Q&A: Ed Bellis on Web-based Business and Software Security

Dennis Fisher: Okay, welcome back to this CSO series podcast, also known
as Real World Security.  My guest today is
Ed Bellis, the CISO of Orbitz Worldwide, one the top travel sites in the
world.  Ed’s got a pretty broad range of
experience in the technology industry, having worked as a web architect at Ford
Motor Company, and a manager at Ernst & Young before getting into the
security world as a V.P.

Dennis Fisher: Okay, welcome back to this CSO series podcast, also known
as Real World Security.  My guest today is
Ed Bellis, the CISO of Orbitz Worldwide, one the top travel sites in the
world.  Ed’s got a pretty broad range of
experience in the technology industry, having worked as a web architect at Ford
Motor Company, and a manager at Ernst & Young before getting into the
security world as a V.P. in Bank of America’s information security
organization.  He’s been the CISO at
Orbitz for a little more than five years now, so we’re going to talk a lot
about the way that the CISO job has evolved in Ed’s time in the industry, and
the challenges associated with that job these days.

Before we
get started, Ed wanted to make sure that everybody knew that the opinions he
expresses in this podcast are his, and not those of his employer, Orbitz
Worldwide.  So keep that in mind. 

So Ed,
thanks for joining me on the podcast. 
I’m glad we finally found a time that works for both of us. 

Ed Bellis: Yeah, likewise, Dennis.  Thanks for having me.

Dennis Fisher: Alright, so let’s sort of start off at the
beginning.  How did you get into
security?  You were in the technology
industry.  Did you just think you know,
technology’s kind of fun, but what it really needs is, you know, some more
stress and hurdles?  And people calling
me at 4:00 in the morning with emergencies. 

Ed Bellis: Absolutely. 
I sat around one night thinking how – I was pondering on how I could
make my job more painful.  [Laughter]  No, so what I like most probably in this
field, it was somewhat by choice, somewhat I just kind of fell into it.  I’ve kind of been, as you said briefly in the
bio, I hit on a number of different areas within technology. 

I started
off my career like a lot of folks in the system admin role.  Specifically Unix system administration.  As the web came around, I started doing a lot
more on application developments – specifically web application developments,
and that led me – you mentioned my experience at Ford.  I was doing some web work within their W3
group there, and we ended up doing a number of different initiatives there, but
one of them was actually building some authentication and authorization
applications and infrastructure for all of their internet and external sites
around the world, and that’s where I really started dabbling quite a bit with
security doing some things with old app infrastructures and single sign-on and
things like that.  And then it progressed
from there, and I just kind of – I think by the time I reached Ernst &
Young, I was doing it fulltime. 

Dennis Fisher: Okay.  Yeah, it’s
interesting.  I covered the auto industry
back in the ‘90s, too, so I remember watching the automakers, especially the
big three, try and figure out what they were going to do with the
internet.  You know, whether they were
going to let like every dealer build their own website, whether they were going
to try and build it for the dealers.  How
all their authentication stuff was going to work in terms of like, you know –
because there’s a lot of communication that goes on between the dealers and the
factory in terms of like inventory and financing and all of that.  It must have been kind of a mess to deal
with.

Ed Bellis: Yeah. 
That’s probably an understatement, but yeah.  We were totally – I mean, it was all brand
new to us, so we didn’t even realize what we were getting into.  But I mean certainly after I ended up leaving
Ford, they actually ended up building a whole separate business out of just
their B-to-B exchange network where they
combined everything they were doing at Ford along with G.M. and Chrysler, and
created a separate company which was spun off that managed a lot of that for
them.  So it turned out to be a mess yes,
but a big business for somebody. 

Dennis Fisher: Oh, that’s right. 
They did.  And it was sort of an
online exchange for them and their suppliers and their partners and everybody.  Right? 

Ed Bellis: Absolutely. 

Dennis Fisher: Okay, so back in the ‘90s when you were first getting
into security, at that point it was kind of just network security.  You know, keeping people off your
network.  Things have obviously changed a
lot since then, but it’s – you know, the basic goal is kind of the same.  Which is, you know, keeping the sensitive data
safe.  How’s the practice of information
security changed in the time since you started til now? 

