Thirty eight years after it was founded, RSA Security is embarking on what may be its most challenging journey yet: cybersecurity startup. In this Spotlight Podcast, sponsored by RSA, we’re joined by Chief Digital Officer Dr. Zulfikar Ramzan about the company’s path forward as an independent company. | [Read the full transcript]
The company which was acquired by storage giant EMC back in 2006 and then became a part of Dell when that company acquired EMC in 2015 re-emerges as an independent company this week, more than six months after it was acquired by a group of investors led by Symphony Technology Group.
What does independence looks like? What will RSA do with its newfound freedoms? And how does the challenging business environment created the ongoing COVID pandemic figure into the company’s plans?
To find out, we invited Dr. Zulfikar Ramzan, RSA’s CTO into the Security Ledger studio. In this conversation, Zulli talks about how RSA’s path forward is informed by the company’s pioneering past, starting all the way in 1977, when three MIT researchers Ron Rivest Adi Shamir and Len Adleman published research on a novel public key cryptosystem that took their name.
The Past Informing the Future
As Ramzan sees it: the daring and persistence of the founders – whose work helped create the modern Internet, but who initially had to contend with the limitations of contemporary hardware and software, not to mention Cold War era restrictions on the sale of cryptography technology outside the US. That perseverance will serve as an inspiration to RSA as it looks to re-establish its leadership in vastly altered technology and security landscape.
To start off I asked Zulli to talk about RSA’s earliest days and what messages he and other company executives take from the company’s origins almost 4 decades ago.
(*) Disclosure: This podcast and blog post were sponsored by RSA Security for more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.
Spotlight Podcast Transcript
[START OF RECORDING]
PAUL: This Spotlight edition of The Security Ledger Podcast is brought to you by RSA Security. RSA offers business-driven security solutions that provide organizations with a unified approach to managing digital risk that hinges on integrated visibility, automated insights, and coordinated actions. RSA solutions are designed to effectively detect and respond to advanced attacks, manage user access control, and reduce business risk, fraud, and cyber-crime. RSA protects millions of users around the world and helps more than 90% of the Fortune 500 companies thrive and continuously adapt to transformational change. For more information, visit rsa.com.
INTRO: [MUSIC] This is The Security Ledger Podcast and I’m Paul Roberts, Editor in Chief at The Security Ledger. In this Spotlight episode of the podcast…
ZULFIKAR: The beginning of RSA, it started off with three people, right? Rivest, Shamir, and Adelman. The one thing that’s remained constant despite all the trials and tribulations, the acquisitions, the growth, is that RSA continues to be eponymous with the three founders who really saw possibilities where others didn’t, and who kept persevering in the face of tremendous odds when others would have quit long ago. That, to me, for our future, is gonna be the hallmark of the new RSA.
PAUL: Thirty-eight years after it was founded, RSA Security is embarking on what may be its most challenging journey yet as the world’s oldest and maybe largest cyber-security startup. The company, which was acquired by the storage giant EMC back in 2006 and then became part of Dell when that company acquired EMC in 2015, is re-emerging this week as an independent company for the first time in fourteen years. This, more than six months after it was acquired by a group of investors led by Symphony Technology Group. So, what does independence look like for one of the information security industry’s most storied firms, and what will RSA do with its newfound freedoms?
To find out, we invited Zulfikar Ramzan, RSA’s Chief Technology Officer, into The Security Ledger studio. In this conversation, I speak with Zuli about how RSA’s path forward is informed by the company’s pioneering past going all the way back to 1977 when three MIT researchers, Ron Rivest, Adi Shamir, and Leonard Adelman, published research on a novel, Public Key Cryptosystem, that took their name, RSA. To start off our conversation, I asked Zulfikar to talk about RSA’s earliest days and what messages he and other company executives take from the company’s origins almost four decades ago.
ZULFIKAR: Zulfikar Ramzan, Chief Technology Officer, RSA. We couldn’t be more excited about the opportunity to be an independent company again. As you know, for many years, RSA was independent really from its founding until it was acquired by EMC. Then for many years, we were part of a bigger entity. I think one thing that’s really exciting is the idea that we can now take control of our destiny. We can focus on the key areas that we think are important for the security industry and reclaim our spot as the premier vendor in that space. It’s something RSA has held onto for many years. The strength of the brand on its own is phenomenal. Not just the company but the algorithm, the history, all the pieces behind it.
PAUL: It is a pretty amazing history; three academics at MIT who invented the RSA encryption algorithm. I know, obviously, that’s kind of your area of expertise. Talk about what the impact of that was, and some people might point to that as really the birth of the modern cyber-security, information security, industry.
ZULFIKAR: Yeah, I would wholeheartedly agree, Paul. If you go back, the algorithm was invented in ’77. Actually, April ’77 is when the initial technical report was written. It was Ron Rivest, Adi Shamir, Len Adelman; R, S, and A. At the time, if you go back and think about what the world was like in 1977, at that time the idea of the academic community even working on cryptography was outlandish. It was almost a fool’s mission in multiple levels. Number one, you were competing against the federal government which had a head start at R&D, and way more resources. Number two, there was a real question of whether the research we did would see the light of day or whether it was gonna be forced to be classified.
Remember, all this stuff has significant national security implications. There was a real risk that the government wouldn’t allow a private company to work on these areas and advance it further. Then finally, there were technical limitations. Today, I can run the RSA algorithm on a split second on my smart phone and it wouldn’t be an issue, but if you go back to ’77, Ron, I remember, had to actually build or design custom hardware, VLSI chips, to actually [00:05:00] be able to implement the RSA algorithm correctly. Even their first version didn’t work. They tried to spend all this time optimizing this VLSI layout, and they sent it off for fabrication and it came back and didn’t work. They had to do a lot of work on all these very basic issues that today we take for granted, but I think at that time were pretty profound.
PAUL: Yeah, I mean, ’77, obviously the height of the Cold War. Encryption was all tied up with spycraft and the competition between the Soviet Union and the Soviet Union and the United States and other nations around protecting classified information, signals intelligence, that type of thing.
ZULFIKAR: Right, and for many years, cryptography was classified the same way that physical arms were. A machine gun and a cryptographic algorithm were considered the same thing from a certain legal perspective. There were a lot of issues around how you could even explore cryptography. If you actually worked on cryptography in the US and came up with an algorithm in the US, you weren’t allowed to export that code or export that capability outside the US if it failed to meet certain criteria. Just think about that for a moment. That was not long ago. Every now and then, I think these issues do resurface but there were, again, some major fundamental hurdles. But I think when you look at what this technology enabled, it’s just pretty remarkable.
You go back and think of the early days of the Internet, right? So, ’77, the Internet was ñ existed, but people weren’t using it the way we do it ñ the way we do today. I would say in the 90s, we began to see this pivotal movement of the Internet into the mainstream. I think what drove that movement was the idea of electronic commerce. All of a sudden you could enable people to buy and sell goods online, and that created entirely new business models. What really enabled electronic commerce at a fundamental level was the ability to conduct secure and trustworthy transactions. If I can’t trust you over the Internet, there’s no way I’m gonna transact with you. Trust is a foundation of modern commerce.
It’s the foundation of society and moving. What R, S, and A did is effectively with their algorithm enabled trust on the Internet. They essentially were able to usher in a brand-new era of digital transformation and that’s just an amazing accomplishment. It’s easy to lose sight of that fact when you’re making a purchase on Amazon every day. We’re not really thinking about the dizzying array of mathematical computations that make that transaction a reality. If we take a moment to step back and think about that element, it is quite profound.
PAUL: You’re listening to a Spotlight edition of The Security Ledger Podcast. This Spotlight podcast is sponsored by RSA Security. I think one of the things that you see a lot in the information security space, Zulfikar, I’m sure you’d agree, is that companies and technologies emerged to solve discreet problems, right? Whether that’s fraud or identity or intrusions or data leak or what have you. That’s just been the pattern forever, but of course, companies don’t need lots of different products. They need a few products that kind of talk to each other and integrate well. Talk just a little bit ñ I mean, so, RSA looked at one way has some discreet products and identity and fraud and threat detection and information management and so on, but talk about how these products fit together and the sort of holistic view of RSA’s solution.
