Canadian Information Processing Society (CIPS)

CIPS CONNECTIONS

INTERVIEWS by STEPHEN IBARAKI, FCIPS, I.S.P., MVP, DF/NPA, CNP

Bruce Cowper, Top International Security Authority, Chief Security Advisor Microsoft Part 3

This week, Stephen Ibaraki has the third of his exclusive interview series with Bruce Cowper.

As the Chief Security Advisor for Microsoft Canada, Bruce is responsible for the overall security strategy, working closely with the Public Sector, large enterprises, Industry Associations and the Community across Canada. He comes from a security background in secure system design, forensics and security risk management and, as Chief Security Advisor, leverages his real-life, hands-on experience to relate to the challenges faced today. Bruce is a prolific speaker and can frequently be found in the media and at conferences across Canada and beyond.

Bruce is a founding member of the Toronto Area Security Klatch (TASK) and an active member of numerous organizations across Canada. Before moving to Toronto and joining Microsoft, Bruce held positions on the board of directors of several IT companies, championing the development of technical excellence and the customer experience.

Bruce holds a degree in Computer Systems Engineering as well as industry standard qualifications.

To listen to the interview, click on this MP3 file link

The latest blog on the interview can be found in the IT Managers Connection (IMC) forum where you can provide your comments in an interactive dialogue.
http://blogs.technet.com/cdnitmanagers/

DISCUSSION:

Interview Time Index (MM:SS) and Topic

:00:52: The industry is changing. What advice would you give to IT professionals to stay on top of what is happening in the industry in order to position them and their organization to benefit from these trends?
"....Part of it comes down to how people get information and exchange ideas....One of the biggest things is to get people to participate in their local and other security communities....The second thing is to get them to share their ideas....The challenge is that security is still seen as a black art in many cases. What I'm seeing is that a lot of people are adding security as another skill set to their existing portfolio and being able to understand how security applies to the bigger picture...."

:04:26: Do you have any recommendations as to the kinds of linkages, either through relationships or different kinds of resources, to help enhance their careers?
"....Security is still as much about who you know as what you know. Part of who you know is making sure that you get the right information at the right time to help you deal with security challenges or being in the right place at the right time to further your career....Another big part is that there are an amazing amount of free or relatively inexpensive training courses that are being offered by vendors like Microsoft or organizations like IEEE...."

:06:01: What are some of the important broader IT and business challenges and solutions in 2009?
"....(1) the convergence of technologies....(2) we are going to see a lot more sophisticated attacks....(3) virtualization security....(4) stopping and taking a more holistic approach....(5) a big shift in the compliancy field toward implementing the right security management and other solutions with the end goal of solving those challenges...."

:12:43: Take the prior question and apply it to the next 3 to 5 years. What do you see in the broader picture looking into the future?
"......I think the shift over the next few years is really going to be around the integration, the management and the whole holistic view...."

:17:51: Can you profile the key lessons and experiences from each of the topics below?

:18:08: Understanding the classic Orange Book approach to security and its limitations
"....One of the things I always look at when using the Orange Book or any of the other guidelines that are out there is understanding that they are exactly that....they are guidelines....The Orange Book is a classic example whereby it was put together with some very specific criteria and purposes in mind and in real terms a lot of what may apply to one organization may not apply to another...."

:19:49: Using operating system security tools and structures--with examples from Windows, Linux, BSD, and Solaris
"....The great thing that has happened over the past few years because of the greater emphasis on security is that all of the vendors or groups have started to put an emphasis on making sure that the platform is fundamentally secure....And in many cases the bar having been raised that much higher by the demands of the customer...."

:24:10: Learning how networking, the Web, and wireless technologies affect security
"....What a lot of organizations are doing is leveraging that layered approach where the Holy Grail becomes being able to access the information and the resources from wherever you are, on any device, at any time. What we see is a lot of vendors and organizations looking at it and asking what are all the connection mechanisms and what are all the possible scenarios, and starting to bring all the technologies together....All of these come together to take a much more layered approach...."

