Kurt Roemer, who's the chief security strategist at Citrix and sometimes the chief security officer depending on which day it is. So my first question, Kurt, is actually an answer. And the answer is everything. And the question is, what's different about cloud security? For double jeopardy, go. So what is different about cloud security? What's interesting, there's a lot of definitions of cloud out there and I really go back to the NIST definition and think about delivering computing as a service. And it's really different than how computing has been delivered in the past. Because of that, you really have to take a look at a new architecture, especially when you're looking at security. Traditionally, we had the luxury of end-to-end ownership. IT owned the machines, they owned the network, they owned the data center. With cloud computing, none of that's true anymore. Obviously, security's got to evolve. Yeah, so they're talking about the definition of cloud security specifically, right? So it was not that long ago, right? It was, let's see, we did an analysis of it I think last February. And basically, the call was, how mature are the security standards and where are we? We like to use sports analogies in terms of theCUBE, we've been called the ESPN of tech. What inning are we in with regard to cloud security? Has the game started yet? Are we in the bottom of the first? Yeah, game's definitely started. I'd say we're somewhere in the second right now. There have been many organizations that have been leveraging the cloud for years, just really never called it that. Software as a service apps, salesforce.com, GoToMeeting, Gmail, there's a lot of great examples out there of people who have been using cloud-based applications. Moving forward with some of the infrastructure and platform as a service, not everybody's leveraged those yet or really understood how to leverage those in many cases.
They're looking for strong guidance, they're looking for best practices and examples and there's not a lot of prior art. On a positive note, you do see NIST, you see the federal government with FedRAMP, with the cloud-first initiative, with some of the things going on with the TechAmerica Cloud2 Commission. But then also you see the Cloud Security Alliance. You see the PCI Security Standards Council who formally is recognizing cloud computing in a virtualization information supplement that's being released in the first half of June. These are organizations that are very well respected and tracked and they're actually telling us how to use virtualization, how to use the cloud securely. Is security in the cloud, I mean is security in general, is it a do-over because of cloud or is it more of an evolution? In IT we always talk about no rip and replace, getting from point A to point B without disruption. Security in some respects feels like it's different, that we really have to rethink it. It does and in some ways it does feel like a do-over and really should be for some organizations. There are organizations that have approached security in the right way. They've thought about what their goals are, what they're really trying to achieve with their security objectives and really the best ones have thought about security last. They've thought about security as a result. What they've done is they've gone in with their business goals and with risk management and have said, you know, what's our risk posture? What's acceptable risk? What's unacceptable? People are bringing iPads into the organization saying, connect them up. Let me get on to these cloud apps. Who accepts that risk? You know, the iPads are consumer grade devices. You typically never allowed those into the enterprise. But now with the cloud we're seeing a lot more of those. There's consumer grade devices, consumer grade micro applications on those devices, consumer grade cloud applications.
It begs a different security model to support those. You know, a lot of people talk about security in the cloud can actually be better. Now, as a small business, I actually kind of agree with that. Me too. My service provider's got way better security practices and policies than I ever had. At the same time, a lot of large organizations, financial services, institutions, pretty good security. But that notion of security in the cloud being actually more secure, forgetting for a moment the small business aspect, where I just don't have the resources. But do you see that vision coming to fruition in the near to midterm? I do. And you really hit on a key point. For small and medium business who never could really afford to have the talent, the resources, the equipment, the applications on site, moving to the cloud in a very professionally managed environment automatically gives them a better security posture than they would have had across their enterprise, regardless of how big it is. Now, for larger organizations, there are some very large organizations who have done security incredibly well. There are others that maybe don't do it incredibly well across the board. And there are pockets within those organizations that as they move to the cloud would automatically get better security. Another key point to this is any organization who still thinks that they have end-to-end ownership of everything and are still trying to manage their networks and all of their end users from that perspective, those organizations are delusional. And if you step back and say, hey, we're moving to the cloud, we've got this any-to-any model, how do we architect security to really protect what's important to us, take our crown jewels, and make sure that they're protected at all times? 
