QUESTION & ANSWER

Solidcore CEO to focus security on virtualization

By Dennis Fisher, Executive Editor 04 Dec 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

There are a lot of concerns around how easily virtual machines can be turned on and what the security model is there. And those are legitimate concerns. Anne Bonaparte CEO, Solidcore Systems Inc.

How has the focus of the company changed since you took over as CEO?
Anne Bonaparte: I've been taking it to the needs customers have around compliance, and specifically around PCI compliance. PCI seems to be the best fit because it's the most prescriptive and it has actual deadlines. We have very interesting technology and in the beginning it can suck a lot of time when you're going out and marketing and telling people about the technology. But Rosen [Sharma, Solidcore's former CEO and current CTO] did a great job with that and now we're in a position to really work on the customer problems. We're in that stage of the business where we have money in the bank, the product is tested and we're in good shape. Technology is great, but there's a consequence if you don't solve an actual business problem

Anne Bonaparte

So compliance has become the problem that you solve?
Bonaparte: In a lot of customers it has. We're shifting to the PCI problem specifically because all of these point-of-sale systems in stores have Windows on them now. We have experience working on that problem with ATM manufacturers. Those machines run Windows now, but all they really need to do is give you money. Our traditional customer has been the CIO or CSO who is concerned about security, change management and a lot of other things. And that's what our solutions do really well. Now we have a totally different guy as a customer who is all about speed and efficiency. The POS systems in these stores can not have delays or inefficiencies. Our systems are very fast because they're not checking signatures or going back and forth to a whitelist all the time. The store managers aren't that interested in the wow factor of the technology. They just want it to work.

Virtualization security: What risks do application virtualization products pose to enterprise security? Phrases that continue to be used to describe application virtualization are "isolation" or "bubble," but Michael Cobb examines the possible threats. Virtual network tool gives firm view into virtualized environment: Nielsen Mobile uses Altor Networks' security analyzer to gain insight into virtual network activity. Initial virtualization costs could outweigh benefits: It could be costly for companies to sort out the new governance, oversight and manageability issues being introduced by virtualized environments.

Retail is a tough segment to be focusing on right now.
Bonaparte: It is. People say, "You're going after retail? In this market? And you're making money?" And I say, "Sure." It may be that some of the retail segments are going away, but the ones that survive will have to be PCI compliant. And PCI is the fastest way to a dollar for us right now. And in business you always want to get as close as you can to the top line. The retailers are the ones who have been getting hit by the data breaches and they're the ones with a need for this. A lot of customers do it because they have to, but people shouldn't just be checking a box on things like PCI. Use the energy to do what's right. If you have a problem, it will affect your overall brand. In this environment, some people are being penny wise and pound foolish.

What other directions do you see for the company next year?
Bonaparte: One intriguing direction for us is the virtualized environment. It's growing very quickly right now, especially with people latching on to the cost benefits. Antivirus doesn't work well in that environment and we've been looking at it to see if our systems can be applied to virtualized environments. It turns out that they can, so we're working on some things there. We can help maintain the sanctity of that environment. There are a lot of concerns around how easily virtual machines can be turned on and what the security model is there. And those are legitimate concerns. I think that's an area that we can help with. And we're also thinking along the lines of something that will help instill a sense of trust in the POS systems for users. Something like what VeriSign was able to do with the checkmark for websites. We want users to think of it as something you can trust.

Your products aren't strictly security products, but do you think that we're starting to see a shift away from the old model of a new product for every new threat?
Bonaparte: I think we do have to shift the model, especially in some environments where things should be closed by default -- process control systems, for example, and manufacturing control systems. There's a cost benefit to it and these things need to be controlled in a different way than home computers or desktops and servers. We've had too many years of technology chasing a problem. The most important thing is security at the core, and controlling the IT infrastructure is key to that.

Tags: Virtualization Security Issues and Threats,  PCI Data Security Standard,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Virtualization Security Issues and Threats Cloud computing data security starts with internal strategy, experts say PCI virtualization SIG closer to proposing changes to standard Security challenges with cloud computing services Secure virtual desktop software enables remote client security Security threats to virtual environments less theoretical, more practical At VMworld 2009, companies focus on virtual desktops for security Security fundamentals remain focus of virtualization deployments How to implement virtual firewalls in a complex network infrastructure How to find virtual machines for greater virtualization compliance Quiz: Virtualization and compliance PCI Data Security Standard Chip and PIN adoption Chip and PIN adoption serves lesson for U.S. payment industry Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Heartland CIO on PCI, E3 project Wireless network guidelines for PCI DSS compliance Visa probes tokens, encryption for PCI card data protection Feds push cybersecurity jobs, PCI DSS changes ahead. Voltage, RSA spar over tokenization, data protection Experts, vendors search for PCI's holy grail

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary PCI DSS (Payment Card Industry Data Security Standard )  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary