Cloud computing is the main focus of discussion when Infosecurity sits down with the Webroot CTO in their Silicon Valley office. “It’s the right time to embark on cloud computing”, Eschelbeck insists. “If you don’t engage in cloud computing now, you’ll miss out on cost savings – and by that I refer to both vendors and customers.”
“The future is in centralising IT functions, yet giving customers flexibility”, explains Eschelbeck. “While IT functions become more centralised, the work force is becoming more de-centralised. I was recruited into Webroot in 2004 to bring the cloud into security, and to bring malware protection to the cloud. It’s time to look at offloading processing back into the cloud”.
In fact, the Webroot CTO goes as far as to say that his decision to move to Webroot from his previous position as co-founder of Qualys, was made due to the challenge of moving Webroot into the cloud space. “I like to build companies and build teams”, he says.
When asked about the security concerns that are so often associated with cloud computing, Webroot’s Eschelbeck confidently assures Infosecurity that “The technology has matured so that it is as secure, if not more secure, than traditional ways of doing computing. Why? Because if you build it from the ground up with security in mind, it will be more secure”, he argues.
Eschelbeck also draws on the lack of dedicated IT and security staff in SMBs working with servers. “There’s often not a great sense of internal security, leaving plenty of vulnerabilities”, he describes, whereas “in cloud computing models, there are dedicated security teams working 24/7. The cloud can never go down”, Eschelbeck says confidently.
When asked whether there is room for improvement, the Webroot CTO answers “Of course”. Eschelbeck acknowledges the need for standardisation in the cloud. “It’s the next biggest step. We need to make sure the vendors are talking to each other”, he says. “There’s a sense of urgency around securing data in the cloud. Data breaches are happening every day, but they are not as visible”, Eschelbeck says regretfully.
Security in motion
Interestingly, Eschelbeck argues that cloud computing will help boost the security of the mobile worker. “The security goes through the connection – the cloud – not the machine itself, so there is strong enforcement in the cloud”, Webroot’s CTO explains. “I’d rather have the data in the cloud rather than on a worker’s laptop or smartphone. That way the data is stored centrally, so even if the device was lost or stolen, potential for damage is limited”. Application security for smartphones, therefore, becomes less of a concern under Eschelbeck’s theory.
Social networking challenges
While Eschelbeck is a firm believer in the importance of social networking sites in both a professional and non-professional sense, he acknowledges the two main challenges with social networking use. “Security is one, and time spent on them is another”, he says.
“How do you solve the challenges? You need the ability to be able to enforce security policies. Last year was an intense year for social networking security – it became very apparent that there is a lot of content that you don’t want going in or out via these means”, continues Eschelbeck.
“If a web filtering service is in place, this takes care of inbound protection. As for the outbound threat, that’s where DLP comes into place.” So, technology is the answer to the social networking security problem? “Well, it’s the safety belt, but education is very important too”, insists Webroot’s CTO.
The 2010 threat landscape
While Eschelbeck may be insistent that 2010 is the year of the cloud, he also offers some more worrying predictions. “We’ll continue to see an explosion of malware samples, which will be a big challenge for corporations and the industry”.
“More worrying still, the threats are becoming smarter, as malware writers aim to infiltrate organisations and target employees to reach as wide an audience as possible”.
“The brain of the attack”, Eschelbeck insists, will remain on the web. Although he believes malware writers will continue to use email as a vehicle for seeding the web attack. “For this reason, companies need to continue to take strong action on email protection. Email attacks are very targeted and very clever. They look plausible and appear to come from someone the victim trusts”. It’s therefore hard for users to differentiate between good emails and bad.
Finally, Webroot’s Eschelbeck confirms what we already know: “The web will continue to offer tremendous opportunities for cybercrime”, he concludes.