This is the first time you will be speaking at an RSA Conference. Can you give us a sneak peek of what you are going to be talking about during your keynote?
I am going to talk about the increasingly important role of security in organizations. Companies are becoming more heterogeneous and dispersed. Meanwhile, a new class of mobile and wireless devices is emerging, and businesses are distributing more and more of their business functions, not only internally, but across a variety of providers. This is an incredibly complex networking environment that needs a very strong security infrastructure.
Furthermore, you need to have this infrastructure well integrated with management infrastructure and data management infrastructure. And we're learning as we work with clients that it is not simply what you access but where you access it from and what the access allows you to do. For example, you may allow people to look at their bank balance, but you may be very careful when that person tries to modify their balance. You may ask questions such as who they are and where are they. This whole notion of context and location in conjunction [with security] is becoming [critical].
Integration is going to become increasingly important. It has been too hard to implement the security that we should have.
Let me deal with the semantics with the word security. Security means a whole range of things: keeping bad things out of their environment; having access to the right things at the right time. Within the broad spectrum of what we call security, there are a large number of tasks and subtasks. The historical method of dealing with this in a granular way is making it more difficult than it should have been.
We need to see more and better integration of security from a data management aspect. [But there is] not going to be a one-size-fits-all approach. Threat management, for instance, will continue to evolve. Can I catch all the malware at the network level? [I can't say yes with] certainty. Therefore, I think you need to assume there will still be need for threat protection [at the agent level].
We're seeing insider threats to be one of the key priorities for 2007. What are you seeing from your customers?
I am on the board of Visa so I can see this from the perspective of the financial institution. This is an issue that worries them more than any other. Who has access to what and what is the separation of duties? How are they protecting sensitive information?
The [problem is] the systems we architected over the last 30 years are not at all architected with the protection of data in mind. Instead, they have evolved with a strong trust model in place. Now we are recognizing that the assumption of that trust model--to trust certain classes of users--is an invalid assumption.
Because of the fragmentation with the way systems are built, [there are] more and more points of entry for bad guys to get access to information.
Federation is becoming a very important business model for our clients, and the technology is going to need to evolve. There are very few people that provide all their own services internally. We do a lot of our own IT processes. But we outsource our 401(k) processing, employee user services, our HR services. Each one of those systems needs to be federated into a model. We still have responsibility for the security of the data and the protection of the users' information. None of that responsibility goes away. We're seeing more federation, more SSO.
But we need to come up with ways to make it easy, and the need for that has gone up dramatically. Unless we can provide a simple, easy-to-manage identity and access control system, the benefits are outweighed by the pain of users.
There were some recent reports of flaws in BrightStor ArcServ. What measures have you taken to address these vulnerabilities? What is CA doing to help ensure that its products are protected?
This is a challenge that all of us in the software business face. As much as we might try to implement best practices to ensure we don't introduce technology that has known flaws or ways of being exploited, we don't have a perfect system. CA has dramatically increased testing. We've put in place processes that look for all known bad coding practices. Yet it is still a fact of life that people are prodding and prodding. We get 10,000 reported vulnerabilities reported to us every month. This puts the onus on us to test and design for a world where people are doing those things. At the same time we've got to be realistic. No technology provides total protection, so there is a need for diligence.
You've built some of your security offerings through acquisitions. Are there any holes in your offering or technologies customers are asking for that you may make further investments?
The single biggest opportunity we see is customers moving from this gatekeeper view of security to a more integrated federated management infrastructure: The need to have access to information and data in the context in which it is being used and reduce the risk of abuse. This is very evolutionary and we see a trend to two-factor authentication. I still believe the IAM area has a great deal of opportunity and has a great deal of innovation requirements.
What type of security practices does CA employ? What keeps you up at night when it comes to security?
There are two things. We are diligent in the application of security. There is a point where you can make it so hard for users that you turn people off. And it is getting that balance right.
I worry as a CEO about people accessing systems that they shouldn't be. We need the right administrative processes in place. We need to make sure people are taken off systems when they no longer have a need to use them. This is very mundane stuff but today it is done more manually than it should be.