Those are the organizations that are really going to do cloud security the right way and will innovate and will wind up with a better security posture because the cloud forced them to recognize issues that they've already been facing. Kurt, you talk to a lot of customers and that's a good way to put it, say, hey, you're going to figure out what you want to do for your business. If you had to go do a do-over and you were the chief security officer for Sony PlayStation, what would you tell them? I mean, honestly, a very public, visible hack, disruptive to their business, we were talking about earlier with one of your partners who was saying the trust is an issue, the fence was broken and no one knows what data was stolen, at least nobody even knows what the tracks were, so obviously the disruption to their business was significant. If you had to go back, I mean, at a high level, I mean, oversimplifying things, I mean, Monday morning quarterback kind of thing, I mean, what would you do? I mean, how would you prevent that from happening? Yeah, first of all, sorry Sony, that's a very difficult issue and it's affected everybody, it affected my son Kevin, who's on PlayStation Network. Hi Kevin. You got an Xbox? Well, one of the many millions flocking to Xbox. Yeah, he's sticking with it, he really loves it. Billions of dollars of damage, obviously, and it's huge. I mean, it's tremendous and it really shows that as organizations grow up and mature and are out on the internet, you have to have process. You have to have process to make sure that you're patched, that you have active defenses in place, it's no longer sufficient to just try to keep up on the internet, you actually have to consider the internet as a very hostile environment and you have to consider that information warfare is targeted at corporate America these days and at enterprises across the globe. Sony's learned that and many other organizations have learned that.
You need to have processes in place to keep your organization up to date. You have to be able to react quickly and most importantly, you have to partition off these networks, these applications, sensitive data so that it's not just get into the perimeter and anything goes. You need to have multiple partitions so that it's very difficult for somebody, even if they do break in and hack into an organization, it's difficult for that attacker to go from point A all the way through to point Z as they did in Sony. One other key point with that, though, these attacks came in through the web, a web app firewall definitely would have helped. Explain that further because that's a good point, let's drill down on that, so take us through the web app firewall. Yeah, when you've got critical web apps and web services out there, obviously you need to have professional development with those, you need to be scanning and assessing them, constantly testing them to make sure that they're sufficient and that they're protecting the company's interests. A web app firewall is a piece of technology that's focused on the needs of layer seven web applications, HTTP, HTTPS-based, and looks for signs of common attacks, things like cross-site scripting, SQL injection, parameter manipulation, any session tampering. It's a piece of active defense that you can put out in front of any type of web app or any type of web service and ensure that those are protected. It's a necessity for today's critical web. I'm sure the PlayStation put that in center stage for all the clients. I mean, is it a net new infrastructure or is it patching to their old legacy? Because that's the big question that always comes up is, it's always great to have a clean sheet of paper, but not everyone has a clean sheet of paper, they've got a lot of legacy, so going to a net new architecture or infrastructure and apps, you can't just do that overnight.
No, you can't do that overnight at all, and it's one of the nice aspects of a web app firewall is you can put it in front of the latest web apps and web servers, you can also put it in front of very old mainframe-based web apps and web servers. The protection applies regardless of what you're running. Is the PSN fail a reflection of architecture choices or bad security practices? I won't pretend to know everything about that particular set of attacks, but I'd say it's more bad security practices and a lack of process. I mean, that's usually the case, isn't it? It's either, you know, bad processes. It's hard to keep up. Bad user behavior. Acceleration of bad guys is just too fast. It really is. What's the strategy? Simon Crosby, and we talked about that on the first night, the Tuesday night, and he was like, he agreed. What do you need to do? Security do-over. Meaning, you know, rethink beyond Symantec and McAfee and go, you know, thinking about it. Simon's answer is open source. Oh, even tokens, right? We saw our second hack. Yes. Yeah, absolutely. It's the same thing. You can work in open source. So take us through the open source view. I mean, obviously you guys are big on open source. There is a contingency of people who want to rally around open source. What's your view there and any momentum updates that you can share with us from your field? Yeah. Open source with community involvement and development and review really makes sure that you've got visibility into the project that's being developed and the code. And also, if you have an attack that is noticed or a new vulnerability, you have the community jump in, determine what needs to be done, and typically patches and fixes are available much, much faster in an open source world because you have many, many more developers focusing on it and people are using it to protect their interests. We love crowdsource.
