RealTime IT News

Art Coviello, President, RSA

Art Coviello RSA Conference 2007 is history, but the show provided a lot of security food for thought.

For example, the pervasive theme was that IT security will soon become so tightly integrated into the IT infrastructure that the standalone security market will dwindle down to innovative startups. So we can expect a lot of consolidation in the high-tech industry on that front.

That was a key theme of the keynote delivered by Art Coviello, executive vice president of EMC and president of RSA -- EMC's  security division –- who lived through an acquisition of his own company last year. Coviello fleshed out the points he made in his keynote in a discussion with after the show wrapped.

Q: What was your impression of this year's RSA conference?

Every year we say "It was the best conference ever." But it seems to get better and better. We had maybe 60 to 80 more exhibitors than the prior year -- about 360 exhibitors. We had 17,000 attendees, which is an all-time high. We had 2,300 submission spots, about 500 people spoke. It was incredible. We think it was pretty rich in terms of content.

Q: At the beginning of your keynote, you complimented Bill Gates for adding the security features he did to Vista. Were you saying that tongue-in-cheek, or was that sincere?

No! I get asked that. It was very legitimate. People are just so freakin' tough on Microsoft. I give Bill a lot of credit for leadership and I congratulated him for it. He deserves a lot of credit for coming to RSA four or five years ago when it was a hostile environment for him to step into. That took courage.

Technology like BitLocker in Vista is a good addition. I think a lot of the things that they did around the kernel to protect that operating system was right on. Give them a break. I think they've worked hard. So, it was genuine.

Q: You said in your keynote that in a few years we won't have a standalone security market. What's your reasoning for that?

I really was trying to drive the point that IT infrastructure and IT security are coming together, and I genuinely believe there won't be a standalone security industry. What people didn't seem to pick up on is when I said there would be a few innovative startups and that there would be standalone applications.

I had an interview today where the person asked what benefit does an EMC customer get from buying SecureID from you that they couldn't get from buying SecureID from you as an independent vendor.

And I said "largely nothing." Standalone security applications like SecureID would be pretty important. But let me put it to you another way. What about using SecureID for access to a Web application? What if you got Web single sign-on and access control for users' rights and privileges? What if those user rights and privileges gave you the opportunity to get at encryption keys that were managed by us, and you use those keys to decrypt sensitive information that you, as a rightful user, needed to get at?

That continuum of security technologies created would tie nicely to information that would be stored on an EMC platform. So it makes abundant sense for EMC and its overall information infrastructure strategy to have us as a key component and provide that continuum of technology into the information that is stored on an EMC platform.

And yet, I could take SecureID, which was at the start of that chain, and have it used as an independent element in another solution that might work with a whole host of other vendors' products.

Q: So even though EMC acquired RSA, you still position SecureID as a standalone application.

Exactly. I guess you could say we have an independent franchise to build out security technologies. But in time, a lot of what we do will accrue to the EMC product lines.

Q: How deep will the integration go? Will we see it across the Clariion line, and how is it going to play into Documentum, SMARTS and Infoscape technologies?

RSA will play into all of them. The question is not one of opportunity, but prioritization. I just came from a meeting with a major money center bank in Manhattan. I was meeting with the CIO for a major EMC and RSA account...I was going through the rationale of the merger. He was saying one of the issues they have is with the information that goes to tape and which of those tapes need to be encrypted.

He's talking about how they need to do a better job deciding which information is important enough to encrypt. I said, "We haven't talked about security yet. You're just making the argument for why EMC and RSA got together because what you're talking about so far is an information management problem that ends up with security implications and ramifications that we can help you with. Wouldn't it be nice to have the ability to classify and tag that data and have our ability to encrypt it for you?"

He said, "That's exactly what we're looking for."

Q: How is RSA going to flesh out its plan to deliver this information-centric security?

Protecting the information can be done in a layered fashion and in oblique ways. One is to protect data from people who can get at it. So things like authentication and access control, even though it's centered on people, are really protecting the information and creating a layer of protection.

But at some level anyone can encrypt an application or a desktop file, or a database or a file on a file server, or information on disk or tape. Our strategy would be to encrypt it across all of those, either with partners or ourselves and manage the keys and have the system to do it.

But information has this nasty habit of always wanting to travel, and it doesn't always want to be at rest where you can encrypt it. How do you protect the flow of the information when it's in use?

We've mastered pattern-recognition technology to identify people. Why can't we apply similar technology to identify flows of information? Why can't we create policy-enforcement engines so that when we spot anomalies we can stop information from flowing. That's really how I see us building out our portfolio.

The other thing I talked about is the ability to audit. We have an audit technology we acquired from Network Intelligence. That product gathers huge amounts of data around incidents and events that we can correlate and spot patterns.

We're going to do internal development around the pattern recognition. We might supplement it with other technologies that we develop or buy. I wouldn't necessarily rule out an acquisition by us in the data-leakage space.

Q: Any other areas you're looking to either build or buy to bolster this information-security plan?

We're looking at doing more fine-grained access control, and that could be a build or buy to add to our Web access management capability. Other areas that we're interested in would be expanding our portfolio in fraud monitoring in the consumer sector and anything we can do. That's essentially it.

I told EMC's board of directors that with the components we have today, we have enough to build a $1 billion franchise that Joe [EMC CEO Joseph Tucci] talked about at the time of the acquisition and that anything else we bought we would view as on top of that.