A rapidly evolving threat landscape and fundamental changes in the way information is accessed and used are driving the need for a substantial overhaul of long-held security practices, industry leaders said at the launch of the RSA security conference in San Francisco.
"Our industry is ripe for a transformation," said Art Coviello, president of RSA Security, the security division of EMC. "Security has become much more about imposing limitations, and it is time for that to stop."
Rather than perimeter defences, what is needed is a more "information-centric" security model that still allows for new ways of using information, he said. The approach means making security an integral portion of the business rather than a bolt-on component. "We need to build dynamic security right into our information infrastructure. It is no longer enough to take an outside-in approach by building a fortress," he said.
Delivering the inaugural keynote address, Microsoft chairman Bill Gates urged companies to think beyond traditional "glass-house" and perimeter-centric security strategies focused largely on keeping intruders and malicious activity out of corporate networks. What is needed, he said, is a "far more powerful paradigm" that uses security as a way to secure information access, not as an impediment to access.
"People want more access" to information, and they want that access at any time, from wherever they happen to be, and via whatever device they happen to have, Gates said. "Traditional network perimeters are fading away," mandating new approaches to security, he added.
At the same time, the threat landscape has evolved in dramatic ways, said Craig Mundie, Microsoft's chief research and strategy officer, who shared the keynote address with Gates. When Microsoft first started working on its Trustworthy Computing initiative about six years ago, most attacks were carried out by script kiddies looking for notoriety, he said. Today, attacks are a lot more serious and "nefarious" than they used to be.
"We kind of built our systems assuming everybody was really good and we knew who they were – and as long as we were secure within the enterprise boundary," that was good enough, he said.
Going forward, the focus has to be on figuring out ways to enable easier information access while ensuring proper user and device authentication, data integrity and confidentiality, he said.
The use of internet protocol security (IPsec) technologies for instance, can allow for better user and device authentication on an enterprise network, he said. Similarly, rights management technologies are needed to exercise better control over information and who has access to it, he said.