The Boardroom With...
Mr. Jeff Bardin, CISSP, CISM, NSA IAM
Director, Risk Management

SecurityStockWatch.com: Thank you for joining us today, Jeff. Please give us an overview of your background and your role at EMC.

Jeff Bardin: My current role is Director, Risk Management in the Global Security Organization at EMC, where I have responsibility for business resiliency, security awareness, policy, risk management, security testing, threat and vulnerability management, identity and access assurance, and more. Since joining EMC last fall, I have been charged with honing business risk management and ensuring the durability of EMC’s operations during times of outage or potential disaster; refining the ability to minimize business risk; and maximizing the return on investment while driving business opportunities and competitive advantage.

Prior to EMC, I was the Chief Information Security Officer for Investor’s Bank & Trust, a financial services firm acquired by State Street Bank. Prior to that, I was the Chief Security Officer for Hanover Insurance, a property and casualty insurance firm. I was fortunate to be awarded the 2007 RSA Conference award for Excellence in the Field of Security Practices, and the information security group at Hanover won the 2007 SC Magazine Award for Best Security Team.

SecurityStockWatch.com: We understand you’ll be speaking at the upcoming Hacker Halted – 2008 Conference. May we have an overview of the topics you’ll be addressing?

Jeff Bardin: It is a bit of a different topic but emanates from my background. I’ll be addressing fringe extremist activities within cyberspace, and in particular their use of Western encryption schemes, our educational institutions and our social networking sites, as well as their development of several security-related tools used to hack, to perform distributed denial of service attacks and to secure their communications. There are some very interesting and disturbing activities underway in cyberspace that create at-risk situations for U.S. citizens. There are extremist efforts in cyberspace to bring down anti-Islamic websites, steal credit card information, organize online communities, and distribute extremist material using various computer-based methods. The actual title of the keynote is ‘Cyber Jihad: The Virtual Hand of Terrorism?’

I’ll look at the extent to which fringe extremist groups use the Internet as a weapon, a resource, and/or a target; where the skills are being acquired for this activity; and how our infrastructure continues to be used as a weapon against us.

SecurityStockWatch.com: Please give us an overview of EMC’s information risk management strategy and your information-centric

Jeff Bardin: As an EMC executive focused on information risk management, I work very closely with my colleagues from RSA, The Security Division of EMC. As you might know, in September 2006, after over 20 years of providing leadership to the security industry, RSA Security was acquired by EMC. Driving this merger was the recognition that customer needs had changed, and that traditional approaches to information security were no longer sufficient. Increasingly, what should be the most important company asset—information—was in danger of becoming its greatest liability.

RSA is leading the information security industry’s current transformation, which is being fueled by the need for security to be firmly aligned with business strategy, with the result that organizations are increasingly looking at security in the context of risk. By helping our customers to understand and address the risk that their high-value information is exposed to throughout its lifecycle, security can become a true enabler of innovation and critical business initiatives can be undertaken with confidence. The bottom line is that the battlefront in security has already changed from securing the perimeter to protecting the information itself, and EMC and its RSA division are in a great position to make that happen.

Let me clarify information risk management in a little more detail. Managing risk is a process. First you need to discover and classify the information, people, and IT infrastructure that underpin key business initiatives and business processes. Next, define policy to describe how sensitive information should be protected, and after that, apply appropriate technology controls to enforce policy and mitigate the most significant risks. Finally, audit the environment to help ensure compliance with internal policy and external

RSA provides information-centric security solutions in the areas of Identity Assurance, Data Security & Security Information and Event Management, and here’s a breakdown of the solutions that we provide to customers:

Identity Assurance – Identity assurance is a methodology and set of capabilities that minimize the business risk associated with identity impersonation and inappropriate account use, thereby enabling enterprises to allow trusted identities to freely and securely interact with systems and access information. Identity Assurance supports the information risk management process by helping define and enforce policy around users and access and by providing the essential technology controls to mitigate risks related to unauthorized access. In this area, we provide four key areas of technology:
- Authentication – This includes the ubiquitous RSA SecurID two-factor authentication system as well as our Adaptive Authentication technologies that assure identities to a system, resource, information or a transaction based on risk.
- Fraud Prevention – The RSA Consumer Protection Suite offers protection against identity theft and other external threats targeting customers – regardless of the channel they choose to conduct their business.
- Access Control – This technology manages large numbers of users while enforcing a centralized security policy that ensures compliance and protects enterprise resources from unauthorized
- Credential Management – Credential management solutions provide lifecycle management and policy administration for credentials used in the identity verification and assurance process.

Data Security – Data security is an important technology area for protecting critical information. Our RSA Data Loss Prevention Suite discovers, monitors and protects sensitive data from loss or misuse whether in a datacenter, on the network, or out at the endpoints. Our RSA Encryption Suite provides persistent security for information that requires encryption controls and can secure any level in the IT stack: storage, database and file server, application, end-point, and

We also offer EMC Documentum Information Rights Management Services that control, secure and track sensitive information wherever it resides to enhance document security. Finally, many people know RSA as a pioneer in encryption based on the RSA algorithm and RSA BSAFE technology, which was designed for application and device developers and which has been an industry staple for over 20 years.

