Hard security

zoom

Keeping the digital nasties away from the enterprise network is a never-ending task that can be a significant drain on resources. ACN sits down with Thorsten Stremlau, principal security consultant for Lenovo EMEA, to explain further.

Are you mainly interacting with clients on an implementation level or with CIOs on a strategy level?

From a strategy level all the way through to an implementation level. Today the presentation I held was mainly on strategy at a very high level. On the other hand, I also get involved with projects - for example implementing biometric solutions in schools or developing methodology for safely encrypting hard drives once data has migrated across.

Do you believe we will see more research and development into hardware-based security measures?

Yes, absolutely, the trend - and it's been going that way for a number of years - is to go with hardware security. What we have seen from our perspective is the integration of the trusted platform module (TPM). If you research my name you will see that I'm both positively and negatively associated with the TPM.

[Negative] ones from the privacy groups - who obviously launched a huge campaign against the TPM because they primarily thought that Microsoft was going to use it for digital rights management and application protection. Then positively because I have worked with the TCG in many areas to integrate the TPM, the security chip, into a host of different applications.

I was actually one of the guys that helped integrate the TPM into Thinkpads and Thinkcentres in 1999. I guess from that perspective, embedding the TPM was the first step towards a hardware-based type of security environment.

In your interactions with Middle Eastern CIOs, do you find  they have the same concerns and levels of understanding as those you deal with in Europe?

In the Middle East it is actually a higher one. I haven't been able to find out exactly why it is yet, but in Europe as a whole it seems as if security is a cosmetic mechanism. Something that is really prevalent is ‘I'm going to implement something that somebody told me is security, then I can put a check in a box that says I have implemented security.'

In the Middle East, one of the things I am finding when I come down here is that people poke into the technology - they query: "Why does that make any sense?"  They query the loopholes that they'll find. They just have the perception that I'm down here and there's more interest in the actual security than just putting a tick in the box.

There are constantly reports about how botnets, spam and viruses are all getting worse - is there any actual good news in security?

Actually I think so; all of the bad news is leading to one thing - user awareness. I can throw as much technology at security, [but] it is never going to improve if that one person carries a document out the door in paper form.

The positive news that I see from a security perspective is that all of this bad news is increasing the general user awareness of security problems. A couple of years ago when a popup would appear in Internet Explorer that would say: Do you want to install this free software? They would immediately click ‘yes' before thinking about it. Users now are aware of phishing and malicious code and won't do it and will simply click ‘no' twice before they click ‘yes' once.

With the amount of threats and security risks, how do enterprise buyers prevent themselves from spending too much on security?

You should never implement security without doing a proper return on investment (ROI) analysis. There is a very clear ROI on security and you always need to know the value of your data. If that piece of paper is worth US$2,000 then you should never spend more than $2,000 protecting it - very simple. My goal as a security consultant is to make it $2,001 expensive to try and hack and get that piece of paper.

I'm never going to sell a customer a solution that is going to cost $10,000 to protect data that is only worth $2,000. It's one of the bad features of the security industry - that of selling by fear. You shouldn't sell by fear, you should sell by ROI.

Are you encountering CIOs that are still spending in the region?

Yes, especially in the region. There was a bit of a time I guess where it slowed, but at the moment, talking to all the guys here, they need all the help they can get.

Print | Email | Discuss this article

| Share |

READERS' COMMENTS

Click here to post a comment

Add your Comment All posts are sent to the administrator for review and are published only after approval. ArabianBusiness.com reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Arabian Business would like to point out that only comments relevant to the story will be published. Any containing personal insults or inappropriate language will not be approved.
Name *
Remember me on this computer
Email *	(Your email address will not be published)
City
Country
Subject *
Comment *
Notify me of further comments
Enter the words above *
Please click post only once - your comment will not be published immediately.

MORE FROM ARABIANBUSINESS.COM