When Trend Micro Inc. (OTC:TMICY) acquired Canadian intrusion prevention systems vendor Third Brigade nearly a year ago, the Tokyo security vendor kept 50 employees from Third Brigade’s Ottawa headquarters.
Among those who stayed on were Wael Mohamed, then chief executive officer of Third Brigade and now Trend Micro’s vice-president of server security.
He recently briefed Network World Canada on how his company addresses security concerns on virtual servers and in cloud computing environments.
On the integration of Third Brigade into Trend Micro
Third Brigade's Ottawa office became Trend Micro’s Canadian headquarters. We have been under the Trend umbrella for almost a year and our first product under the Trend brand was launched, Deep Security 7, in November of 2009. We are seeing a lot of traction in areas like virtualization security. Because of Third Brigade’s success with the federal government we’re putting more emphasis on government and that’s starting to pay off nicely for us. We’re trying to use Canada as a learning ground for a lot of things. We came from a telecom background, so virtualization has been in telecom for a long long time. We have a very strong relationship with VMware Inc. (NYSE: VMW), who also have a very strong investment here in Canada.”
On Trend Micro’s government business
“Every government is looking to save money, to be able to maximize infrastructure and move to green IT. As data centres modernize they need to buy new hardware they’re looking for the best way to use that hardware and virtualization allows you to do that. To stick mission-critical machines beside non mission-critical machines, you need to have strong security controls. We believe we allow them to accelerate their virtualization plans without worrying about breaking their existing security posture.”
On cloud security
“Nobody can actually disagree that using cloud computing is the right thing. You can provision severs in matter of minutes instead of months, with dollars instead of thousands of dollars. But it produces two major issues. One is responsibility and control. Who owns what, who's responsible for what, when it comes to data, when it comes to breaches, when it comes to ensuring compliance? Security is a major concern. That doesn't mean they’re not going to go to the cloud because it's the most cost effective thing, it’s the most flexible thing. What we’ve done is said, ‘look, the model of protecting data from the outside in, where you need to have a very strong perimeter, no longer is sustainable. It must be protection from the inside out.’ It doesn’t matter where the data sits, whether it’s in a public cloud or a private cloud. So our model is all about allowing the host to be able to protect itself whether it's sitting in somebody else's grid or sitting in your own network.
We have to look at security not as closing ourselves inside the box, but ensuring that the data itself has the ability to be free, mobilized, and we have maximum security and visibility of that data. It’s not the machine anymore.”
On security products and the role of the users
“Most of the problems with security are social engineering attacks where someone tries to make a user make a mistake but it’s more than that. There are safety nets that need to be put in place. Security for the longest time was insurance, but at the end of the day, organizations have an obligation to ensure they have a proper safety net. So if somebody made a mistake and clicked on the wrong link or allowed program to that was trying to call up somewhere, and try to transfer data back and forth. Organizations need to have visibility. They need to know if there is something malicious or abnormal happening so they can deal with it. That’s why defence in depth is the only way organizations can protect their employees and their data. The most important thing is having visibility when something happens that shouldn’t. At Trend Micro, we have very strong tools that we can bring to your toolbox. But the government probably has higher needs than banking, than hospitals. The most important thing is that security should not be slowing business,
If you want to do banking in Russia you should be able to do that safely. If you want to move to virtualization because that allows you to maximize your hardware, you should be able to do that safely.
If you want to accept credit card data and store it and but that is required to comply with PCI (Payment Card Industry Data Security Standard) you should be able to do that cost effectively and the only one that can help those customers is the security vendor that will be able to fit to their needs without slowing their business down. The most secure system is the one not connected to the Internet but it's useless.”
On security problems in government
In any governments in the world there is a lot of duplication in infrastructure, there are a lot of people doing the same thing. It becomes very costly. As any government is looking for ways to save money you want shared services, shared infrastructure. Virtualization allows you to do that but there are a lot of inhibitors. It could be control, visibility, compliance and some political reasons. Governments need to be able to share certain infrastructures network, storage, machines for processing power. Picture Agency A, that has mission critical applications, that it’s not resource intensive and sitting on its own dedicated machine. Another Agency, B, a non-mission-critical application, but it’s very high intensity when it comes to processing power. The cost is high. If you combine them together, you get a perfect match. You get two machines sitting beside each other but not even utilizing one common infrastructure. What is the fear about security? If you envision a wrapper around this application that can provide the security it needs, whether it’s actually sitting beside another application that has a different wrapper or not, and both of them are sharing the same hardware, the same resources, you would be able to save a lot of money. Unfortunately, because of security, because of the traditional way we do business, we are not maximizing this new phenomenon of sharing resources. But that’s the only way we will be able to provide services cost effectively.
On future versions of Deep Security
We have a major release once a year. We always have a major release in the fourth quarter and a minor release in the third quarter. Deep Security version 7.5 is coming out soon. In deep security 6 there was a strong emphasis on compliance. It allowed us to provide all the right controls for compliance. Some of the largest banks in the world are using it for compliance purposes. Deep Security 7 version 7 had a very very strong emphasis on virtualization. The world will collide. Virtualization will let you do a lot of things but you need to prove that compliance and integrity is still maintained when you move from a physical world to a virutal world. In deep security 8 we will move to the next big thing which will be maintaining compliance in other environments such as the cloud, where the machine could be sitting somewhere else, but you still have the ability to maintain compliance. As an example, in a PCI world, a compliance auditor has to come in and see that you are still compliant (with the Payment Card Industry Data Security Standard). Say you decide to put your payment system on Amazon because it’s cheaper. Then the auditor comes in. What is the auditor going to do? Go to Amazon and try to audit your machine? They won't allow him in. It’s a shared infrastructure. So how can the auditor give you your certification on a machine that they cannot even access and prove that it’s still in compliance? Those are difficult problems that we are working with our customers to resolve.
