Hard security

Keeping the digital nasties away from the enterprise network is a never-ending task that can be a significant drain on resources. ACN sits down with Thorsten Stremlau, principal security consultant for Lenovo EMEA, to explain further.

By Nathan Statz. Published October 18, 2009, Arabian Computer News.

Are you mainly interacting with clients on an implementation level or with CIOs on a strategy level?

From a strategy level all the way through to an implementation level.

Today the presentation I held was mainly on strategy at a very high level. On the other hand, I also get involved with projects – for example implementing biometric solutions in schools or developing methodology for safely encrypting hard drives once data has migrated across.

Do you believe we will see more research and development into hardware-based security measures?

Yes, absolutely, the trend – and it’s been going that way for a number of years – is to go with hardware security. What we have seen from our perspective is the integration of the trusted platform module (TPM). If you research my name you will see that I’m both positively and negatively associated with the TPM. The negative associations come from the privacy groups, who obviously launched a huge campaign against the TPM because they primarily thought that Microsoft was going to use it for digital rights management and application protection. The positive ones come from the fact that I have worked with the TCG in many areas to integrate the TPM, the security chip, into a host of different applications.

I was actually one of the guys that helped integrate the TPM into ThinkPads and ThinkCentres in 1999. I guess from that perspective, embedding the TPM was the first step towards a hardware-based type of security environment.

In your interactions with Middle Eastern CIOs, do you find they have the same concerns and levels of understanding as those you deal with in Europe?

In the Middle East it is actually a higher one. I haven’t been able to find out exactly why it is yet, but in Europe as a whole it seems as if security is a cosmetic mechanism. Something that is really prevalent is ‘I’m going to implement something that somebody told me is security, then I can put a check in a box that says I have implemented security.’ In the Middle East, one of the things I am finding when I come down here is that people poke into the technology – they query: “Why does that make any sense?” They query the loopholes that they’ll find. They just have the perception that I’m down here and there’s more interest in the actual security than just putting a tick in the box.

There are constantly reports about how botnets, spam and viruses are all getting worse – is there any actual good news in security?

Actually I think so; all of the bad news is leading to one thing – user awareness. I can throw as much technology at security [as I like, but] it is never going to improve if that one person carries a document out the door in paper form. The positive news that I see from a security perspective is that all of this bad news is increasing the general user awareness of security problems. A couple of years ago, when a popup appeared in Internet Explorer saying “Do you want to install this free software?”, users would immediately click ‘yes’ before thinking about it. Users now are aware of phishing and malicious code and won’t do it; they will simply click ‘no’ twice before they click ‘yes’ once.

With the amount of threats and security risks, how do enterprise buyers prevent themselves from spending too much on security?

You should never implement security without doing a proper return on investment (ROI) analysis. There is a very clear ROI on security and you always need to know the value of your data. If that piece of paper is worth US$2,000 then you should never spend more than $2,000 protecting it – very simple. My goal as a security consultant is to make it $2,001 expensive to try and hack and get that piece of paper. I’m never going to sell a customer a solution that is going to cost $10,000 to protect data that is only worth $2,000. It’s one of the bad features of the security industry – that of selling by fear. You shouldn’t sell by fear, you should sell by ROI.

Are you encountering CIOs that are still spending in the region?

Yes, especially in the region. There was a bit of a time I guess where it slowed, but at the moment, talking to all the guys here, they need all the help they can get.

When Windows 7 is officially released and available, are you planning to produce a range of Windows-7-only laptops?

We will continue to support XP until 2012 officially. If I tell you that, I can also tell you that I have about two or three dozen customers for whom I am still supporting Windows 2000.

It depends on the size of the customer but officially support for XP will end in 2010 and I don’t know when support for Vista will end. We will continue to support all of the operating systems, and XP is a vastly popular one.

Even after Vista was introduced and the majority of corporate companies were still on XP, for us to go: “Sorry guys, we’re dropping this,” the market would rebel and we’re not going to do that.

Thorsten Stremlau is the principal security consultant for EMEA at Lenovo.