I mean, this has been a conversation for several years now, how you can use the crowd to improve security. Yeah, I mean, you look at the security market, I mean, obviously Citrix is not that perceived as a security company or a hardware company. Obviously, given the legacy of the business, you know, Cisco, even F5 for that matter, might be considered, you know, in that realm as a security company, for folks out there who have that perception, I mean, you're obviously the chief security officer, just share with us and them, you know, what's going on with Citrix and security and just give them a data dump on kind of where it's at in your perspective and why it's so focused obviously with virtualization. You can do a lot of cool new things, you can spin up stuff and have a different approach. Can you share with us and the folks out there? Yeah, it's interesting. When you look at traditional security companies, you typically think about installing products and getting those in front of everything and getting products installed on workstations and that provides security, but ultimately, we don't believe that to be the case. You might not see Citrix as a security company and we don't either, but our customers rely on us for security every day. So we have to make sure that we're secure by design, that we have the features in the products, we have the interfaces in the products that let our customers and partners build very strong security solutions. The ISSA, the Information Systems Security Association, awarded Citrix Security Organization of the Year 2011. That was just announced last week. It's really cool. I'm very proud of that. You should be. I mean, that's a design-in mentality, as you said. There's no magic bullet there. And it's a big thanks to our partners and our customers out there for taking a look at Citrix and looking differently at what it really means to have security.
You know, you mentioned some of these breaches before, the breaches were allowed to perpetuate because there was no partitioning within the network. Once you logged in, and we've always had it as an industry, made it really tough for somebody to log in. But once you log in, you can copy, paste, print, save, email, and otherwise exfiltrate data to your heart's content, right? You're in, you're in, you're in. Wouldn't it be better to partition off each application, each network, each different area of the organization so that you have automatic little walls in there that help the partition and control the spread of data? Even within a particular workstation, you can partition off a browser with virtualization and make sure that even if that browser gets hacked, even if you open up that really bad PDF document and it's got a script in it, nothing else is impacted. Your registry's fine. Your file system's fine. Your network's fine. That's kind of cool. Server virtualization complicates this, you know, immensely, right? John and I were talking about, I always use the, you know, it's a cliche, but the castle and the moat and the queen was a lever castle and you know, I mean, but the point is, when we talked to security practitioners in the Wikibon community, they, you know, that concept of putting a moat around a physical infrastructure kind of goes away in the server virtualization world and that makes it hard, right? Because you don't know what's connected to what. Yeah, it can. And so a lot of the practitioners we talked to are struggling, but the other point that you made, which is really important, I think, and I'd like your comments on this is, you said this really, that notion of end to end, you know, it's kind of illusory. There is no one vendor, one outcome, you know, one out of the box solution, right? No, there's not a one size fits all model to security either.
And that's why it's very helpful to have open standards and to be able to allow customers to build the right solution to meet their security needs based on those open standards. But you also made a key point. You have to have visibility and you have to have control at every step of the game. And so we have things like application tabs and virtual tabs into the environment. We've got visibility in there so you can see what's going on. And you can also have firewalls, DLP and other controlling technologies that our partners bring to bear that integrate with these environments. If you want to have an extremely strong set of controls similar to what you would have had in the physical world, they're there, they're available. They work. One of the things that we've been, we're on theCUBE, this is theCUBE, by the way, our flagship telecast, we go out to events, we cover the news, the analysis and the opinions. Of course, we supply a lot of opinions, Dave Vellante and I, and with SiliconANGLE.com, the leading tech coverage of emerging tech. We go around and talk to the smartest people, we get their knowledge, we share that with you. We're excited to have Kurt here, Chief Security Officer of Citrix. A philosophical question because we were on the summer tour, 2011. What about security and privacy? We talked to all the leading executives at EMC and SAP Sapphire. Same question comes up. We always thought we left on security because it's always like, what side of the street are you on? Kind of get a good answer there. So the question was, can you have security and privacy if you take care of one way, take care of the other? I mean, you guys are, so that's a question, but overlay that on the key theme here that you guys are talking about, follow-me data. Yes. Okay, so data is data, that's privacy, security, data. So there's kind of this security privacy meme that we've been fleshing out and talking about. So can you just elaborate your philosophy on privacy and security?
