Security technology isn't new for CA, but this year at its 12th CA World user conference in Las Vegas the company identified security as one of three focal areas (the others are governance and management). Denise Dubie sat down with Bilhar Mann, senior vice president and general manager of CA security management, to learn more.
How do you see security fitting into CA's strategy to provide tools to govern, manage and secure IT for its customers?
If you look at the way we are talking about our Enterprise IT Management (EITM) strategy at the moment, we talk about this thing called the Unified Service Model, which includes all the relationships. I use the analogy with a house and a blueprint that everybody looks at, the electrician and plumbers and so on. Everybody looks at that blueprint to understand all the relationships between all the entities. Security now needs to leverage that same blueprint. It's not that security has not leveraged the blueprint before, but if you want to be able to connect security to the business and everything else connected to the business, then security needs to leverage the blueprint.
Could you give me an example of how this Unified Service Model would work in practice?
Let's take identity and access management, which is all about making sure you are secure in access on the Web with a product like SiteMinder and a product called Access Control for hosts and operating systems. If you look at an audit report, it tells you that this system administrator has access to a particular Unix box. That is a certain amount of information on which you can make only a certain amount of intelligent decisions. It doesn't really tell you the importance of that Unix system. If you take it up one more level and take that audit information and correlate it to the information that is held in the service model, now you will learn that that particular machine is part of your trading application.
How does that differ from the integration among CA products announced at the last CA World in 2005?
Now the level of information you have got about this particular event has been elevated from the infrastructure level, or the server, to a level that you actually understand within your business -- which is somebody is doing something they should not be doing within my mortgage application. These products will be leveraging that service model going forward to provide the business context. We will go into that dictionary and see how a security event relates to other things. There is a lot of information sharing that you are going to see -- specifically, with our security products -- that allows us to deliver on our EITM strategy. Where we are headed with this service model will give us the ability for an organization to become much more agile.
How does this deeper level of integration enable agility for businesses?
None of us know what is going to happen in 10 years' time in terms of new technology. Companies need to become much more agile in terms of how quickly can we set up a base in China, for instance. They need to be able to duplicate the outfit they have somewhere else. If they haven't been able to work out the relationships among all these components, how are they going to be able to react to that change? They won't be able to because they will have to rebuild everything. If the company gets itself lined up, it will be ready for such changes.
Companies are adding more layers of security, and at the same time, CA is talking about simplifying the management of IT. How do you balance this layered approach to security with simplicity in management?
Security has to have a layered approach, tiers of security. You are going to have antivirus, access controls on the application and then add more tools to harden access to the application. We're tackling the simplification this way. If you look at all these layers, the only thing that is different is what we call the enforcement of policy. The difference is the enforcement, how you do the nuts and bolts. At the operating system you work at the kernel to enforce policy and at the Web you have to work at the application server. We have centralized user interfaces, consistent policy and one place where you define policy and push the policy out. You don't have to go to the individual areas and use whatever they offer to get this done. We simplify things by having that consistency across our products.
Virtualization technologies increase complexity in environments, at least in terms of management. What does virtualization mean for security and how is CA addressing that emerging technology?
At the moment, from a virtualization security perspective, we don't have any offerings. There are needs with the advent of virtualization, and we are certainly looking into a lot of areas.