DIDW: An Interview with Symantec’s Rob Clyde

Here are my rough notes from the first session; please expect the writing quality and grammar to be degraded. My comments / editorializing are in brackets prefaced with “SJC”.

Rob Clyde, VP of Technology, Office of the CTO
Phil Becker, Editor in Chief, Digital ID World

Phil: Identity in computing started with security
Rob: Looking at protection, what can we do to protect the information, interactions, etc. Attacks are now financially based. Identity theft is key.
Phil: Shift from locking things down to providing protection?
Rob: Yes, protection and confidence to allow folks to do what they want to do online
Rob: Lots of past business is focused on information and infrastructure, now focused on protecting the interaction
Phil: This also raises company’s confidence in what they are doing re: compliance / regulation perhaps?
Rob: Compliance is huge. Two pieces: 1. Comply with regs, 2. IT governance in general to provide competitive advantage. Sloan biz school found those with strong IT governance were 20% more profitable…
Phil: Why is that true?
Rob: Choosing projects carefully, linking IT carefully with the business
Phil: Complying with business vs. security outlook - lockdown is keeping people out, protection is opening things up to get what you need to get done.
Rob: Huge paradigm shift. NAC is a big shift. Cellphones are another. 15 yrs ago device choice was employer mandated, today, device is generally chosen by the employee / consumer. But still most of us need to use laptop defined by the employers. With policy frameworks, users can choose which devices they want at the laptop level provided they comply with policy [SJC, this sounds great but security is one of a dozen pieces around desktop operations, what about software licenses, support calls, etc., I'm not sure the endpoint platforms have the simplicity of a cellphone to make this viable. If desktops did just a couple things, this makes more sense. I'd like to see this in the future though.]
Phil: What about the dumb network vs. smart network debate?
Rob: Need to manage security via policy but trying to push support from the IT department to the end user itself…
Phil: What happens to categories in products themselves around security? NAC itself will reach across some of these boundaries.
Rob: One thing that will happen is a lot of interoperability. Lots of SIMs out there but big problem is IP address or process can be determined but that identity is much harder to determine. NAC + Endpoint compliance defines the “What” which is closely linked to the “Who.”
Phil: Any thoughts on the evolution of this? What comes first?
Rob: 802.1X will drive this with endpoint compliance, NAC, and 802.1X. Slow uptake on 802.1X. Non-.1X is more prevalent today.
Phil: Could they unite at the identity store and management level first and then move down the stack?
Rob: No single identity store will happen, lots of stores long term but the exchange of information will be key.
Phil: Looking out at the world re: 802.1X, do you see the other protocols there to do the interconnection that is desired?
Rob: Lots of good ideas, many fairly immature. Most of work is around identity information exchange and SSO. Problem is how do you establish the identity in the first place? Broker-based identity? How can the end-user trust the server? Those are the tough problems.
Rob: Easier for enterprises since they have to show up to get a badge and that could be leveraged moving forward. In B2C, this is harder. Many have stopped giving out information online. People concerned about websites stealing identities.
Phil: Is this where we need 3rd party broker?
Rob: Yes, we’re there on the money risk, but not the identity theft risk.
Phil: Security evolution requires identity management. Links between event detection and identity itself. How does this come together?
Rob: This has to come together. Security of exclusion has accounted for most of the revenue so far. Security of inclusion is the wave of the future. Need more collaboration, etc.
Phil: What is the wavefront of where the money is going which allows us to see this?
Rob: The nature of the threat is now more financially motivated. Companies are concerned about the insider threat. IT governance and regulation. These things cause this convergence.
Phil: Purpose of the network is to remove the concept of location as being significant. Network security has been about building perimeters which undermines the overall goals of the network.
Rob: Mindset that wants to go that way, but lots of mandated security, etc. People would like to see a different way. Perhaps making your internal network the Internet essentially using secure applications. Jericho is looking at this. 25% of help desk time is spent resetting passwords. Lots of additional problems, perhaps we need less IT over time for desktop support.
Phil: How can customers prepare?
Rob: How can I manage the network by policy rather than by specific configurations and mandated software. Look for apps that are more web based which protects things. This allows a smaller perimeter.
Phil: So people in the office are outside the perimeter just like remote workers?
Rob: Sure, just like a VPN connection. [SJC - The peer-to-peer issues here are huge. Hub and spoke networks sacrifice an awful lot of functionality and availability]