You fix one, does the other one go away? Are they hand in hand? Are they mutually exclusive? How do they play together? Just your thoughts and religion on those two. That's a great question. Security and privacy are deeply interrelated and they're also very much separate entities. Most people, when they think about a privacy breach, it's because of bad security. Somebody hacked into a server, was able to get a list of credit cards, list of customers, was able to breach personally identifiable information, protected healthcare information, or PCI information. Well, it's not always a security breach. Sometimes it's bad practices. Sometimes it's just not knowing the connectors between the applications and the data and passing more information than you need to. We need to take a look at protecting privacy beyond just maintaining strong security, but really look at what it means to protect the privacy of this data that's subject to legislation, increasingly a concern for each of us. You get your credit card breached. It's a big deal. You have to go through and call a company and they re-issue a card and you're back up and running pretty quickly, right? What happens if your medical information gets breached? Your electronic medical records are out there. If that gets breached, there's no pulling it back. We have to make sure that as this data gets out there, it's protected appropriately and we can't rely on the mechanisms of the past. So that is a great area for the industry to come together, to make sure that we're satisfying privacy, but also having the policy in place so that you can approve for the things that are most sensitive to you, whether they're shared or not and under what circumstances. But you mentioned medical industry and healthcare and that's actually conceptually easier to understand, right? Yes. Because there's HIPAA laws that adjudicate privacy. There's a lot of gray area in the wild world of things like social media, right?
And mobile and consumer devices. I mean, it's very unclear where to draw those lines. Yes. Organizations really need to start thinking about their objectives as a business. Do you see IT organizations, CIOs, CSOs, starting to have those business conversations yet or is it still really a security discussion today? We see the more progressive organizations starting to understand that. They're having social media policies put in place. They're helping their employees and their contractors to understand what privacy related data they maintain and are responsible for. And they're also helping educate their employees and contractors on their personal privacy as well and how that would affect them at work. You know, each of us has a view into our privacy that we perpetuate out to the world. Some people will share their deepest, innermost secrets on Facebook. With others, it's just name, rank and not even serial number. Invisible. And that's as far as they go. Some people want to be completely anonymous and be in the background. Well, great. We should be able to do that. Scott McNealy coined the phrase, no one has privacy anymore. That goes to legendary, well-documented. But it's interesting. The security privacy thing is interesting because the question, which one of you, can you solve one and does it solve the other? Is there a, is it the chicken and the egg or is it, I mean, they're definitely intertwined. It's a tough one. Yeah, security protects privacy. I guess that's the one way that I would take a look at it. But privacy trumps security. But there's a real business model issue there too, gentlemen, that I think needs to be discussed here. And that's the whole issue of incentives. I mean, as an individual, I might be incentivized to provide my location to Google so I can find a restaurant. On the other hand, I might not want to do that for Facebook.
And so the notion of putting out a carrot for users to actually participate and get some value out of the system, that's something that's new. The big data, John, we talk about the big data trend all the time. You know, it's providing information to the internet, to big databases, to get value as a consumer. That's new, that's different. And now Google announced their intentions for Google Wallet today, that was a big announcement. So obviously Google going from the toolbar privacy issue of data collection to now transactional data beyond checkout. It's an interesting end-to-end trust issue. It really is, especially when you take a look at Google being deeply intertwined with advertising revenue. Having the data be private and determining what you share, we've dealt with this in the physical world for years with things like loyalty cards and programs. You go to the grocery store, they know what you buy, they can target you with advertisements. Once you're doing that online and that's shared much more, there may be certain information that you don't want to share, that you might want to be anonymous for. You know, what if you can see that you go to the grocery store and buy three bottles of Jack Daniels every week? Might somebody think differently about you because of that? Someone tagged you that you didn't want to be tagged. Exactly. Exactly. You're buying Jack Daniels again for the fifth time today. You know, it's like, oh boy, now there he is going again. We're here at SiliconANGLE.com, the place for coverage every day on our blog, Wikibon.org is where the research is, it's for free. This is theCUBE, our live telecast, flagship telecast, we go on the ground, talk to the smartest people, here Kurt Roemer, the Chief Security Officer of Citrix.
