Posts Tagged ‘RSA’

EMC’s Approach to Vulnerability Response

Reeny Sondhi


Reeny Sondhi is Sr. Director, Product Security Engineering at EMC Corporation. She is responsible for driving the strategy and execution of EMC’s software security program including EMC’s Security Development Lifecycle, a company-wide initiative to build secure products. She also leads EMC’s common security engineering technologies and the EMC Product Security Response Center, which is responsible for managing and resolving security vulnerabilities in EMC products. Additionally, she has responsibility to lead the security certification strategy and program for EMC products.

Let’s face it – real software products have security vulnerabilities! While building strong secure software development practices goes a long way towards detecting and helping to eliminate security vulnerabilities during the development process, a strong product security program also needs to be prepared to properly handle and respond to security vulnerabilities found in the product after it has shipped.

Split-value Cryptographic Authentication: Building Advanced Threat Resistant Software

Eric Baize


Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions.

Advanced Threats are deeply impacting the way we develop secure products by fundamentally changing our working assumptions. We used to design and develop products to be attack resistant assuming that the environment where they will be deployed may be compromised. We now have to develop and design products assuming that every system in the customer environment, in the development environment and in the supply chain may be compromised.

In Cloud We Trust…

Eric Baize


Throughout 2010, surveys have shown how the lack of trust in cloud computing is slowing the adoption of cloud services. This week at the RSA Conference in San Francisco, California, securing the cloud is on everybody’s mind. Not surprisingly, many are still outlining a piecemeal approach to cloud security using the same recipes that have not worked in the past several decades. However, several credible and powerful voices are emerging from the noise to offer a much more compelling approach to accelerating the adoption of cloud services. The idea is to build a new comprehensive cloud trust model that exploits the unique characteristics of cloud and virtualization. Now, the good news: Leaders in cloud computing are making trust the centerpiece of their strategy and the technology to build this trust model is available now.

In a vision paper entitled “Proof Not Promises: Creating the Trusted Cloud”, industry veterans from EMC, RSA and VMware share their vision for trust in the cloud. The authors have updated Ronald Reagan’s formula for controlling the Soviet Union: “Trust but Verify” into its cloud equivalent: “Trust = Visibility + Control”. The paper provides a convincing and inspiring perspective that wraps several of the concepts we have previously discussed in this blog: the opportunity to use virtualization to provide better security and the irreversible evolution towards information-centric security that is built into the cloud infrastructures. The juxtaposition of these concepts with very concrete technology proof points and the endorsement of the industry thought leaders make the paper a must-read for any IT decision maker who wants to reap the cost and agility benefits of cloud computing sooner rather than later.

In a related announcement that makes this vision even more concrete, we (the RSA cloud team) announced the Cloud Trust Authority, a set of cloud services to provide cloud customers control and visibility over cloud providers. In its initial instantiation, the Cloud Trust Authority will provide control of enterprise identities and visibility into cloud providers’ compliance posture. The Cloud Trust Authority Identity Service is a cloud-based identity federation hub that enforces strong authentication and controls access to cloud resources. The Cloud Trust Authority Compliance reporting service provides cloud customers with compliance reports for cloud providers based on the Cloud Security Alliance GRC stack. We all believe that this new trust model will drastically simplify the trust relationship between cloud customers and cloud providers by using an intermediary, the Cloud Trust Authority, to handle the most complex technical integration required to provide compliance and to secure identities, information and workloads in the cloud.

What I like the most about the trusted cloud conversation is its tone. It completely changes the role of the IT security department from a whining team that everybody avoids to a critical partner in the definition of the enterprise’s cloud strategy. All of a sudden, the security team is solving the identity management, information control and compliance problems and is sitting between the IT department and the cloud promise of flexibility, agility and cost reduction.

Forget the surveys, the industry is getting ready for a new cloud computing motto for 2011 and beyond: “In Cloud we Trust”.

Cloud and Virtualization: Surpassing current levels of security

Eric Baize


Earlier this month, RSA, The Security Division of EMC, released a new RSA Security Brief entitled “Identity and Data Protection in the Cloud: Best Practices for Establishing Environments of Trust.” This Brief is authored by security and virtualization experts from VMware and across EMC and offers guidance and actionable best practices for organizations faced with the challenges of securing identities and data in the cloud.

The brief received a lot of good press coverage in outlets such as SearchSecurity and DarkReading. The brief also reinforces one of the core tenets of EMC’s cloud security strategy: Our strong belief that virtualization and cloud are major disruptors that will lead to new architectures with levels of security that surpass the level of security you can get in traditional IT architectures.

The Security-aware Cloud

Eric Baize


To build security into the IT infrastructure demands much more than secure software. It is also about having the IT infrastructure products deliver intrinsic security value as a core capability of the product and fully integrated in terms of management and enforcement with the other non-security related capabilities of that product.

The proof-of-concept of the integration of EMC Atmos cloud optimized storage with RSA Data Loss Prevention (DLP) Suite, which we demonstrated at the recent EMC World 2009, is the perfect illustration of how security integrated into the infrastructure can (more…)