ZULFIKAR: Right. When I think about security in the broadest terms, it starts off with the idea of risk, right? It’s really about starting off and saying how am I gonna mitigate and manage my risk? Obviously, that’s an area where RSA Archer plays a strong role. When you think about it at a more fundamental level though, if you want to really understand risk, if you want to be able to measure and assess risk, you need visibility because you cannot measure or assess what you cannot see. There, we have essentially RSA NetWitness really playing a strong role in providing some of the visibility that can help fuel RSA Archer. Now, visibility on its own is necessary but not sufficient. To be able to do anything meaningful, you have to start off with being able to glean meaningful insights from that visibility that you’ve gathered. That’s really where some of our analytical capabilities comes in.
The NetWitness we have, user behavior analytics, we have a whole bunch of capability that we’ve implemented over the years, and being able to glean insights from data in that ñ by the way, that’s a challenge on its own. It’s not just about collecting a bunch of data then trying to analyze it; you’ve got to collect the data with the idea of being able to analyze it in the right time later on. We’ve seen a lot of companies make that mistake where they’ve gathered data and then they’ve tried to analyze it later, but they struggled because they didn’t think about analytics as part of their overall data pipeline, initially. Then finally, you have to think about what actions am I gonna take against the insights I’ve gleaned? That’s where, again, we have with the NetWitness, these capabilities that enable our customers to do security orchestration, automation and response. We have also the capability within RSA Archer being able to do, again, workflow management across key incidents and really be able to tie that back to your overall security and risk posture.
Until the pieces of the puzzle really fit together nicely ñ because if I can take actions against the insights [00:10:00] that I’ve gleaned from the visibility I have, those actions come back in turn and allow me to reduce my risk. Now, one key piece of the puzzle in all that, and I think it’s a core piece, is run identity management. That’s really where you look at SecurID. It provides a critical component to how I think not just about risk, because initially you’ve got to think about who can access what, and that’s part of your risk posture. That’s where some of our governance and life cycle capabilities come into play. But more importantly, how do I take that data and feed it into the Security Operations Center? We have this nice integration between NetWitness and SecurID that’s called Threat Aware Authentication that enables the Security Operations Center to see what’s happening with respect to different identities.
Then finally, you have the NetWitness and Archer, the capability of being able to look at incidents, being able to analyze them, and take that risk-driven view from the onset. The nice thing is that each of these pieces fits together very nicely with the others. But I think more importantly, the way I look at RSA and our unique value proposition is that no matter what company you are, no matter what you do, you are at some point on your security journey. You’re at some stage of your security journey. I like to think that RSA is the one company you can always come to that will help you get to the next step of that journey, whatever that next step happens to be for you, and what’s right for you at that moment in time.
We’ve continued to build a legacy in the post-covid-19 era. I think one area that’s enabled us to be successful, and I think it’s something I would tell to every customer out there and really, every prospect, is that when you think about your vendors, think about the ones who you want to form a trusted relationship, a trusted partnership with. Don’t think about it in terms of transactional capabilities. Don’t just think about it in terms of ‘I want to buy this and be done’ because we’ve seen more than ever this ñ the idea of a partnership becomes even more critical when the times get tough. Who’s gonna be there by your side? Who’s the only one that’s been there by your side for forty years? That answer is RSA.
PAUL: It’s interesting; you said that businesses in general need to disrupt themselves and be prepared to identify and orient themselves and take advantage of changes in markets and changes in demand. I don’t know if you could find a market where that’s more true than information security over the last thirty years. I know you’ve been in a number of different companies and so you’ve seen this as well. It’s just that continually that the rate of flux and change in information security is just breathtaking. That said, RSA is in this area of ñ I mean, if we were to boil it down, kind of secure identity that has only become more important, I’d say, in the last thirty years. Particularly now, we really talk about with Cloud and as ñ in the past few months, the shift to work from home, identity is kind of the new perimeter, right? Your corporate perimeter is thousands of home offices, potentially. Talk just a little bit, if you could, how the challenge of securing identity has changed even just in the past decade and how you see that story evolving going forward.
