Businesses need air traffic control-style security to protect their myriad systems in operation and meet regulatory demands, according to RSA Security president Art Coviello.
Speaking today at the RSA Conference in London, Coviello said the growing complexity of systems across physical, virtual and cloud infrastructures was presenting a real challenge to businesses, and they needed a single point where they could see security across their operations.
While the aviation industry uses air traffic control to reduce the danger across multiple aeroplanes, runways and airspaces, many IT departments have not yet managed to make their security match their own ever-changing technology setup, he said.
Coviello said he saw cloud as “an opportunity” to be embraced, but that businesses needed to take the right steps and ensure they had visibility across their hybrid environments.
RSA advocates a three-pronged approach to security, in order to achieve more secure, compliant and manageable IT infrastructures. There needs to be a controls enforcement layer, a controls management layer and a security management layer, it says.
The controls enforcement layer needs to be the point of security detection and enforcement across the infrastructure, RSA says. It advocates many controls being embedded directly into infrastructure such as operating systems and networks, providing ubiquitous coverage without needing hundreds of point tools.
The controls management layer should be where firms can provide and monitor security controls, the company says. Establishing this layer offered the opportunity to consolidate numerous security consoles.
Finally, the security management layer would be where policies are defined, governing the business and the IT infrastructure based on compliance requirements, best practice and risk tolerance. It would also be the layer where events and alerts from controls across the infrastructure come together and are correlated to assess compliance.
“The security industry does not have a system that integrates people, process and individual security controls that can be managed with the same kind of correlated, contextual and comprehensive view used by the aviation industry to guarantee the safety of our airways,” said Coviello.
He added: “We need a system that enables us to close the gaps of protection and apply controls in a more holistic, systemic manner, centralising management not just for some vendor controls, but for all.”