The 2011 RSA Security Conference took place in San Francisco on Feb 14-18. It was a week filled with highly informative sessions, keynotes, townhalls, one-on-one meetings with vendors, the annual IDC Breakfast Panel, and multiple evening receptions. Here are my observations for those who were unable to attend this year's annual security geekfest. I won't be highlighting key vendor announcements in this blog, focusing instead on emerging themes and the attendees' sentiments.
RSA Conference 2011 focused on the following key themes:
(1) cloud computing,
(2) enterprise mobility and the consumerisation of IT,
Getting Smart About "The Cloud"
I have participated in and listened to discussions on how organisations can best address the security and compliance challenges posed by cloud computing. These are the data points that influenced my observations on the attendees' attitudes:
Although the overall tone of this year's conference is decidedly more optimistic, the attendees remain highly aware of the still fragile economic recovery.
I attended LegalTech NY 2011 two weeks ago, and at that event the enthusiasm for cloud computing was decidedly more restrained. There appeared to be more cloud detractors than cloud enthusiasts in that audience.
In a 2009 IDC survey of IT executives, concerns over security and compliance were often cited as major impediments to cloud computing adoption.
This year's RSA attendees recognise that the economics of cloud computing are too compelling to ignore. Rather than trying to slow the deployment of cloud services within their organisations, they appear to be looking for smart strategies. RSA attendees recognise that they cannot stop the business from adopting relatively new technologies like cloud computing, so they are focusing their energies on enabling secure and compliant adoption and deployment of these technologies. They discussed strategies, tools, and solutions that would allow them to drill down and understand how the risk and compliance profile of data, processes, and applications changes "in the cloud", as well as strategies for defining and managing policies, control objectives, technical controls, certifications, and audit activities for cloud computing.
In session after session across the cloud security, data security, hot topics, GRC, policy and government, and strategy and architecture tracks, attendees had ample opportunities to explore the multiple facets of risk and compliance around cloud computing. Overall, the sessions at RSA provided a venue for early adopters to share lessons and practical tips from their initial forays into the cloud.
The following are examples of practical tips from early adopters of cloud computing:
- Cloud consumers should demand to see the actual audit checklist and controls that the cloud service provider uses, rather than relying on the provider's summary attestation alone.
- Cloud consumers should understand what was checked, how it was checked, and what the auditors' report and findings say.
- Cloud consumers should evaluate how and when segmentation (data, application, network, storage, and compute) is enforced, paying special attention to the provisioning and deprovisioning of accounts, as well as user and application authentication.
- Portability and the cloud consumer's exit strategy (how data and workloads get back out of the provider) were also of great interest to this audience.
Cloud computing is also driving more organisations to recognise the dependencies and tradeoffs between storage operations and IT security.
First of all, I am happy to report that IT security, IT operations, and the legal/compliance functions finally found a topic they could agree on. I was pleasantly surprised to hear several IT security practitioners state this: "Pay attention to data retention. Don't keep data for far longer than what is mandated by law, legal obligations, and business requirements." Privacy, data protection directives, and confidentiality issues appear to be driving this shift.
Second, organisations that have made early forays into cloud-based services are cognizant of the tradeoff between availability on one side and data segregation and geo-location constraints on the other. Availability is typically addressed by data protection (such as backup and replication), capacity and resource planning, and provisioning services, while data segregation and geo-location constraints are driven primarily by privacy and data protection directives. Several consumers of cloud services stated that, in order to comply with regulator-mandated privacy and data segregation requirements, there have been instances where they accepted lower application uptime service assurance levels. For example, compute and storage capacity is provisioned from two facilities instead of four because the other two are located in "restricted regions", leaving less redundancy to absorb the loss of a site. The interplay between the economics of cloud services and the associated risk and compliance challenges is a complex exercise, but it is heartening to see organisations tackling these issues and sharing their lessons with the greater community.
IDC will explore the lessons learned and the evolving best practices for addressing governance, risk, and compliance in the cloud through the IDC Multiclient: Governance, Risk, and Compliance in the Cloud.
Enterprise mobility and the consumerisation of IT
It was pretty obvious that the days of centralised procurement of smart devices and productivity applications and services are quickly disappearing. As I strolled through the Expo Hall and session rooms in Moscone Center, I was not at all surprised by the number of tablet-toting attendees. It also seemed like every other exhibitor was giving away an iPad as a raffle prize. RSA attendees had strong opinions about the latest Android Trojan, tips for extracting passwords from lost or stolen iPhones, and mobile security solutions such as sandboxing and virtual desktops.
A handful of RSA attendees mentioned that they need to start planning for security and compliance beyond the traditional endpoints (laptops, desktops, servers), smart phones, and tablets. This small group notes that TVs, cars, and industrial machinery and equipment are increasingly equipped with sensors and are internet- or wifi-enabled, and that these non-traditional devices offer up new vectors for malicious attacks. At some point, their organisations will need to define security and compliance protocols for the wifi- and internet-enabled non-traditional devices and equipment that will be introduced into their corporate networks. This group views cloud computing as a potential tool for delivering these capabilities.
New technologies such as smart grids, smart mobile devices, and increasingly interconnected networks are compelling private industry and governments to seek out new ways to collaborate in addressing emerging cybersecurity threats.
There were some pretty serious heavyweights in this year's keynotes. William J. Lynn III, U.S. Deputy Secretary of Defense, presented on the evolution of cyberthreats and the US government's Cyber 3.0 strategy. Senior officials from the DHS, the White House, and key federal agencies participated in several panels to discuss, in depth, ways for government and private industry to address cybersecurity threats to critical infrastructure. I found it interesting that although attendees discussed privacy and Fourth Amendment rights (against unreasonable searches and seizures) in the context of cloud computing and mobile security, a discussion of privacy, civil liberties, and Fourth Amendment rights was notably absent from the cybersecurity keynotes and townhalls. It would have been useful to include a discussion of what technology vendors and organisations can do to ensure that existing privacy laws (such as the Electronic Communications Privacy Act) and pending privacy legislation keep up with technology developments.
Are technology vendors ready to help meet these challenges?
In reviewing my notes on the sessions, keynotes, and townhalls, it is pretty obvious that tackling the security and compliance challenges of emerging technologies in increasingly porous and virtual data center infrastructures will require organisations to have a better understanding of the dependencies across processes, data, users and system owners, applications, and the underlying compute, database, storage, and information management resources. "Situational awareness" and "context" were among the more frequently mentioned buzzwords at this year's event.
Today, there are a handful of solutions (primarily on-premise) positioned to address continuous controls monitoring and enhance "situational awareness". These solutions focus primarily on integrating a subset of point solutions (for example: SIEM + log management, change audit + log management + SIEM, IAM + SIEM, DLP + SIEM, and IAM + DLP combinations). However, automating and orchestrating risk management and security compliance activities across increasingly dynamic, porous, virtual, and mobile networks will require a deep understanding of the dependencies across activity logs, events, and configuration data from multiple systems. To achieve this, organisations need to:
- Break down existing functional silos, which we all know is easier said than done for many organisations.
- Normalise compliance data from multiple applications and systems to facilitate cross-functional analysis. Keep in mind that a single application alone can easily generate terabytes of activity and event logs. Real-time normalisation and analysis across multiple applications, and using the result to drive close-to-real-time risk management, enters the realm of "big data" and "streaming". To date, only a handful of vendors (EMC, IBM, and most recently HP via the Vertica acquisition) have "big data" analytics capabilities in their product portfolio.
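The normalisation step the bullet above calls for, as an added Python example that is not from the original post or from any vendor's product: it maps constructed sample records from three sources (an sshd syslog line, an IAM provisioning CSV export, and an application audit event in JSON) onto one common schema, then runs a cross-functional check that none of the three logs could raise on its own, a login that happens after the IAM system deprovisioned the account (the provisioning/deprovisioning concern from the cloud tips earlier). The sample records, field names, the CSV and JSON layouts, and the assumption that the syslog lines are from 2011 and in UTC are all mine.

```python
"""Normalise events from three constructed log sources into one schema and
correlate them. Added example; sample records and field names are invented."""
import json
import re
from datetime import datetime, timezone

# Constructed sample records (not captured from any real system).
SYSLOG_LINES = [
    "Feb 16 09:12:01 web01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "Feb 16 09:15:44 web01 sshd[2290]: Failed password for bob from 10.0.0.9 port 51100 ssh2",
    "Feb 16 09:20:10 web01 sshd[2301]: Accepted password for carol from 10.0.0.7 port 51200 ssh2",
    "Feb 16 09:21:00 web01 CRON[2310]: (root) CMD (run-parts /etc/cron.hourly)",  # not an auth event
]
IAM_CSV_LINES = [  # timestamp,source,user,action,outcome (hypothetical export format)
    "2011-02-16T09:00:00Z,iam,carol,deprovision,success",
    "2011-02-16T09:05:00Z,iam,dave,provision,success",
]
APP_JSON_LINES = [  # hypothetical application audit event; ts is epoch seconds
    '{"ts": 1297847400, "app": "billing", "user": "bob", "event": "login", "ok": false}',
]

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day> ?\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)

def event(ts, source, user, action, outcome, host=None, src_ip=None):
    """Common schema every source is mapped onto."""
    return {"ts": ts, "source": source, "user": user, "action": action,
            "outcome": outcome, "host": host, "src_ip": src_ip}

def normalise_syslog(line, year=2011):
    """sshd auth lines only; returns None for lines that are not auth events."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    # Classic syslog carries neither year nor zone; assume the given year and UTC.
    ts = datetime.strptime(f"{year} {m['mon']} {m['day'].strip()} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    outcome = "success" if m["result"] == "Accepted" else "failure"
    return event(ts, "sshd", m["user"], "login", outcome, host=m["host"], src_ip=m["ip"])

def normalise_iam(line):
    ts, source, user, action, outcome = line.strip().split(",")
    ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event(ts, source, user, action, outcome)

def normalise_app(line):
    rec = json.loads(line)
    ts = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
    return event(ts, rec["app"], rec["user"], rec["event"],
                 "success" if rec["ok"] else "failure")

def normalise_all(syslog_lines, iam_lines, app_lines):
    """Merge all sources into one time-ordered list of common-schema events."""
    events = [e for e in map(normalise_syslog, syslog_lines) if e is not None]
    events += [normalise_iam(l) for l in iam_lines]
    events += [normalise_app(l) for l in app_lines]
    events.sort(key=lambda e: e["ts"])
    return events

def logins_after_deprovision(events):
    """Cross-source check: a login (from any system) after IAM deprovisioned
    the account. Requires events sorted by timestamp."""
    cutoff = {}      # user -> time of successful deprovision
    findings = []
    for e in events:
        if e["source"] == "iam" and e["action"] == "deprovision" and e["outcome"] == "success":
            cutoff[e["user"]] = e["ts"]
        elif e["action"] == "login" and e["user"] in cutoff and e["ts"] > cutoff[e["user"]]:
            findings.append((e["user"], e["source"], e["ts"].isoformat(), e["outcome"]))
    return findings

def failed_login_counts(events):
    """Login failures per user across all sources, which no single log shows."""
    counts = {}
    for e in events:
        if e["action"] == "login" and e["outcome"] == "failure":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts

if __name__ == "__main__":
    evs = normalise_all(SYSLOG_LINES, IAM_CSV_LINES, APP_JSON_LINES)
    for e in evs:
        print(e["ts"].isoformat(), e["source"], e["user"], e["action"], e["outcome"])
    print("logins after deprovision:", logins_after_deprovision(evs))
    print("failed logins per user:", failed_login_counts(evs))
```

The point of the common schema is that both checks are written once against normalised fields rather than once per source; the awkward part in practice is the timestamp column, since classic syslog omits the year and the time zone, and a wrong zone assumption silently reorders events and breaks the "after deprovision" comparison. At terabyte volumes the same two functions would run over a stream rather than a sorted list, but the schema and the checks do not change.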
Overall, RSA Conference was very productive and highly educational.