Computer Security: How to Meet the Complexity Challenge

Carlos Solari is the vice president of security solutions at Alcatel-Lucent/Bell Labs, and the former chief information officer for the Executive Office at the White House. He has more than 25 years’ experience in government and private industry, and has amassed a wide breadth of experience in computer security, law enforcement, public safety and defense.

He spoke recently with Baseline’s John McCormick. This is an edited version of their conversation.

Obviously you’ve been around for quite some time, and seen the world from some interesting vistas. From your perspective, what do you see as the biggest challenge out there right now for computer security professionals?
Well, I’m not sure that there is one thing, but let me say that there may be some things that certainly rise up. At the top of my list is the fact that the separate infrastructures for telephony, for data and for video are coming together. In the industry, we call that convergence. It’s coming together around the Internet Protocol as the underlying means with which to communicate.

The services are going to blend. The TV will behave like a phone and an access point to the Internet. And the same with the phone; it will behave like an access point to the Internet for Web browsing and also, potentially, to stream in video.

We’ll be moving everything so that it can be packet-based. And that means a tremendous benefit—new services like location-based services.

We also are very mindful of the security issues and the threats that can manifest themselves with this blending of these infrastructures.

We’re already seeing a lot of convergence.
Yeah. It’s happening around the world. And we’re starting to see how those threats that have existed in the data side of the world with IP have started to manifest themselves in voice and video.

With convergence, everything becomes vulnerable.
Everything becomes vulnerable, but more important, not only do they become vulnerable by the sheer openness of IP but also by the complexity of making these things work together. Today we have a hybrid kind of connectivity with IP and legacy systems that is going to be there for many years.

Secondly, as we know in the IP data side of the house, the reach of the threat is global and the folks who conduct cyber-attacks can reach from around the world.

As soon as you go IP, and as soon as you start to allow these services to come into play, [there is] the potential for these threats to not only take advantage of that complexity, but also to reach across these infrastructures.

As we’ve seen with some of these organized cybercrime groups based in Eastern Europe.
Exactly. The point is that we’re going to see more of that happen where we haven’t seen it before—in telephony, for example.

There’s even a whole new vocabulary for this, isn’t there?
We are starting to see the new acronyms or the new words that are being coined that describe it. There’s the term Spit, for instance, for spam over Internet telephony.

What else are you concerned about from a security standpoint?
There is also the fact that in the past, there was a separation between the enterprise network carriers and the service provider carriers. But in the future a lot of that will be blended, as service providers, for example, get into the business of managed security services. Businesses are going to connect to businesses through networks that are provided by a service provider that allows these services to be enabled and to take place.

We’re connecting people in different businesses who share applications to conduct transactions together. That requires a level of trust between the two enterprises. That means we need to have a method by which we can attest to that state of security of the partners. This is where the standards and the certifications are important.

You’ve talked in the past about trust-based computing, where access to a network is granted only after there has been a validation process and an exchange of credentials.
It comes back to that. Here we’re speaking to the trust that needs to be established at the entity level—companies that need to share information with each other, citizens dealing with the government, and government agencies dealing with each other, as well as consumers dealing with business.

So, as entities exchange information, they can exchange it in a way that their separate networks stay protected. The data that is being shared is used in a manner that is agreed upon, and is in conformance with how it is expected to be used—and not compromised or abused.

From a practical standpoint, what should CIOs and CSOs be doing now?
This is no new revelation, but certainly, thinking that you can just protect your network at the perimeter—those days are long gone. We know that data has to be available to the workforce where that workforce actually does its work, which is increasingly mobile and ubiquitous.

The job has become tougher. You really need to think more about what framework or what approach to take to ensure that you’re dealing with the issues in a consistent and a prioritized way. You can’t deal with everything at the same time—nobody has those kinds of resources.

One piece of advice is to organize around a good security framework. That can be a challenge because, as I mentioned earlier, infrastructures are changing.

The second thing I would say is to recognize that the world of the past—where you had a physical security guy, a personnel security guy and a fiber or I.T. security guy—is going away. These worlds are blending quickly, or they need to. And increasingly we need to figure out how to deal with [them] from an overall risk perspective. And the technologies that are blending these things together require that you understand all the elements of physical, logical security.

With everything changing so quickly, how do CIOs and CSOs keep up? How do you keep up with the technologies, the threats, the various risk management approaches?
That’s a really good question because a lot of my background was primarily in the enterprise world, and I thought I understood the issues of security on that side of the house pretty well. Then I get exposed to this telecom industry in a very detailed way, and I find out that I’ve been missing a whole lot.

So, you have got to stay plugged in. You need to tap into resources where you get information online. You need to read the trade journals, the periodicals, those kinds of things.

But you also have to go beyond that if you are going to be in the world that I work in. You’ve got to tap into the companies and academia—the researchers—who are working on the tougher problems. And to be able to gain insight into that world, you really need to make contact on a personal level to get to know the leaders in those areas to know how they’re approaching what they see as tough problems, and to be able to start recognizing where technology is going in the security field.

When you talk about technology, I’m reminded of something you said in a past interview—that while you have to make sure that you have security technology in place, you can’t be too dependent on technology.
Technologies don’t work in a vacuum; they work with people. A simple example is intrusion detection. It generates a lot of information that humans, in the end, have to try to sift through to determine what is relevant, what they ought to be concerned with. We can’t think of technologies as silver bullets.

Do you think we will ever get to the point where we really have information resources locked down?
Well, I think to some extent there’s a certain amount of embedded awareness that is coming forward from everybody. Microsoft has taken a serious approach now to how they deal with the issues of security. We’re starting to see security embedded more into everything from the operating system to the applications. So, to some extent we’re going to see some relief there.

But I think that the complexity that we’re going to go through with hybrid connectivity—between legacy and new IP infrastructure—is going to keep us, at least for the foreseeable future, in a lot of turmoil. The change will keep us busy in terms of security.

I think that the new innovations [that are] coming forward are going to really challenge the definition of privacy. The new interconnections—between business-to-business and all of the different associations that can be made—are going to continue to challenge the question of how you protect content.

There aren’t always simple, easy answers because there are so many different scenarios that can be applied, depending on the association. Some of these associations are quite temporal.

And so, I think we’ve got enough to keep us busy. The maturity of how we think about security in terms of processes and how we deal with it from a technology perspective is going to continue to challenge us.