Beat the bad guys

Symantec’s Nigel Beighton believes information integrity can strike the balance between availability and security — and protect you against quick-witted hackers

  • E-Mail
By  Caroline Denslow Published  June 5, 2005

|~|main_interview_symantec.jpg|~|Symantec’s Nigel Beighton believes a trust model is key to the relationship between a company and its customer.|~|In the information age, it is natural to consider data as the most important part of anyone’s business. That is why protecting and managing information and making information work for you should be on every company’s agenda. Information integrity is a new approach, which Symantec has designed to help companies make information both 100% available and 100% secure. According to Nigel Beighton, director of enterprise strategy, Symantec Europe, Middle East and Africa, information integrity is about ensuring information is easily accessible to those authorised to use them while at the same time making information inaccessible to hackers and phishers. IT Weekly sat with Beighton who defined Symantec’s information integrity strategy and how the company plans to leverage on its core strengths and acquisitions to develop solutions that will make the balance between security and availability possible. What is Symantec’s approach to information management —what you call information integrity? In very simple terms there are two sides to it: there’s the protection side and there’s the availability side — you protect it from everything that’s bad, and the availability aspect to it is to keep it up and running regardless. What it means is protecting it and making it available. The more interesting sub-line that runs under that is a good question about security. That is, you have security for two reasons. One is that bad guys exist. The second one is, if the technology is generically secure, we really don’t have to protect it. If you look at things like doing data backup, it is a very simple function in business terms but it is an important step for both legal reasons and security reasons. In terms of backup, people used to do it for two reasons: one is ad hoc; because they hit the [save] button. They just decided to do that in that point in time. The second is because it’s scheduled to be done on a certain time, for example, a company does data backup every Friday night. But really, that’s not reacting to threats that come from outside. The third bit, which is what customers need to understand, is that the level of risks has increased. Therefore, your IT infrastructure needs to be able to respond to that level of risk. That’s where we are going with information integrity. All functions now should be aware of risks, whether it’s your clustering, your fail-over or your backup so that you will be kept aware, so that you will be able to react to risk. It’s about being ready when the level of risk increases, that if a company gets compromised, it’s still okay because it has reliable backup systems. There are two parts to that: one is building the necessary technology while the other one is about having the content and the view of what the bad guys are doing, because having that view and being able to feed that to the technology can help you react quickly enough. One thing we have learned about how hackers operate is that it’s a speed game. The average time it takes for them to build a threat is about five and a half days, or sometimes it’s even quicker. And there’s no way for people to rush around backing up things. What you want is that if the level of risk has increased — there’s a software vulnerability found that relates to your software — the whole system takes an automatic backup. That’s what we have to get to, to having the whole infrastructure securely protected. With information management, Symantec says companies can benefit from regulatory compliance, resiliency in infrastructure and protection from online fraud management. Can you explain how? The regulations are certainly becoming a much bigger area as people look to want greater assurances in their investments. The reason you’ve got Basel II is because they want to make sure that there’s transparency in their market, to make people feel comfortable investing in companies. Part of that reason is they want to have some penalties to make sure people do the right things. People also want to know about risks. If I was an investor, I want to know about political risks. I want to know more about government risks. I want to know more about shifting markets and competitive risks. Because IT now is so much part of people’s delivery — and more importantly — business is now suddenly all about dealing with customers, what is happening now is the risks involved are more about customer risks. One of the big risks for customers is somebody stealing their information and misusing it. It’s not just the fraud issue: it’s also about reputation. You can think of so many companies that have built their whole business on the reputation you trust them to deliver. If I look at the whole range, eBay for instance, it’s all about a trust model. People want to trust you. The reason why security is becoming more important is because they want to know about risks and equally they want to know if they can trust the company because they don’t want to experience any security breach or issues. And if they are having these problems, they are assured that these issues are being reported so that they will be fixed; that these things don’t get hidden. In terms of legislation you look at things such as the California 2003 Customer Act. You’ve got a situation where that is now being seen as a very good act that was put in place and which will be rolled out for customers across the US. It basically says that if you hold customers’ data and you think there may be a breach —you think somebody might have taken the data — then you need everybody know, you need to let the customers know, and you have a responsibility to do that. And it’s important because a lot of people wonder why this is important or why their information matters to companies. The number one crime on the internet right now is theft of human information — theft of human ID. If I steal your credit card I can probably get about US$2,000 to US$3,000 before my buying patterns give me away. But if I steal your ID, if I steal your social security number, your passport number and your name, I can set up a bank account and get up to 20 or 30 times more than stealing your credit card. That’s why we are so concerned about the theft of ID. That’s why the California Act was put in place because people want