Ed Bellis: Sure.  For
one, I would say that it’s certainly received a lot more attention in the past
oh, five to ten years, than it did in the ‘90s. 
But I would say probably the biggest challenge and the biggest change
that I’ve been dealing with from a security standpoint over the last ten years,
it’s just that the pure size and complexity of everything.  We didn’t even – just taking my past 5 ½ or
so years at Orbitz and the amount of growth that we’ve gone through both
organically and by acquisition, we have ended up with a hodgepodge of different
brands and systems and applications and everything around the world.  And the complexity has increased, you know,
tenfold at least. 

And yes,
we’ve grown in terms of the number of resources that we have manning that, but
it doesn’t compare to the amount of complexity that you end up dealing
with.  So some of the things that we’ve
been working towards getting a better handle on is building in – I know a lot
of folks in my position are given the same things, where they’re looking at
their – you know, their development life cycle and how they can put security
into it, and we’ve moved from a traditional waterfall model – you know, several
years back, which most folks are not using agile.  We’re certainly no exception to that rule.  And how do we keep up with not only the
complexity, but the speed of which we push things out to production.

So you know,
if we’re pushing out different iterations and different builds on different
brands on different systems all across the world every single week, and we as
an information security team certainly don’t scale that well to keep up with
all that, how do we go about doing that? 

There’s been
a few initiatives.  One obviously just
some of the areas that we can inject security into the agile process through
the different iterations and stories, but also pushing those security tests up
further into the life cycle, trying to reach all the way up to the developers
rather than – I would say, you know, six, seven years ago you were talking
about testing well after something meets the productions to now hopefully
catching it so that, at the very least, within the QA environments. 

Dennis Fisher: Right. 

Ed Bellis: So I’ve been pushing.  In fact, the talk that I gave at _____ D.C.
recently was talking about using SCAP, which is the Security Content Automation
Protocol.

Dennis Fisher: Right.

Ed Bellis: And the whole point about that is it’s a
collection of standards that help you automate a lot of the – I don’t want to
say the mundane tasks, but the ones that are certainly automatable if that’s a
word.  I’m sure it’s not.  [Laughter]  So that you can focus and scale your team on
the more strategic initiatives within your company.  And that’s really the only way a business
like ours can continue to grow and keep up with the demands of a security
team. 

Dennis Fisher: I mean obviously your business is pretty much entirely
web-based, and you know, if things go wrong for your web applications, it’s an
enormous problem.  So how much – not
authority, but how much input do you as a security guy have with the
application developers?  You know,
because traditionally in a lot of organizations those two groups of people
don’t always get along all that well.  

Ed Bellis: Yeah. 
I’ve got to say that we’ve made an absolute ton of progress here.  One of the things I’ve talked about in the
past is actually developing a security satellite type team where you are –
you’re almost cherry picking individuals within development and within QA, and
within operations to kind of be your eyes and ears on the ground for
security.  And we brought in, you know, a
series of several development teams, and conducted secure code training on site
where we’re going through and showing them you know, not only all the issues,
but how to actually prevent these issues. 
How to fix the ones that are currently there.

Dennis Fisher: Yep. 

Ed Bellis: And it’s been really helpful.  I think you have to maintain a good
relationship.  As far as the amount of influence
we have, I’m not sure that we have any more or less than any other area of the
business, but that’s actually an improvement I would say over the past ten years
in security where you’re right, ten years ago you talk about security, more
than likely you’re talking about systems and network security and not much on
the application side. 

Dennis Fisher: Right, and it seems like you know, maybe at the beginning
of this decade, you know, eight or nine years ago before you started hearing a
lot about software security, it just – you know, most developers didn’t have
any kind of security background.  They
didn’t see it as part of their job. 
Maybe they figured that was – you know, security was something that you
addressed after the application was you know, developed and probably
deployed.  So that obviously made things
a lot more difficult, and it sounds like getting things started as early in the
process as possible has helped you guys out a lot.  

Ed Bellis: Oh, most definitely.  I would say it certainly – it’s an uphill
battle.  Right?  And it’s not just – I mean, you’ve got to get
everyone in the same mindset that yes, security is not only everyone’s job
because that’s quite the cliché, but it’s a piece, specifically when developing
web applications – it’s a piece of your job as much as a piece of it is of
performance.  Right?  You wouldn’t design or develop an application
that just performs so unbearably bad that no one’s going to be able to use the
sites or, you know.  The security bugs,
the tracking system, certainly gets as much if not more attention than a
function bug, or a performance bug or anything else.  So I think we’ve made a lot of progress in that
area.  Obviously we’re still working on
it.