:25:54: Identifying software security defects, from buffer overflows to development process flaws
"....Over the last couple of years the industry has gotten a lot better in both finding its own security bugs (and producing updates) and also working with the security industry and the researchers out there who are also finding some of the same challenges...."

:28:25: Using best practice techniques for authenticating people and computer systems in diverse settings
"....One of the things to consider whenever you are authenticating people is really around things like the credentials that they are using. One of the conversations we are having right now within the industry is looking at the number of digital identities and the validity of those digital identities. A lot of that comes down to the people who are issuing digital identities or traceability....essentially trust...."

:34:44: Using validation, standards, and testing to enhance confidence in a system's security
"....What we get asked when we are dealing with organizations, especially those with a heightened level of security requirements, is what are the standards that are complied with. That's a very positive thing. It shows due diligence from the vendor's or individual's perspective that they have gone through the testing and the due diligence and passed the accreditation process. Part of the challenge is we feel a lot of the security breaches out there are being generated through things like misconfiguration...."

:36:37: Discovering the security, privacy, and trust issues arising from desktop productivity tools
"....As the productivity tools become ubiquitous, what we need to make sure is that they are managed and maintained in the most appropriate way...."

:40:21: Understanding digital rights management, watermarking, information hiding, and policy expression
"....As things like movies, TV in general and other media become based on the Internet there is a lot more use of things like embedding of watermarks and digital identities into that information. But also more use of things like standards to help people use those things in a very portable fashion...."

:43:29: Learning principles of human-computer interaction (HCI) design, the user experience. What are some principles there that we should be mindful of in terms of security?
"....We have certainly seen over the years that if we use draconian security practices, people will often find a way around them...."

:46:57: Understanding the potential of emerging work in hardware-based security and trusted computing
"....If we think about using the embedded hardware encryption and making it completely seamless for the user it suddenly becomes a lot easier to take the decision out of the hands of the user and really focus on mitigating a particular security risk. So with the emerging work in the hardware-based security and trusted computing, what we are seeing is a lot of mechanisms to try to put mitigations in place especially from the user perspective that are seamless, but more importantly are manageable and trusted by the organizations that are implementing them...."

:49:27: In your current role, what are the biggest challenges, and their solutions? How does this relate to business?
"....In my current role I spend a lot of time looking at the security decision making processes within organizations....What I try to do is to get people to go away from what is the feature functionality of the technology and to really understand what the business drivers are and the security changes associated with those business drivers...."

:53:20: Do you have any additional predictions of future IT/Business trends and their implications/opportunities?
"....One of the areas of growth from a security perspective that we are starting to see is around things like gaming....The gaming industry has really tried to broaden the types and numbers of people who are involved in gaming....What they added to it is the online connection and collaboration....The challenge for individuals and organizations is that the games, gaming consoles and other types of devices aren't managed and maintained in the same way that we would do a physical computer. We are starting to see malicious software and other malware coming out that are targeting games specifically...."

:55:35: Which are your top recommended resources and why?
"....The biggest resource that I use are the people around me....I spend a lot of time reading newspapers from around the world....Keep abreast of some of the US media....another resource that I have available are the blogs...."

:01:00:32: Provide commentary on topics of your choosing. Or, if you were doing this interview, what questions would you ask and then what would be your answers?
"....What is it that you do to try and make the community around you a better place?...."

:01:03:25: The UN-founded International Federation for Information Processing or IFIP has their Professional Practice Partnership Program which received full ratification at the world general assembly in August 2007 with their first implementation meeting in Montreal hosted by CIPS in October. This marks an historical inflection point and speaks to IT as a recognized profession with global standards, profession-based code of ethics, and widely adopted professional certification, all happening in 2009. Can you comment on the benefits of this global initiative?
"....One of the biggest things that this type of approach really helps us with is being able to understand on a global stage exactly what the qualifications and the expertise and experience actually means. The other part? It really helps Canada to be able to look at the international stage as an opportunity for things like revenue and employment. One of the things that Canada has to offer is to get out there as a trusted partner on the international stage and to really speak the same language when it comes to technology. From my perspective that is exactly what the program is trying to achieve...."