development Lifecycle, as well as the release of multiple security tools. Michael Howard from Microsoft recently provided an insider’s view of this anniversary in a blog post. Let me share with you my views on the impact of Microsoft’s security push on EMC and on the industry as a whole.


In Cloud We Trust…

Eric Baize

Throughout 2010, surveys have shown how the lack of trust in cloud computing is slowing the adoption of cloud services. This week at the RSA Conference in San Francisco, California, securing the cloud is on everybody’s mind. Not surprisingly, many are still outlining a piecemeal approach to cloud security using the same recipes that have not worked in the past several decades. However, several credible and powerful voices are emerging from the noise to offer a much more compelling approach to accelerating the adoption of cloud services. The idea is to build a new comprehensive cloud trust model that exploits the unique characteristics of cloud and virtualization. Now, the good news: Leaders in cloud computing are making trust the centerpiece of their strategy and the technology to build this trust model is available now.

In a vision paper entitled “Proof Not Promises: Creating the Trusted Cloud”, industry veterans from EMC, RSA and VMware share their vision for trust in the cloud. The authors have updated Ronald Reagan’s formula for controlling the Soviet Union, “Trust but Verify”, into its cloud equivalent: “Trust = Visibility + Control”. The paper provides a convincing and inspiring perspective that wraps together several of the concepts we have previously discussed in this blog: the opportunity to use virtualization to provide better security, and the irreversible evolution towards information-centric security that is built into cloud infrastructures. The juxtaposition of these concepts with very concrete technology proof points, and the endorsement of industry thought leaders, make the paper a must-read for any IT decision maker who wants to reap the cost and agility benefits of cloud computing sooner rather than later.

In a related announcement that makes this vision even more concrete, we (the RSA cloud team) announced the Cloud Trust Authority, a set of cloud services that gives cloud customers control and visibility over cloud providers. In its initial instantiation, the Cloud Trust Authority will provide control of enterprise identities and visibility into cloud providers’ compliance posture. The Cloud Trust Authority Identity Service is a cloud-based identity federation hub that enforces strong authentication and controls access to cloud resources. The Cloud Trust Authority Compliance Reporting Service provides cloud customers with compliance reports on cloud providers, based on the Cloud Security Alliance GRC stack. We all believe that this new trust model will drastically simplify the trust relationship between cloud customers and cloud providers by using an intermediary, the Cloud Trust Authority, to handle the most complex technical integration required to provide compliance and to secure identities, information and workloads in the cloud.

What I like the most about the trusted cloud conversation is its tone. It completely changes the role of the IT security department from a whining team that everybody avoids to a critical partner in the definition of the enterprise’s cloud strategy. All of a sudden, the security team is solving the identity management, information control and compliance problems, and is sitting between the IT department and the cloud promise of flexibility, agility and cost reduction.

Forget the surveys, the industry is getting ready for a new cloud computing motto for 2011 and beyond: “In Cloud we Trust”.

Cloud and Virtualization: Surpassing current levels of security

Eric Baize

Earlier this month, RSA, The Security Division of EMC, released a new RSA Security Brief entitled “Identity and Data Protection in the Cloud: Best Practices for Establishing Environments of Trust.” This Brief is authored by security and virtualization experts from VMware and across EMC, and offers guidance and actionable best practices for organizations faced with the challenges of securing identities and data in the cloud.

The brief received a lot of good press coverage in outlets such as SearchSecurity and DarkReading. The brief also reinforces one of the core tenets of EMC’s cloud security strategy: our strong belief that virtualization and cloud are major disruptors that will lead to new architectures with levels of security that surpass what you can get in traditional IT architectures.