In this podcast we have a company spotlight on Axway. John Thielens, Chief Security Officer for Axway speaks to us from Phoenix, Arizona to tell us more about what they provide and how they integrate their solutions into organisations.
Give us a bit of background on what services Axway was founded on.
Axway started in the business process integration space. We help companies address not really how to build applications but how to connect applications to their business partners and communities. Over the years we have grown by acquisitions, which gives us a very wide suite of products that enable these sorts of integration. In particular, we focus on governing the data flow that binds an organization to another organization, and that gives us a real focus on what it means to be at the edge of the enterprise and to help companies take ownership of that edge. Naturally there has been a lot of pressure as the technology landscape has evolved, which has really made it an exciting time for us to look at new styles of integration and to do quite a few innovative things around redefining the edge of the enterprise and adding security to it. As for my own background, I have been with the company for 17 years. I started with one of the companies that we acquired some years ago; my original background was as a developer and I have worked my way through product management. I have always had a focus on security and I have worked on some of our PKI infrastructure products. So now as Chief Security Officer I look after the security aspects of our product suite, in particular the way they get deployed to our customers in a secure fashion, which is a bit different from a security officer within one of our customer companies who looks after the internal aspects of that enterprise.
What are some of the main security threats or challenges that you have identified as needing particular focus amongst your clients?
When we talk of the edge of the enterprise, I think what these trends are doing is redefining the edge or in some cases even erasing the edge. I think we have in some way had to stop thinking about the classical enterprise boundary model where there is an inside and an outside. We have all these different approaches which have opened data flow channels into places where they didn’t exist before. So instead I think organisations need to focus on management domains or safe zone compliant areas where particular sets of policy apply, and then try to enforce some kind of filtering, management and visibility when data crosses those administrative boundaries. A great example would be the Payment Card Industry security standard, PCI. Any merchant that handles credit card transactions has to be compliant with the security practices related to the data around those payments, and they can be fairly strict and onerous, but you wouldn’t necessarily want to make your entire infrastructure comply with those requirements.
What are the tools for dealing with these controls that you recommend at Axway?
I think two main areas go beyond traditional network control. The first is taking a deeper look at what identity means. Of course security cannot really be divorced from identity, because the whole concept is “who” is doing what to “whom,” so we have to get a better grip on this “who”. There is no real push away from passwords to try to do more with maybe stronger potential technologies, and so we have products that fit into that strong credentialing space, but also a lot more with identity brokerage and federation. I know personally I have hundreds and hundreds of passwords and it is very difficult to keep track of those, and in an enterprise business context companies try to do more and more by leveraging their existing identity repository, and they can make the practices around managing those repositories stronger if they can get more leverage out of them. There are some new technologies that are emerging, also driven by the open API mobile world, that change the way we manage identity in applications, where you remove the identity management from the application itself. I should point out that the mobile world and also the cloud world are very heavily API driven.
Are businesses taking the sort of risks that you advise on seriously or have some been slower to adopt?
The way companies respond to security channels is based very much on their industry, and some types of businesses are heavily regulated and strongly influenced by their security position. You can think of financial institutions as maybe the leaders of that charge. There is also a curious inversion principle: what I have seen is that while financial institutions are very focused on security, it makes them not fast movers in terms of adoption of new technology. We see more innovation and rapid adoption of the new stuff with some of the younger, smaller companies, maybe in the retail or super space. Maybe they have less regulated infrastructure so they feel that they can move more quickly, but I also think that they don’t have the burden of such a large entrenched infrastructure and they are already naturally hybrid or ‘cloudy’ in their approach, and therefore that makes it easier for them to wire into new technology. Whereas, if you have a large existing infrastructure, you have to proceed a bit more carefully. Basically I think the awareness is there. Discussions around security are in the papers, in the news, in our face every day with the militarization of cyber warfare and attacks on corporates around the globe. Security really is part of everyday discussion.
What message or words of advice would you offer to businesses that may feel that they have security issues still to tackle?
I think the main message in security is of course that you are never finished; it is a topless mountain that you keep climbing, so you should never feel complacent, which is what makes you vulnerable. As for specific trends to focus on today, I would look at two things. One is to focus on the data: try to understand where the data is moving, and where and how. Don’t focus on the components of the infrastructure, the firewall, the network interfaces, but rather understand where the data comes from, why it is there, where it is going, how long it stays around, whether it needs to be archived and whether it needs to be rejected. That is the kind of inventory focus that will help you make the appropriate investment decision during that data. The second is to look at the evolution of technologies in the API, mobile and cloud space.
How do you focus on keeping security measures cost and resource efficient?
One of the tools for having a cost efficient approach to security is to really focus on your data, because not all data needs to be secured and treated the same. So if we can begin to apply appropriate security measures where they are needed, then I think that allows a lot more cost efficiency. Security is almost always a trade off, and there is a balance between usability and access, which may be part of driving your business forward, and the level of security and control that you have over that information. So the real cost may not be the cost of acquiring security software or security devices, or even the ongoing labour cost of maintaining and operating that investment; it may be the business opportunity cost if you close down a channel that is really meant to be open. It is absolutely not a one size fits all technology.