QandA: EMC Exec Lays Out Security Strategy

Fresh from a new push into security professional services, EMC's chief development officer Mark Lewis sheds light on the Hopkinton, Mass.-based storage giant's security strategy and explains how the company plans to integrate solution providers into its evolving storage security efforts in an interview with News Editor Steve Burke and Senior Editor Joseph F. Kovar.

CRN: A lot of small vendors are coming out with point solutions, such as encryption. Then you have Network Appliance acquiring Decru and Symantec merging with Veritas. Is part of EMC's push on security a reaction to what's happening in the market?

LEWIS: A lot of our motivation around security has been driven by large-company CIOs coming to us and saying, ‘We have more regulations coming our way around data security and information rights protections. We have more compliance needs than ever before.’ And the vulnerabilities are getting pointed out. So this is a very customer-driven thing.

In terms of response to competitors, I think we're going our own route. I think [NetApp's acquisition of] Decru is interesting. Encryption will be a part of our portfolio. But we didn't consider that particular technology as strategic. I mean, you need it, but we're going to have encryption in lots of places. An appliance is a great place to put it early on.

But our core strategy is around secure information management. And the key word is management--how we manage security levels, how we protect the data end to end, how we protect the data at rest or the data in flight. So you'll see us invest much more in the management side, putting in AES or DES encryption.

CRN: How quickly will VARs be able to play with EMC in services, such as ILM, storage services or new security assessment services?

LEWIS: For existing capabilities, as a managed services-type of offering, that can be done today. [The] security assessment services are something that very early on will be a small practice for EMC to go out and help customers assess their security needs. In those types of areas, first, we want to build the capability and practice ourselves and make sure we are doing a good job delivering it, and then over time extend that as a credible practice to a wider set of partners.

CRN: How long will that take?LEWIS: It's probably more like 18 months out, in terms of the channel. The dates are flexible. But that's more than rough thinking.

CRN: How does EMC's security focus and the technology drive synchronize with EMC's channel strategy? How are you going to approach partners?

LEWIS: In everything we do, we seek to start out with investing in core technology to help customers. And then as we evolve that technology, we want to deliver it in a way that provides as simple a solution and as integratable a solution across as wide of a variety of markets as possible.

For EMC, or anybody at our size or scale, we have to do big things. We're a big company. We can't do little things. We need to do big things. But in doing big things, there are lots of individual customer needs, individual market needs. So as we look at the VAR community, this is the chance to take the big things that we do and go and provide that last mile of capability to deliver the right solution to the customer.

CRN: Has Symantec gotten any storage security synergy from Veritas?

LEWIS: Through talking to customers and research, we see this need for information-centric security. The things those customers are asking for are, how do you help manage and protect my information? And [the answer] is, provide rights management, key management, compliance, auditing, all the core things that surround the information. And that's what we're going to work to enable around the data itself.

Now if you [say] the existing foundation of products from Symantec and Veritas come together to form that capability, we would disagree. The principal product for Symantec has been antivirus and providing that wall of protection. The principal product for Veritas has been around backup. That's not the storage and security capability we're talking about.

CRN: How is it going differ? Is it a race where you think EMC can get there first?

LEWIS: I think that we have a core advantage because of the efforts we have with information life-cycle management [ILM]. We're already chartered by more companies than anybody else with protecting their information. We're already chartered with management of that information. We're already chartered very much with archiving and the business continuity of that information. I believe that building security on top of that framework is very important and valuable to customers. But it's not about antivirus. It's not about building firewalls. It's about surrounding the information with secure protection.

CRN: Is that an area where you see some acquisitions coming?LEWIS: Clearly, our security strategy involves developing in-house, partnering and acquisitions. That's as far as I'm going to go on the "a" word.

CRN: Do you think Veritas VARs under the Symantec umbrella will go down a different path than the way [EMC] approaches this problem? From the outside-in vs. inside-out perspective? From the firewall vs. vault perspective? Are they going to be out in the cold in terms of a good, solid storage infrastructure?

LEWIS: I think we have the ability to marry everything we're doing in data protection and storage in our arrays with security to provide better value. I would never say you don't need antivirus. But I would just say it's not as relevant to information security through securing the assets.

CRN: You look at what everybody's doing with security, particularly the VARs in the small- and midsize-business space. You've got guys who have grown up in the storage world and guys who have grown up in the security world. What's your advice to these guys?

LEWIS: Our message is that we believe that there's a whole new capability in security. It doesn't necessarily replace firewalls and VPNs and the outside-in protection people have looked to so far. But it is important and different. I believe customers are going to flip over and start looking at the inside-out idea of data protection. That is, how do I surround and protect the information first and in the best way? And then provide successive layers of protection.

I'll use a bank analogy. You're going to have cameras in the parking lot, but you can't stop people from parking. Or you're going to have big doors on the front, but you have to open the doors during the business day. You're going to have some security guards and what not. But you're going to put the money in a vault and rely on the vault to protect the money. The vault is the core thing that protects the asset.

For data right now, we've got good cameras in the parking lot and locks on the bank doors. But there's a pile of money sitting in the middle of the room. All we're saying is, don't get rid of the cameras, don't get rid of the doors. You need all that. Build a vault.

So, to the storage folks and storage VARs, we’d say, brush up on your understanding of security because it's going to be an important attribute. And to the security players, we'd say, here’s a great opportunity that's different from what's traditionally done today. And I think it's going to be very important.