ZULFIKAR: At a fundamental level in the digital world, your digital identity is everything. It’s really ultimately how you interact with everybody around you in a virtual setting. We see the stakes go up tremendously. I think at the same time we’ve also seen a world where people are recognizing that hey, passwords are really annoying, right? It’s one thing if I had a few to memorize, and all of a sudden now people have hundreds and hundreds of passwords. I think I did the last check ñ I can’t remember now the last time I checked, but even a couple of years ago when I did the last count, it was over a few hundred passwords that I had to keep track of. Already, we’re seeing this traditional approach to authentication break down. A lot of our focus has been on how do we reduce the friction in the user experience? We make identity something seamless. How do we make it so that it resembles what’s going on in the real world?
When I see you in the real world, Paul, I ñ the first thing I say is not ‘can you give me your driver’s license and your code?’ I recognize you, right? I may apply certain attributes and say, that’s Paul and we’re supposed to meet at this time, and that’s how I know it’s really you. Yet, in the digital world, we don’t apply those same principles. In the digital world, we have this whole complicated ceremony of credential exchange and key exchange and so on to establish identities. I think there’s a lot of interesting opportunity for us to take what we’ve learned in the physical world and make it apply more readily to the digital world. We’ve invested in thinking about things like a risk engine for authentication which has been a big area for RSA over the last few years. But I actually see this changing in many ways.
Today, people have devices like smart phones which can store credentials and can store a soft token application or they can store a cryptographic key. Again, you go back twenty to thirty years ago and there was no easy way for people to do that sort of thing. All of a sudden, smart phones have enabled us to do authentication and identity management in an entirely new way. I think what the future is is really starting with the identity ñ and you recognize it perfectly ñ it is in many ways and although it’s, honestly, a cliché: the identity is effectively the perimeter in the future world. In fact, even in today’s world I would [00:15:00] argue it’s already the perimeter.
Therefore, if it’s so important, if it’s the tip of the spear, we’ve got to make sure identity’s integrated into the overall security ecosystems. What we’ve been very focused on and invested heavily in is the idea of the identity-aware Security Operations Center. Can you bring in identity data into the Security Operations Center? This kind of goes with a broader notion that’s been called a XDR which is Extended Detection and Response. In my mind, the real goal of XDR is that you want to have visibility across all your key assets. That X could stand for anything; it could be network, it could be endpoint, Cloud, IoT, edge. But one thing that X should also be is identity because that’s really where everything ultimately falls down. That’s the common denominator across all these different areas.
PAUL: It’s another area where we’ve seen tremendous expansion, growth, and diversification within the information security space in recent years, threat intelligence companies. If you were to say kind of what is RSA’s unique value proposition around fraud and threat intelligence, and what role is that gonna play going forward given that it is very central to what security teams are interested in and investing in? How does RSA build on what it’s already…
ZULFIKAR: If you look in the current era with everybody going online, right, and you pointed out earlier that we are supplanting many of our physical interactions with digital ones; we’re doing a lot more online shopping, we are buying our groceries online and having them delivered, we’re doing telemedicine. As people go more and more online, we are absolutely seeing an increase in attempted fraud. It’s one of the sad realities of our industry is that we see a lot of the world’s most negative elements and some of the negative undercurrents that exist around us. It’s a sobering idea that there are threat actors out there that will look to exploit what’s going on. Where we’ve really tried to shine is in a few areas; number one I think is in building out probably the most comprehensive fraud and risk intelligence capability in the world in terms of understanding what fraud is happening, how it’s being conducted, who the actors are involved in that fraud, and then so on and so forth. We definitely have a lot of very deep intelligence in those spaces.
I can’t comment too much on the level of that intelligence, but I can assure you it’s probably beyond what anybody else has in the world at this point. Even beyond that, I think a lot of that intelligence is not something you can just kind of ñ that’s not a field you can just jump into and suddenly have that insight. You have to have years of establishing yourself in underground communities and understanding where to look and what data to find. It’s in our software, that in-depth fraud and risk intelligence. We also were early adopters of using machine learning technology. People talk about machine learning like it’s this new thing and every startup is claiming like they’ve done it for the first time. RSA has had machine learning systems in production environments deployed successfully, providing value to customers for, I would say, a decade and a half at least. That’s quite a statement.
