A $500,000 bet on Internet security
The vulnerabilities of cloud computing stem from the threats lurking within the public Internet itself
By Colin Neagle | Network World US | Published: 17:00, 06 March 2012
Longtime cloud security advocate Philippe Courtot believes he has identified the Achilles' heel of cloud security, and he wants to protect it.
So, rather than look for a new way to profit off of these vulnerabilities, Courtot wrote a personal check for $500,000 to help fund the 100 percent nonprofit Trustworthy Internet Movement (TIM) as a way to change a dynamic in Internet security.
Formally announced during last week's RSA Conference, the Trustworthy Internet Movement is the result of Courtot's passion for the Internet and his perceived need for an independent approach to securing it. Currently the CEO and chairman of security software firm Qualys, which specialises in cloud security and may soon go public, Courtot founded the TIM as a separate, vendor-neutral innovation initiative.
Related Articles on Techworld
In the past, the 67-year-old Courtot has also acted as a founding partner of the Cloud Security Alliance, worked on the board of nonprofit anti-malware group StopBadware, and held a seat on TechAmerica's CxO Council. In describing his past work, he freely drops names like Vint Cerf and Marc Benioff as colleagues, while explaining that the Internet is "very dear to my heart" and is even "in my DNA."
Courtot admitted to pursuing funding from other sources, but concluded that resisting corporate sponsorship would allow the TIM to pursue its goals without the influence or pressure from outsiders looking for a return on investment.
When asked whether he will receive a return on his investment, Courtot replied with an emphatic "not at all," confirming that any revenue will go back into the organisation.
The main objective of the TIM is a broad one: improve cloud security by changing the dynamics that make the Internet unsafe. Courtot cited research he has conducted with Qualys that found 3,000 pages from "the most reputable websites in the world" were carrying malware, 52 percent of which came through advertisements.
Compounding the problem are the gaps in current prevention efforts, as Courtot says his research showed that Google's Safe Browsing API missed 82 percent of the malware involved in the study. At the Web development level, Courtot says the research showed that 54 percent of 1.4 million scanned websites still supported the SSL 2.0 protocol that was hacked 17 years ago.
These issues, among others, made it clear to Courtot that the vulnerabilities of cloud computing stem from the threats lurking within the public Internet itself.
"Everybody is becoming nervous, and you don't need to be extremely smart to just say, 'Where are these attacks coming from?'" Courtot says. "Like in the good old days of piracy, when the goods were coming through the ocean, guess where the pirates were - on the ocean. So today you find absolutely that most of this activity is on the Internet. So the Internet itself needs to be made significantly safer and trustworthy."
With quite the task ahead of him, Courtot takes refuge in his experience working with technology that is shrouded in doubt. Citing his work with Qualys in the early days of the cloud, Courtot likened his discourse with the enterprise IT community to Galileo trying to convince the Catholic Church that the earth revolves around the sun.
"In the early days, no one believed us. They'd say, 'How could I have my security outside of my company?' It was like heresy," he says.
Now that Qualys has reached a point at which Courtot can begin to take on other projects, he is looking to offset the widespread criticism of cloud security that has "personally offended" him. To do so, Courtot calls for transparency between cloud vendors and their customers, which he believes will lead to a better understanding of the shift from purchasing a product to paying for a service. Once more customers understand that the risk involved in the delivery of cloud services stems from Internet security problems, more will be willing to deploy the cloud, Courtot says.
"I've always looked at what I call the resistance of deployment," he says. "So you need to identify [the barriers to deployment] and then have a strategy to go around them."
Courtot was hardly the only one at RSA who called for a fundamental shift in Internet security. During his keynote speech at the event, Symantec CEO Enrique Salem called the younger generation the "sledgehammer of change" to endpoint security in the enterprise. Citing the inherent familiarity with technology among those born in the 1990s, Salem predicted a more productive workforce that will also require an entirely new approach to authentication and security.
In this regard, Salem did not stand unsupported. Avecto COO Paul Kenyon agreed and used the comparison as a call for seamless integration of security and productivity applications.
"Just as consumer security vendors are increasingly making their security applications capable of working constantly in the background - and with minimal involvement on the part of the computer user - so the security industry on the business side also needs to streamline the endpoint security that the employee sees," Kenyon says.
Courtot, however, is careful not to let the TIM get ahead of itself. If the organisation is going to bring about any significant change, it will be by gaining leverage on the pertinent issues and targeting them until they have been resolved, he says.
"We are not looking to be a huge organization which is going to solve every problem on the planet," Courtot says. "It's all about being very pragmatic, picking the balance, finding a leverage point and going about doing it."