Mushegh Hakinian is Security Architect at Intralinks, a SaaS provider that lets customers share sensitive data with counter parties or vendors in or outside the enterprise firewall in a compliant and controlled way. Users upload proprietary information into Interlinks "information exchanges" for review, reading, printing and modifying in defined roles of reviewers, managers etc. Its customers come from highly regulated industries such as life sciences, law firms and capital markets who use the service to manage processes in loan syndication, M&A, due diligence, safety reporting and clinical trials. A member of the nonprofit Cloud Security Alliance (CSA), Intralinks serves more than 1 million professional users and 800 of the Fortune 1000.
How do you talk to customers about data security in the wake of all these high-profile breaches?
We tell them they should want to work with a company that grows specifically from a security mindset. As a lot of people are now finding, information security, especially software security and Web application security is a rather complex thing with a bunch of moving parts. Security is hard people to do as it is but even more difficult to introduce after you have your SaaS or other product configured and put into production. If you designed with security in mind, it helps you tremendously to introduce security features as the threat climate changes, but if you have to introduce later on or bolt on security measures, those things usually introduce a lot of friction and user inconvenience and are often unsuccessful. So we were lucky that was in our DNA but a lot of the pure Internet companies who depend on how many people they reach see that security kind of runs counter to that. It's possible but very difficult and costly to take those kinds of applications and elevate security on those.
Now people seem to be revisiting the security of their cloud partners, though the cloud movement itself seems irresistible.
Cloud service providers are part of the IT infrastructure of their customers and that's just a fact. But if I am a buyer looking for potential partners, I would first look at how easy it would be to extend my own security environment into that environment, how willing that vendor would be to provide me with information about their security controls, allow me to set up and configure my own controls. You want to remember that while the nature of applications used by consumers has changed for business and government, the threat environment is also changing. The gmail attack was targeting White House officials and that requires a different conversation than fighting off criminals or kids looking for bragging rights. Now a third party is suddenly going against nation states as an organized and resourceful adversary and that changes the equation.
Intralinks is a member and subject matter expert for the nonprofit Cloud Security Alliance that is organizing an industry response to cloud security. How can the association deliver success as a group?
The image of cloud computing is now very mainstream, if you have email it's probably outourced somewhere and email is such an important part of business, sometimes over 50 percent of your communication goes through it. What CSA and specifically the vendors can is to actually use the many wonderful standards and documentation sets CSA has already delivered. The cloud controls matrix is comprehensive and covers everything from compliance to security architecture. You'd be surprised by how much of that is implied but not implemented. There is a cloud metrics initiative that includes audits and assessments. I don't thing the security alliance is designed to be a security operation center to respond to attacks. Their initial statement is about promoting the best practices and educating.
Cloud security will still fall to the user after all, won't it?
Yes, but security specialization comes down to economics. There is no consumer culture that rewards the good players. It's very difficult for consumers to gauge which providers are doing great work on the security front and if you are spending more on security, it doesn't guarantee any specific return. When customers are more aware of those issues, they probably start paying more attention to specific security considerations, start rewarding the good citizens and that will promote more cloud security.
Can the vendors define themselves better on those terms?
You can say, 'I have a top-notch encryption implementation,' but what does that mean? Those things are very difficult to compare. Or, you can say, 'I am certified for this particular standard.' Those things always cost money, but it's not clear how you'd go to management to justify such an investment. In certain cases there is no excuse for doing specific things. The technology has evolved so much from 2004 - 2005, when it was pivotal for banks to require two-factor login. The technology has grown and prices have fallen to the point where there is no excuse to not have proper authentication mechanisms.
Is there a level of security or keywords people should be listening for?
People should not be talking about having secure passwords or sharing sessions. This has been solved as a utility function. Yet unfortunately a lot of extremely popular websites don't have those features available. Some are going in that direction and some not. Economics should play a part and people producing a robust service should be rewarded for that. I'm pretty sure it will happen, maybe just through publicity of things going right as well as wrong.
Should we expect a lot more embarrassing or costly security failures in the near term?
The threats will always be there, no question about it. Threats will always apply to cloud computing too. People will try to use you to do certain bad stuff. The applications and APIs can always be abused, and that will start with insiders. How it will pan out will depend on the business. I don't know how much of a business like a Sony is really affected by this publicity, they're not primarily in gaming as far as I know, so it's their business decision to make. What I see happening is there will be a security maturity level where people realize these threats are real, and the benefits to hackers are real, they will start to implement countermeasures.
What gives me hope is that a lot of those countermeasures are known, they have been there for years and some know how to use them and others will make the investment. A couple years ago everybody was saying we have the firewall, the encryption, intrusion prevention. If you dig a little deeper all that meant nothing because you put up those walls at the same time you were opening a port and let everybody come in. You need to be granular and pay attention to your specific adversaries. What events are showing is that even if you re a Web email provider, your adversary might be a nation state so you need a comparable standard.
With so many partners we are transferring our trust and putting our data in their hands.
They say there are trust boundaries, but trust no one is a very good policy to a guy like me. But other things are even more visible right now. Especially with mobile coming into wide play, computing is kind of back to dumb terminals. You have a tablet at one end and a server at another and and nobody knows what is connecting those two things together, public, private, a lot of places to screw up and business to be made in securing all of those details, channels and services. It will be exciting to watch the competition between the good guys and the bad guys. The bad guys have traditionally had the advantage because they don't have to play by the rules, but we have the means and we're going to get there.