I’m not just talking about hey, I did some simple ñ I mean, these are real scenarios where we can show tangible value, real ROI for our customers using these techniques. That scenario that we’ve certainly continued to improve upon is the fraud landscape changes. We’ve found new ways of improving our ability to detect fraud. We’ve also been focusing on the idea of Omnichannel fraud. Before, fraud was ñ hey, I went to my bank’s website or I made a transaction online. Nowadays, people may be interacting in various capacities. My phone could be one channel. An ATM could be another channel. You can have yet a different channel if you have an IoT device making a transaction on your behalf which we’re seeing more and more of like your smart fridge ordering milk for you which is a phenomenal example.
The world of transactions has changed at a fundamental level and we’ve been there alongside with the changes. I think to your point earlier around disrupting yourself, the reason about understanding where the world is going, recognizing there are moments of discontinuity and being able to ride those waves of discontinuity into the next era of that particular area, and we are absolutely seeing that in the context of online fraud detection. Some of that same intelligence can be applied more broadly into what’s going on internally for organizations. We do think that to a certain degree, we will see this convergence of identity between your external identity and your enterprise identity.
PAUL: [MUSIC] [00:20:00] Specifically related to RSA’s mission and technology and information security in general, what do you think the market’s gonna look like, and how’s RSA planning on turning lemons into lemonade as it were?
ZULFIKAR: I think the market is ripe for opportunities right now. Paul, to your point earlier, we are seeing a world in which spending on digital has gone up. As a fraction of that security spending has gone up, I think even more is a fraction of overall IT spent. I think we recognize today, more than ever, the stakes are incredibly high. One of the things I think that’s been inspiring to watch over the last few months is ñ RSA, as you know, it’s a well-known brand name. We’ve been around the industry for a long time and to see all of our customers come to us in their moment of need and say look, we need you to help us; we’ve got 5,000 people that we have to enable in our remote workforce. Actually, the biggest thing was 7,000 we got on a ñ we got a call on a Saturday saying can you enable 7,000 people to work remote by Monday? Talk about the challenge that that represents. But the fact that our customers trusted us to come to them in this time of need and that we were able to deliver in kind ñ and when we talk about these things, it’s not just an authenticator here or a SecurID token there.
You take a step further in and you look at the problems that our customers are trying to solve; many of these customers are solving incredibly important problems for society. They’re literally advancing human progress. They’re thinking about the future of the world. Some of them are working on vaccines, some of them are thinking about how to take care of patients in a covid-19 setting. Others are just working on these incredible areas. To be there and to help provide the trustworthiness, the capabilities they need to conduct their job most effectively allows us to effectively be a catalyst for human progress. There can be no deeper and more profound mission. Our ability to accelerate that mission in the new era where we can really focus on innovating key areas where we can be much more nimble, where we can respond to the needs of our customers, I mean, I can tell you that we are just ñ I can’t tell you how excited I am about that prospect.
I go back to the beginning and you talk ñ we started off this conversation around the beginning of RSA. It started off with three people, right; Rivest, Shamir, and Adelman. [MUSIC] The one thing that’s remained constant despite all the trials and tribulations, the acquisitions, the growth in different areas is that RSA continues to be eponymous with the three founders who really saw possibilities where others didn’t and who kept persevering in the face of tremendous odds when others would have quit long ago. That, to me, for our future, is gonna be the hallmark of the new RSA. It’s gonna be to continue that legacy of innovating in key areas, of finding key problems to solve, and to be relentless about trying to provide value for our customers in an era where it matters more than ever.
PAUL: Zulfikar Ramzan, Chief Technology Officer at RSA, thank you so much for coming on and speaking to us again on The Security Ledger Podcast.
ZULFIKAR: Absolutely a pleasure. Thank you so much, Paul.
PAUL: Zulfikar Ramzan is the Chief Technology Officer at RSA Security. He was here to talk to us this week about RSA’s re-emergence as an independent security technology company. You’ve been listening to a Spotlight edition of The Security Ledger Podcast, sponsored by RSA Security. RSA offers business-driven security solutions that provide organizations with a unified approach to managing digital risk that hinges on integrated visibility, automated insights, and coordinated actions. RSA solutions are designed to effectively detect and respond to advanced attacks, manage user access control, and reduce business risk, fraud, and cyber-crime. RSA protects millions of users around the world and helps more than 90% of the Fortune 500 companies thrive and continuously adapt to transformational change. For more information, visit rsa.com.
[END OF RECORDING]
Transcription by: www.leahtranscribes.com