Dennis Fisher: Sure.  Yeah, I
think everybody is.  You know, including
the big guys, too, who we all know.  So
in the last, you know, maybe three or four years, there’s been this huge
epidemic of data breeches.  There’s been
a lot of press attention about it, you know, both in the tech press and the
general press as well.  How’s that focus
changed the way that you have to do your job? 
Because I think that you guys had a laptop stolen about a year ago or
so, which isn’t – you know, the end of the world.  It didn’t turn out to be a gigantic incident
the way that some of these others have, but you know, were you able to use that
as sort of an object lesson, and say listen, you know, here’s why we really
need to be careful with this sensitive data. 
Take all these precautions.  You
know, all of that kind of thing.

Ed Bellis: Oh, absolutely. 
I will say that that particular incident turned out to be certainly
painful on my team, but also it was almost ironic about the timing, as we were
in the middle of deploying encryption on all of our laptops at the time, and
that particular laptop had not yet been hit. 
So that was – you know, had us all crying for several nights.

Dennis Fisher: Of course. 

Ed Bellis: The old adage that you know, an incident is
worth – I don’t even know what the old adage is, but the incident certainly
garners a lot of attention, both good and bad. 
But that is a lot – that does a lot to help the CSO in terms of
leveraging some of those projects to push some through.  That said, I mean, is laptop encryption –
should that be the number one priority for information security at Orbitz?  I would always argue no.  Right? 

In fact, you
could look at the number of incidents that happened, if you go through any of
the open databases and say, you know, there’s a whole lot associated with
laptop theft or laptop loss, or you know, a tape fell off the back of a truck
or something like that.  And yes, those
are definitely things that need to be considered.  We should do as much as possible to scope down
where data flows, and obviously you don’t want it to be on those types of
portable media devices.  But that doesn’t
necessarily mean that because that data was lost that that data was
compromised.  Right?  Whereas things like we’re talking about
unlike the web applications – you said it before.  That’s a business.  Right? 
That is our cash register, and if something goes wrong in the web
application, more than likely that is going to be a direct compromise of our
data. 

So yes, in a
very long-winded answer, it does help you promote that – those methods and
those remediation activities within your organization, but it’s not necessarily
focusing or prioritizing the right ones all the time. 

Dennis Fisher: That’s a good point. 
Yeah, because the stories you always see, you know, I’ve written them
myself –you always see, you know, there’s these paragraphs saying, you know,
had this data been encrypted you know, it wouldn’t have been such a big
problem.  And there’s some state laws
that make exceptions for encrypted data as well in these incidents.  But you’re right.  It’s not always the right focus.  But do you guys do any sort of security
awareness, user education type training for your user population around this
kind of stuff?

Ed Bellis: We do. 
Absolutely.  We do a couple of different
things.  We certainly provide some
general security awareness training, whether that be online or through
customized courses here.  And then we
actually go through and give more detailed in-depth security training for
specific areas of the business. 
Right?  So you may have something
much more general that’s training on information security policies, or proper
data handling, what to do with PII, et cetera, but then you’ll have specific
training for developers, specific training for QA staff, or for you know,
systems engineers that are much more geared towards how to go about doing their
particular tasks.  They tend to be a
little bit more technical in nature. 

Dennis Fisher: And do you feel like that has an effect?  I mean, for the people who maybe aren’t, you
know – security isn’t really a part of their job.  They’re just, you know, in marketing or
something, but they might have customer data on their laptop when they fly off to
San Francisco, or Dallas. 

Ed Bellis: Marketing means lots of training.  [Laughter]  Yeah, I think it has a – it does have some effects.  I think that those relying on security
awareness as their security controls are probably in for a harsh awakening if
there is such an organization out there. 
I think it prevents – how do I say this? 
It prevents the stupid?  [Laughter]  But it doesn’t by any means prevent the
accidents, and it certainly is not going to prevent the malicious. 

Dennis Fisher: That’s an excellent point.  Yeah, and so I mentioned compliance a little
bit earlier.  How much of your time these
days is spent on compliance as opposed to security?  Are they kind of one and the same for you
now? 

Ed Bellis: I wouldn’t say they’re one in the same, but we
have worked really hard to map out essentially – we’ve got a catalog of our own
security controls right within the organization, and we’ve created this catalog
based on what’s the right thing to do and how’s the best way to protect that
data.  And then mapping that back to the
compliance requirements.  Right? 

