In-Depth

An Interview With CA’s Ron Moritz

Head of eTrust security products discusses Security Command Center, threat management, and mainframe security

• By Stephen Swoyer
• 01/22/2003

In September 2002, Computer Associates Int’l Inc. (CA) tapped veteran independent security consultant Ron Moritz to head up its reorganized eTrust security products brand. Prior to joining CA as vice president of eTrust security solutions, Mr. Moritz managed his own security consulting company, Moritz Technology Corp., and also served as a vice-president and CTO with Symantec Corp. Before that, he worked with Finjan, an Israeli security software vendor.

Security Strategies spoke with Mr. Moritz about CA’s eTrust product reorganization and its forthcoming eTrust Security Command Center, as well as about key focus areas of CA’s security practice.

SWOYER: You announced a major product reorganization in September 2002.

MORITZ: Yes. One of the things that we’ve found somewhat difficult is that if you have to sit there and list 18 different products for customers, it gets confusing. So instead, we draw them a picture with three different overlapping circles, and we group all of our products in one [circle] or another. So now we say that we play in the identity management space, in the access management space or in the threat management space.

SWOYER: As you’ve mentioned, you market a lot of security products, for a lot of different platforms—from anti-virus software on the desktop to Top Secret in the mainframe back-end. How do you tie all of them together?

MORITZ: We’re actually building a Security Command Center [eTrust Security Command Center] so that we can provide management infrastructure around security, in effect, doing what we did 10 years ago for systems management, and providing a unified command center for security management.

SWOYER: Tell us about Security Command Center. Is it a standalone product or does it exploit CA’s existing point products?

MORITZ: [Command Center] is designed to manage our own products, to collect and manage and isolate data from our own products, but also to collect and manage and isolate data from other products as well. [When it ships, Command Center will boast integration with CheckPoint Software’s VPN and firewall software.] We do not make the assumption that the enterprises that we service use CA products exclusively, so we work aggressively with customers … to give them the tools that they need to manage what they have in their environments. So there’s the possibility that we could even support products that compete with our own.

SWOYER: Will it require Unicenter?

MORITZ: No.

SWOYER: When will Command Center ship?

MORITZ: We released a [Command Center beta] in [early] December, and we expect to ship it sometime this quarter.

SWOYER: Security management aside, what’s another big security focus area for CA?

MORITZ: The threat bubble. We tend to invest in threat management not because we can derive value or there’s a real ROI that we can show, but we invest in threat because it’s the right thing to do. We have to take steps to protect our users.

SWOYER: What do you mean when you talk about threat management? What products or technologies are involved?

MORITZ: We typically think of threat in terms of anti-virus, auditing, and policy management [software]. The threat family at CA includes a very strong anti-virus capability—we have two distinct anti-virus engines or technologies inside of the product—and we’re the only company that provides virus signatures for the life of the product, so as long as you own the product, you’ll receive updates.

We also have a very strong product called eTrust Audit, which is in effect a forensics tool, it helps you to understand what events are happening across your enterprise, so you can look at system logs, firewall logs. That audit component is a core part of our Security Command Center, too, because you’ve got to have data aggregated in a single place in order to derive intelligence from that data. Again, we can’t assume that enterprises are using CA products exclusively, so we have to work aggressively with customers to develop audit reporters that draw data out of the various applications and OSes.

The last piece is Policy Compliance Manager (PCM), because when you’re thinking about enterprise security, you’re really thinking about policy management, about defining a good practice and then making sure that that policy is being adhered to, is in compliance.

SWOYER: You’ve described solutions that collect lots of data, and often enterprises are trying to collect as much data as possible. And this, of course, introduces the problem of managing all of that data. How can a security vendor such as CA help an IT organization make sense of all of the data that an intrusion detection system (IDS), for example, collects?

MORITZ: It’s funny, because a smart organization will actually deploy multiple IDS sensors, and then the challenge becomes what do they do with all of this data? IDS today is something that people feel they need, but they’re struggling when it comes to actually leveraging the investment in IDS, because—like you used to try to do when you were in school—IDS delivers the heaviest report possible to the teacher, so to speak, and that is the challenge that corporations are finding when they deploy IDS.

I think that it’s a proponent [sic] of something that will be broader in the future, which is the whole secure content management space, which will include technologies like IDS, and vulnerability assessment, and anti-virus, and Spam-filtering, rather than seeing all of the point solutions and all of the individual approaches. So we are moving toward the next-generation product that encapsulates all of these in a single place. That’s what we’re aiming for with Security Command Center.

SWOYER: A question about mainframes and security: One rarely, for example, reads about exploits that successfully affect S/390, zSeries or other mainframe operating environments. Does this mean that mainframes simply aren’t as vulnerable as their Windows, Unix or Linux brethren?

MORITZ: Well, when you look at the way large enterprises actually deploy solutions, it is usually tiered. We’re almost to an n-tiered structure, so if you can visualize on the one side your Web services, front-ends to various applications and data, and then you have a set of firewalls and access control ports and barriers between those services. And then the next level, which could be MQSeries, and then another set of firewalls or services. And then at the tail end, these big IMS databases and applications, you’ve got a very complicated distribution environment. So security has to occur at multiple levels, and not just where the user touches the system, because it’s protecting the application servers, protecting MQSeries, protecting the back-end databases. But if you’re thinking about the problem of intrusions, one way to think about intrusions is who or what has access to services running on a given system? So it doesn’t matter how inherently secure the mainframe is, because if anything else in the environment is vulnerable, the information on your mainframe could be exposed.

CA in legacy security has been a very strong and dominant player. We obviously have the Top Secret and ACF2 technologies that run on mainframe, and we have a very strong distributed access control and access management solutions that really help you to lock down systems.