In The Boardroom With...

Mr. Jeff Bardin, CISSP, CISM, NSA IAM
Director, Risk Management
EMC
www.EMC.com
NYSE: EMC


SecurityStockWatch.com: Thank you for joining us today, Jeff. Please give us an overview of your background and your role at EMC.

Jeff Bardin: My current role is Director, Risk Management in the Global Security Organization at EMC, where I have responsibility for business resiliency, security awareness, policy, risk management, security testing, threat and vulnerability management, identity and access assurance, and more. Since joining EMC last fall, I have been charged with honing business risk management and ensuring the durability of EMC’s operations during times of outage or potential disaster; refining the ability to minimize business risk; and maximizing the return on investment while driving business opportunities and competitive advantage.

Prior to EMC, I was the Chief Information Security Officer for Investor’s Bank & Trust, a financial services firm acquired by State Street Bank. Prior to that, I was the Chief Security Officer for Hanover Insurance, a property and casualty insurance firm. I was fortunate to be awarded the 2007 RSA Conference award for Excellence in the Field of Security Practices and the information security group at Hanover won the 2007 SC Magazine Award for Best Security Team.

SecurityStockWatch.com: We understand you’ll be speaking at the upcoming Hacker Halted – 2008 Conference. May we have an overview of the topics you’ll be addressing?

Jeff Bardin: It is a bit of a different topic but emanates from my background. I’ll be addressing fringe extremist activities within cyberspace, and in particular their use of Western encryption schemes, our educational institutions and our social networking sites, as well as their development of several security-related tools used to hack, to perform distributed denial of service attacks and to secure their communications. There are some very interesting and disturbing activities underway in cyberspace that create at-risk situations for U.S. citizens. There are extremist efforts in cyberspace to bring down anti-Islamic websites, steal credit card information, organize online communities, and distribute extremist material using various computer-based methods. The actual title of the keynote is ‘Cyber Jihad: The Virtual Hand of Terrorism?’

I’ll take a look at to what extent fringe extremist groups use the Internet as a weapon, a resource, and/or a target; where the skills are being acquired for this activity; and how our infrastructure continues to be used as a weapon against us.

SecurityStockWatch.com: Please give us an overview of EMC’s information risk management strategy and your information-centric security solutions.

Jeff Bardin: As an EMC executive focused on information risk management, I work very closely with my colleagues from RSA, The Security Division of EMC. As you might know, in September 2006, after over 20 years of providing leadership to the security industry, RSA Security was acquired by EMC. Driving this merger was the recognition that customer needs had changed, and that traditional approaches to information security were no longer sufficient. Increasingly, what should be the most important company asset—information—was in danger of becoming its greatest liability.

RSA is leading the information security industry’s current transformation which is being fueled by the need for security to be firmly aligned with business strategy, with the result that organizations are increasingly looking at security in the context of risk. By helping our customers to understand and address the risk that their high-value information is exposed to throughout its lifecycle, security can become a true enabler of innovation and critical business initiatives can be undertaken with confidence. The bottom line is that the battlefront in security has already changed from securing the perimeter to protecting the information itself, and EMC and its RSA division are in a great position to make that happen.

Let me clarify information risk management in a little more detail. Managing risk is a process. First you need to discover and classify the information, people, and IT infrastructure that underpin key business initiatives and business processes. Next, define policy to describe how sensitive information should be protected, and after that, apply appropriate technology controls to enforce policy and mitigate the most significant risks. Finally, audit the environment to help ensure compliance with internal policy and external regulations.

RSA provides information-centric security solutions in the areas of Identity Assurance, Data Security & Security Information and Event Management, and here’s a breakdown of the solutions that we provide to customers:

Identity Assurance – Identity assurance is a methodology and set of capabilities that minimize the business risk associated with identity impersonation and inappropriate account use, thereby enabling enterprises to allow trusted identities to freely and securely interact with systems and access information. Identity Assurance supports the information risk management process by helping define and enforce policy around users and access and by providing the essential technology controls to mitigate risks related to unauthorized access. In this area, we provide four key areas of technology:

  • Authentication – This includes the ubiquitous RSA SecurID two-factor authentication system as well as our Adaptive Authentication technologies that assure identities to a system, resource, information or a transaction based on risk.
  • Fraud Prevention – The RSA Consumer Protection Suite offers protection against identity theft and other external threats targeting customers - regardless of the channel they choose to conduct their business.
  • Access Control – This technology manages large numbers of users while enforcing a centralized security policy that ensures compliance and protects enterprise resources from unauthorized access.
  • Credential Management – Credential management solutions provide lifecycle management and policy administration for credentials used in the identity verification and assurance process.

Data Security – Data security is an important technology area for protecting critical information. Our RSA Data Loss Prevention Suite discovers, monitors and protects sensitive data from loss or misuse whether in a datacenter, on the network, or out at the endpoints. Our RSA Encryption Suite provides persistent security for information that requires encryption controls and can secure any level in the IT stack: storage, database and file server, application, end-point, and network layers.

