Q & A
Infosecurity Today, September/October 2006

Security technology fundamentally flawed, says ex White House CIO

Brian McKenna

Former White House CIO Carlos Solari recently joined Lucent Technologies. He has 25 years experience in American government and private industry positions, including 13 years as an officer in the US Army, and more than six years as a senior executive with the FBI.

From 2002 to 2005 he was the Chief Information Officer for the Executive Office of the US President. There he was responsible for the implementation of a complete computing modernization, with IT security a central part of the work.

He took time out on a recent trip to London to talk to Brian McKenna for Infosecurity Today.

You spoke at the recent Gartner IT security summit in Washington about trust based security, in the context of the convergence of IT, telecoms and digital media. What were you putting across at that event?

Essentially a critique of the current approach of bolting on security after the fact. This also entails not dealing with the security of highly complex networks. The idea is born from the notion that in order to really apply security to the systems we have today you need to build it in from the inside.

And how do you apply that without the use of a standard that you can use to be consistent across the industry? Trust based solutions have to be built on standards, such as the X.805 standard that Bell Labs and Lucent professional services advocate.

The point here is to ensure that any device in a network has been designed to a reference-able measure of security. You also have to have the ability to determine its state of health by some mechanism by which it can ‘check to its good mirror’.

If you do that in a comprehensive way, and pass the information on to a central management console, you can provide an ability to adjudicate whether a device has been modified from its authorized state.

All that sounds great, but, at least at a certain level of abstraction, it sounds like, say, a Cisco story on NAC (Network Admission Control).

It is similar to the NAC and Microsoft’s NAP. But those approaches are resident more at the configuration level, where somebody builds an image and deploys a device in conformance with that image. Our model goes down deeper – how do we know that the device, the OS and so on are built to some level of security if you don’t have standards?

Today there are just too many things to try to manage securely. The basic messages should be: build secure and stay secure through device attestation.

Are there lessons from your experience at the White House that you think are of more general applicability?

Well, that experience illustrated well the core problem. Despite applying the best security tools we could at the White House, I never really felt that we were actually in front of the problem, but were instead always chasing the problem. We were not constrained by budgets, but, you see, no amount of spending money on the current approach is really going to solve the problem. Fundamentally, we cannot say that we can defend networks today. And I felt that I had to go back out into private industry to figure out how to solve the problem in a more fundamental way.

There are three legs to it: we need to prevent, detect, and respond. We are dealing with the problem at the end points — the LAN or the devices. But we need to bring into play the ability to apply preventive measures inside the cloud.

At Bell Labs we are working on how to resolve DoS attacks in the cloud, for example. And there is some work being done in detecting the propagation of a worm in the cloud through traffic analysis. So you will see research emerging from our labs that tackles security in this more basic kind of way.

Lucent’s Carlos Solari: build security from the inside