So I’ve had
this discussion with Mike Don and others before, but I mean I think it’s pretty
well known at this point that security – or compliance is not equal to
security, but security can usually equal compliance.  Now I say usually because there are certainly
some – we have seen especially on a global basis and talking specifically
within the European Union, there are areas where there’s conflicting compliance
requirements.  Right?  

Dennis Fisher: Yeah.

Ed Bellis: And you choose the less – either the lesser of
evils, or the risk that you’re willing to take, because at some point – SOX is
a great example of that.  Right?  Where Sarbanes-Oxley actually conflicts with
many of the privacy controls within the EU, or you know, if you’re doing
security and data monitoring, that affects some of the EU standards.  In fact, I know that they’re working on this
in the European Union where they’re talking about making it mandatory opt-in
for the use of any type of cookies on any websites I guess with EU residents.  So obviously that would have a huge impact.

Dennis Fisher: Yeah. 

Ed Bellis: I think they’re far from doing that now, but you
know, not terribly far. 

Dennis Fisher: That would be a huge change.  [Laughter]  I mean, I’m not sure how I’d feel about
that.  I mean, it seems like a great
idea, but at the same time, the challenges involved that seem large and hard to
get your head around it at first. 

Ed Bellis: Oh, absolutely. 
It’s a huge not only challenge, but it’s a huge change to the way almost
all the sites out on the internet are working today.  And not only that.  They could indirectly cause security
issues.  Right?  It could – I mean, I would certainly not
advocate this, but you could see a site going out there and saying okay, well
if you can’t use cookies, then we’re going to check things like session tokens
within the URL to get _____.  Well now
you’ve got a much bigger security problem all in the name of compliance. 

Dennis Fisher: Excellent point. 
Yeah, that’s – so it’s that sort of cascading effect that maybe isn’t
taken into account, especially by legislators who may not have a technical background. 

Ed Bellis: That’s a nice way of putting it.  Yes.  [Laughter] 

Dennis Fisher: We’ve seen a little bit of that in our country, too. 

Ed Bellis: Yes, indeed. 

Dennis Fisher: So just to kind of wrap things up, how are you feeling
about the general state of web security these days?  We’ve seen a lot of – you know, in the last
year or two these kind of really large scale sequel injection attacks against,
you know, legitimate websites.  It’s
happened to – it happened in the New York Times.  Theirs is a little different.  There was a malicious ad, but there’s been
some on Business Week, and other you know, legitimate very popular sites that
get, you know, compromised, and then their users get attacked.  And you know, the site owners may not know
about it for hours or days after it happens. 
So how are you – you know, what’s your general feeling on how things are
going these days?  Are we getting
better?  Are we on the right track?

Ed Bellis: Yes. 
We’re definitely getting better. 
I would say that’s another – we were talking how things have shifted
over the past five to ten years.  That is
one of the big shifts.  Not only a shift
to application security, but a shift from you know, attackers going after the
sites to attackers going after users of the sites or the application.  Right? 

Dennis Fisher: Yeah.

Ed Bellis: So where sequel injection was a problem before
because people were, you know, downloading the contents of your database,
they’re now using it to upload contents into your database so you can serve
that up to your users.  So that’s been a
big change, a big focus.  Just
referencing the Verizon data breach report, though, I would say if you just
looked at the stats in there, you would say if you were covering a lot of the
basics, that eliminates almost everybody that’s in that report. 

Dennis Fisher: Yeah.

Ed Bellis: So if you’re doing all of the basic things at
least through applications security, right? 
If you’re covering all the input and output validations and some of
that, you probably have eliminated, I don’t know, just rough guess 80-85% of
the attacks that ended up in breaches in that report. 

Dennis Fisher: Yeah, and I think somebody just said that in a – I think
it was somebody from the NSA that said that last week. 

Ed Bellis: Oh, I did not steal that from them.  [Laughter] 

Dennis Fisher: No.  We can take
that part out.  [Laughter] 

Ed Bellis: I’m sure they will.  They read Orbitz.  Right? 

Dennis Fisher: Right. 
Exactly.  Yes.  Yeah, it’s all on Echelon.  You don’t have to worry about any of
that.  [Laughter]  Alright.  Well Ed, thanks a lot for your time.  I appreciate it.  And hopefully we can do this again as things
go along, and there’s more.  There’s
always interesting stuff to talk about, there’s no question about that. 

Ed Bellis: Absolutely. 
Thanks for having me on, Dennis.

Dennis Fisher: Alright.  Take
care.

Ed Bellis: You, too. 
Bye. 

Dennis Fisher: Bye. 

Suggested articles