to know that their information is not misused. How do you apply those examples in the local scenario? You have a huge number of international companies here and if they want to raise cash or capital effectively they’ve got to go to worldwide markets. So therefore, fitting to those markets is important especially in the finance side. Laws that are easy to implement; laws that are enforceable get passed around and everybody copies them and everybody uses them. These laws become more important especially when you think about protecting consumers. Protecting home users becomes very important to government and to states because the internet really does a lot to a country to develop. It allows better education, it allows so much more to happen. Therefore, you can’t have those people abused because as a state you have a degree of responsibility to protect your citizens. The states also have an interest of trying to protect their population and their people and therefore the whole thing of why do you protect them? Why did the California law come along? That kind of legislation is what governments will put in place. People have to take responsibility for that kind of information because they want to protect their citizens. Resilience in IT architecture is about the fact that your whole infrastructure has to protect itself. IT infrastructure before now did not respond to threats. What we’re making it do is to respond to threats. The online fraud side relates to protecting the consumer. It’s such a big issue. Basically, hackers have learned why bother attacking a technology product when attacking a customer is so much easier. It’s so easy to trick people. And that’s a big issue to banks. It’s a massive issue to banks because the banks need to drive down the cost of their operations. And really driving down cost is not to have so much physical locations. It’s also to get to people who can’t get easily to services. Banking online is vital to banks because not only does it increase the level of their services, it also gives them a huge amount of cost savings. Banks worry about phishing because although it’s the consumers who seem to take most of the pain from it, at the end of the day, what you want to avoid is for people to lose confidence in online banking. What products will be rolled out under the information integrity initiative? It’s really driven by two things: availability and protection. For a long time now the protection side is our core business. Quite recently, in the last two years, we’ve acquired some company in the availability space; the reason being we knew we have to bring them together. We cannot just be in the protection space because that’s leaving everything on the edge of things. As we go forward, security has to be permanently built into a resilient infrastructure. You can’t just put it on the edge of the network. So we have the protection capability, that’s been our core business. When we realised that going forward the whole IT infrastructure has to be resilient and has to be able to respond and to be threat aware, from that intelligence we decided to go for a degree of acquisitions. The first ones were in the likes of PowerQuest, which were to do backups, and how we’ve come down to the integration with Veritas, which is all about putting together the availability side with the protection side. How do you leverage on these acquisitions? We have to integrate everything. It’s taking the security knowledge and the content and intelligence because part of what we have is the ability to understand what is going on in real-time environments. We watch what’s going on from a central network and feed it into our other IT operations. Does it make sense for a company to trust a single vendor for its information management solution, given that different software and hardware devices handle business data? Can one company provide the necessary tools to manage data given that it covers a lot of different areas? The most important bits are not about security through diversity, it’s not about the end product, it’s not about the firewall, it’s if you can pull in information. Pulling in the information together to make a decision is what’s really is important. If people want to diversify to a degree to have a different firewall here, different things there, that’s fine. That’s a commercial decision. A lot of people are simplifying things. At the end of the day they want simple lives and simple contracts. And they’ll have to deal with so many suppliers. Some people may choose to always have different technologies. The most important bit is to pull in all the information together. It’s not the end devices that make the difference; it’s the central correlation that’s the fundamental aspect. According to Gartner, there are still significant gaps in your information integrity initiative, which Veritas’ utility computing strategies cannot address, such as the need for an enterprise event console, business service views, help desk functions and enterprise-class workflow. How do you plan to address these gaps? At the end of the day we need to concentrate on what we are doing now, and getting that working and getting that right. The natural first step is to put things together — the protection and the availability side. There are other areas that are missing, such as the lack of authentication and encryption, but it is actually better for us commercially because that helps us, pushes us to partner with other people and we’re very happy to partner with those people who do that because that’s not really a part of our core business. Where do you see information management heading? What we have to do is to establish the importance of information integrity because there’s a lot of companies sitting there thinking I need product A and product B and a bit of firewall and they just think if I build a wall I’m quite happy. That’s not the point. They need to think about information and information protection and how they are going to do it. A lot of people buy some of the security technology available when they don’t really need it. They should think about what they are going to protect, rather than just getting items because that’s what they think they need to have. It’s not. You should think about what you are trying to protect. So we have quite a bit of a task going forward — getting people to sit there and identify what they are really protecting, and that’s where they should actually spend their money. Therefore, what we have to do is to convince them that they should be aware of those issues.||**||

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code