We also offer EMC Documentum Information Rights Management Services that control, secure and track sensitive information wherever it resides to enhance document security. Finally, many people know RSA as a pioneer in encryption based on the RSA algorithm and RSA BSAFE technology which was designed for application and device developers and which has been an industry staple for over 20 years.

While I am on the subject, let me tell you about how we have been integrating encryption key management technology from RSA directly into the broader information infrastructure. Our customers want built-in security – not bolted-on security – and we are delivering that to them. For example, EMC PowerPath Encryption with RSA protects information at rest from unauthorized access or the unauthorized removal of a disk drive or array from a secured environment. We recently announced EMC Connectrix MDS Storage Media Encryption (SME) with RSA which is a SAN-based solution for encryption to tape or virtual tape. And we have major partnerships with Cisco and Brocade for similar technology.

This is just an example of how we’re integrating security into the information infrastructure. RSA’s authentication, access control, and security information & event management technologies have also been integrated into various products from other parts of the EMC business.

Security Information and Event Management – Here at EMC, our customers are telling us that the need to swiftly and effectively act on security challenges and address compliance regulations has never been greater, yet expanding enterprise networks and data traffic have been producing an exponentially increasing log file volume. The RSA enVision Platform is our “SIEM” solution that enables organizations to transform raw log data into critical information to support compliance, security, IT and network challenges.

SecurityStockWatch.com: What are your target markets and what is your perspective on the market drivers for RSA solutions at this time?

Jeff Bardin: Our target markets include those that have the most sensitive information to protect and the most to risk as a result. Our largest markets include financial services, healthcare, technology, retail and government. Here in the U.S., more than 90% of Fortune 500 companies use technology from RSA, so we have customers in all major verticals.

EMC’s customers want to work with fewer vendors with broader security offerings that can provide a holistic approach to information security. Security budget justifications are trending towards risk factors throughout the information infrastructure. We’re seeing a dramatic increase in spending to prevent data breaches and protect credit card data and personally-identifiable information. Key management and data loss prevention technologies have been particularly popular in this respect.

It’s also important here to note that both consumers and businesses still face an increasingly-sophisticated crimeware ecosystem which specifically targets vulnerable groups, including employees of financial institutions and executives. This crimeware ecosystem is complex, methodical, and professional, focusing on social engineering, vulnerable applications such as enrolling new customers, and vulnerable channels such as telephone banking. Just like businesses, cyber criminals have a “go-to-market” strategy that starts with attacking the largest major markets first (like the United States). Now, to give a couple of examples, we are seeing increasing online fraud in Japan and a dramatic increase in malicious online activity based in the city of St. Petersburg.

SecurityStockWatch.com: Are there one or two “wins” or success stories in the enterprise or government verticals you’d like to talk about?

Jeff Bardin: Starting in the area of consumer identity protection, we are protecting over 120 million online accounts worldwide. Well-known customers to your readers include Bank of America, Wachovia, Washington Mutual, E*TRADE Financial, Wells Fargo and ING Direct.

One specific enterprise win that comes to mind is Accor North America, the major hotel operator. RSA Key Manager has been critical to Accor North America’s ability to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS), and rapidly implement a progressive data protection strategy. Accor North America operates six hotel brands, and they share the booking of reservations between the properties and the central infrastructure. There are several different networks and applications that share credit card information on a daily basis. Accor wanted the ability to encrypt transaction information at each hotel, and also encrypt transactions as they were processed at the call center or via the web.

The US Social Security Administration is a major win in the government space, and they have purchased 100,000 user licenses for RSA Card Manager. (RSA Card Manager software is designed to manage the entire credential lifecycle and serves as the central hub for integration with other critical components of a smart card-based identity and access management strategy.) The Social Security Administration had to comply with the Homeland Security Presidential Directive 12 (HSPD-12) mandate by the end of October 2006 and selected RSA Card Manager to provide smart card management for its employee identification system, including the issuance of PIV cards for all employees, and management of the lifecycle of the digital certificates stored on the cards and the cards themselves. There were essentially two series of requirements that needed to be met. One covered the system itself, with components that include identity proofing, registration, credential issuance and management. The other included the specific security requirements for the card as well as interoperability with other government agencies. RSA was one of the first companies in the HSPD-12 space to be certified by the GSA and to be put on the Approved Vendors List.

SecurityStockWatch.com: Thanks again for joining us today, Jeff. Are there any other subjects you’d like to discuss?

Jeff Bardin: Sure, I would like to talk briefly about innovation. We are seeing a deeper and more expansive commitment to business innovation and the executives who we serve believe they must innovate to compete – and they realize information security has a critical role to play. True business innovation requires risk, but heightened security threats and requirements seem to place the goals of information security and business innovation in direct conflict. We believe the time is right for a new way of thinking about security. Given the current and future challenges confronting today's enterprises, information security must be a full partner at the innovation table. To this end, we are working with some of the top security leaders in the world to spark an industry conversation that will bring this vision closer to reality. We’re emphasizing the importance of getting ahead of the business, of understanding where the business needs to go – and figuring out what the business inhibitors are from a security perspective.