While I am on the subject, let me tell you about how we have been integrating encryption key management technology from RSA directly into the broader information infrastructure. Our customers want built-in security – not bolted-on security – and we are delivering that to them. For example, EMC PowerPath Encryption with RSA protects information at rest from unauthorized access or the unauthorized removal of a disk drive or array from a secured environment. We recently announced EMC Connectrix MDS Storage Media Encryption (SME) with RSA, which is a SAN-based solution for encryption to tape or virtual tape. And we have major partnerships with Cisco and Brocade for similar technology.

This is just an example of how we’re integrating security into the information infrastructure. RSA’s authentication, access control, and security information & event management technologies have also been integrated into various products from other parts of the EMC business.

Security Information and Event Management – Here at EMC, our customers are telling us that the need to swiftly and effectively act on security challenges and address compliance regulations has never been greater, yet expanding enterprise networks and data traffic have been producing an exponentially increasing log file volume. The RSA enVision Platform is our “SIEM” solution that enables organizations to transform raw log data into critical information to support compliance, security, IT and network challenges.

SecurityStockWatch.com: What are your target markets and what is your perspective on the market drivers for RSA solutions at

Jeff Bardin: Our target markets include those that have the most sensitive information to protect and the most to risk as a result. Our largest markets include financial services, healthcare, technology, retail and government. Here in the U.S., more than 90% of Fortune 500 companies use technology from RSA, so we have customers in all major verticals.

EMC’s customers want to work with fewer vendors with broader security offerings that can provide a holistic approach to information security. Security budget justifications are trending towards risk factors throughout the information infrastructure. We’re seeing a dramatic increase in spending to prevent data breaches and protect credit card data and personally identifiable information. Key management and data loss prevention technologies have been particularly popular in this respect.

It’s also important here to note that both consumers and businesses still face an increasingly sophisticated crimeware ecosystem which specifically targets vulnerable groups, including employees of financial institutions and executives. This crimeware ecosystem is complex, methodical, and professional, focusing on social engineering, vulnerable applications such as enrolling new customers, and vulnerable channels such as telephone banking. Just like businesses, cyber criminals have a “go-to-market” strategy that starts with attacking the largest major markets first (like the United States). Now, to give a couple of examples, we are seeing increasing online fraud in Japan and a dramatic increase in malicious online activity based in the city of St. Petersburg.

SecurityStockWatch.com: Are there one or two “wins” or success stories in the enterprise or government verticals you’d like to talk about?

Jeff Bardin: Starting in the area of consumer identity protection, we are protecting over 120 million online accounts worldwide. Customers well known to your readers include Bank of America, Wachovia, Washington Mutual, E*TRADE Financial, Wells Fargo and ING Direct.

One specific enterprise win that comes to mind is Accor North America, the major hotel operator. RSA Key Manager has been critical to Accor North America’s ability to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS), and rapidly implement a progressive data protection strategy. Accor North America operates six hotel brands, and they share the booking of reservations between the properties and the central infrastructure. There are several different networks and applications that share credit card information on a daily basis. Accor wanted the ability to encrypt transaction information at each hotel, and also encrypt transactions as they were processed at the call center or via the web.

The US Social Security Administration is a major win in the government space, and they have purchased 100,000 user licenses for RSA Card Manager. (RSA Card Manager software is designed to manage the entire credential lifecycle and serves as the central hub for integration with other critical components of a smart card-based identity and access management strategy.) The Social Security Administration had to comply with the Homeland Security Presidential Directive 12 (HSPD-12) mandate by the end of October 2006 and selected RSA Card Manager to provide smart card management for its employee identification system, including the issuance of PIV cards for all employees, and management of the lifecycle of the digital certificates stored on the cards and the cards themselves. There were essentially two series of requirements that needed to be met: one was in the system itself, with components that include identity proofing, registration, credential issuance and management; the other included the specific security requirements for the card as well as interoperability with other government agencies. RSA was one of the first companies in the HSPD-12 space to be certified by the GSA and to be put on the Approved Vendors List.

SecurityStockWatch.com: Thanks again for joining us today, Jeff. Are there any other subjects you’d like to discuss?

Jeff Bardin: Sure, I would like to talk briefly about innovation. We are seeing a deeper and more expansive commitment to business innovation, and the executives whom we serve believe they must innovate to compete – and they realize information security has a critical role to play. True business innovation requires risk, but heightened security threats and requirements seem to place the goals of information security and business innovation in direct conflict. We believe the time is right for a new way of thinking about security. Given the current and future challenges confronting today’s enterprises, information security must be a full partner at the innovation table. To this end, we are working with some of the top security leaders in the world to spark an industry conversation that will bring this vision closer to reality. We’re emphasizing the importance of getting ahead of the business, of understanding where the business needs to go – and figuring out what the business inhibitors are from a security perspective.