My final question, and then we got to get ready for the CEO of Wyse who is coming in, Dave, is you've been recently appointed, this past April, as the Chief Security Strategist, named to the US, United States, Federal Cloud Computing Commission. So just share with us quickly the government. This, you know, the side of us, we libertarians like less government, maybe Republicans don't want any government, Democrats want all government. It's not really a party of the internet. Is there a party of the internet? And there's movement now towards people seeing the trainwreck of the FCC in other areas that have kind of screwed things up recently around innovation. So talk about one, the role of, your role in this new cloud commission, describe it, what's its mandate, and then what's your vision for it? Because, you know, we like the government, they do good things for us, but we don't want to get them too much into our underwear, and technology innovation, it's not their game. So, share with us. Yeah, so the Cloud2 Commission was pulled together by TechAmerica, and it's really taking a look at both public sector use of cloud computing, as well as enterprise use. And we're providing a 30-page recommendation, which will be released at the end of July. And that recommendation is also gonna be accompanied by a cloud buying guide to help people understand what aspects would be important when taking a look at various cloud services and how they can best choose those. It's not getting into the politics, it's not getting into, you know, big brother who's running the cloud.
It's really the federal government looking at how to increase their agility, how to increase their responsiveness out to all of us as citizens and their constituents, increasing transparency of government and making sure that they understand the data sovereignty, the border issues, and most importantly the interoperability so that as the government is building out all of these clouds, and as enterprise builds out clouds, that we have the ability to take cloud environments from one provider to the next and not have lock-in. And in this way, you really have increased the ability for the government to serve us, lowered costs tremendously, and made it easier for them to innovate. It's really a great program. And the government 2.0 initiative that's been put out by the Obama administration and kind of teased beforehand, but really Obama kind of kicked to the next level is to get more transparency. They've done their blogging, he's got a BlackBerry, not an iPhone, but a $60 million BlackBerry in that, from what I'm reporting on SiliconANGLE.com. That was an exclusive story we ran, $60 million BlackBerry, NSA integration and everything. But you got the government, you got social media for the first time, we're living in this social village. So it's interesting that the government is getting involved because it's society. I mean, the cloud is an end user experience, consumerization means people and they govern the people. So it's interesting to see how that goes. Just wondering what you see as the key things that we can do as an industry to make sure that we don't get too big, too much regulation, or no one knows yet what it is. What's your opinion on that? Yeah, my opinion is that I see these efforts as being something where we're not going to have more government regulation.
The fact that we've had industry members from across the board and educational institutions that have been brought in to help form this opinion on what the government should be doing shows that the government is listening to best practices and wants to make sure that they're learning from industry. What that's going to do is help to make sure that the solutions that are out there are something that can be used across the government, across industry, and will be truly useful to us as citizens. Interacting with the government in the past, you had to get up and go somewhere. Now you'll be able to have government services available to you on your computer, on your iPad, on whatever, and you'll be able to keep track of what's going on. I mean, do you know how your senators are voting and how important issues are being decided? It's hard to keep track of these days. What if you had an online experience that lets you get in there and actually influence the people who are representing us? I'd like to know about my senators because I know they're collecting a lot of big data about me. They're one of the biggest customers of big data, Hadoop. Kurt Roemer, thank you very much for coming inside theCUBE, the great Chief Security Officer for Citrix inside theCUBE here, our flagship telecast. Thank you so much. Great to have you. Thank you.