Live at the RSA Conference: an industry view March 2, 2010

Posted by jonathanpenn in news.

Update – Friday March 5 – Wrap-Up

The session was on how CISOs should be adapting to IT changes, and included Steve Munford, CEO of Sophos, and Sam Ghelfi, the Chief Information Security and Privacy Officer of Raymond James. The main topics of discussion were:

  1. Given staffing and budget pressures, and the heightened threat climate, we need to actively seek a way to spend less effort managing security technology, to allow us to devote more time to managing IT risk.
  2. How compliance has helped IT Security practices gain visibility, but the business views IT compliance as a check-box with little value beyond avoidance of fines. As Sam eloquently stated “Every time we’re talking with the business about compliance, we’re not talking about risk management.”
  3. Consumerization and the loss of control within IT and IT Security over the technologies and devices that businesses want to run.

Here’s a run-down of my meetings:

  • Lieberman Software. The privileged user management (PUM) vendor announced product and partnerships that provide visibility and control of IT administration in virtualization and cloud environments. No one else in the PUM space has done this, to my knowledge. I pressed Phil Lieberman for references, even of beta customers. No one is yet willing to talk, he said, but I will keep trying. Even off-the-record validation of this could be a significant move forward.
  • VeriSign. VeriSign just released some consumer data and findings around consumers’ trust in the Internet. Great stuff. More detailed than I’ve done in the past.
  • Novell. Novell is another company striving for the revolutionary when it comes to cloud security, embodied in its Intelligent Workforce Management strategy. Things I enjoy most about talking with Nick Nikols: (a) he’s intelligent, (b) as a former analyst himself, he really seeks to understand my perspective on the market – he doesn’t just look at me as a marketing tool, and (c) also because he’s a former analyst, I know I can’t get away with anything, so he really keeps me on my toes. Thanks, Nick!
  • AVG. Meeting with AVG was a delight: I find them fascinating, given how freeware is such a completely disruptive force in the consumer antimalware market, with no incumbent vendor seeming to be able to develop a strategy to adapt (hint: read my report).
  • Modulo. Modulo has had some impressive success, but remains under most people’s radar screen. Nonetheless, the whole GRC product market is one in dire need of evolution. Clearly, the message about more efficient controls management and insight is one that is not compelling enough. Hopefully, I’ll write more on that in a subsequent post.

Update – Thursday March 4, 10:40am – Where is everybody?

Just a quick note on the attendance and activity. The first day was actually quite busy and everyone was congratulating themselves on how robust and resilient the security industry is, and how important security must be to the business for so many security practitioners to show up. The sessions were nearly packed, and the exhibit floor was bustling – here’s what the show floor looked like even at 5pm on Tuesday.

Since that first day, however, there’s been a steady drop-off in attendance and activity on the show floor and outside the conference rooms. Maybe everyone is just meeting at hospitality suites, or conducting business at the W Hotel’s XYZ Bar. Yesterday’s sessions were pretty thin, and the floor activity was quite slow. Today, it’s looking like a conference that’s ready to wrap up.

Did everyone just come for the security swag? Were they expecting the beautiful San Francisco spring and were so disappointed by the rains that they just packed up and went home early (RSA: please go back to running this in April)? Whatever the reason, and whatever attendance numbers RSA may put out in the end, this conference is less active than last year’s in many respects. Attendees are also saying that they’re not really seeing or hearing anything new, either. The value and impact of the conference seems to have dipped again. I think many people limited their attendance to a day or a day and a half. I also think some of the activity is shifting to the social networking (the physical kind) that exists around the show’s periphery.

Update – Thursday March 4, 8:00am – Key conference themes

Major themes or topics of the show:

  1. Cloud security. Thankfully, much of this conversation is shifting away from what security is offered in the cloud (vendors’ delivery model), and people are now discussing how to secure the broader set of IT services that are moving to the cloud (i.e., IaaS, PaaS, and SaaS).
  2. Web 2.0 threats. These are both external (everything from Koobface to malware links showing up in blogs & Twitter streams to ) and internal (malicious or inadvertent disclosure of sensitive information in blogs, Twitter, LinkedIn, etc).
  3. Consumerization. A lot of talk about “Moving from IT security professionals saying ‘No’ to saying ‘Yes, but…’” when it comes to whether/how to allow devices and technologies that end users are bringing in or adopting on their own. Frankly, most CISOs I know aren’t in a position to say Yes or No…they aren’t asked; they are told that this stuff is coming in (or, more likely, they discover it by happenstance) and they just have to adapt.

Update – Wednesday March 3, 10:00am – AT&T breakfast session

The conference started early for me today, with an AT&T breakfast session led by AT&T VP Bill O’Hern, who didn’t discuss security, but instead focused on mobility and the growing capabilities of the smart phone. I expect AT&T to position more around what Bill referred to as “smart mobile computing”. The concept itself simply takes the mobility conversation a step further than we see at present: as smartphones reach functional parity with PCs, instead of trying to work in a world where we use both and need to synchronize seamlessly between the two, we can just work on the mobile platform and have a world without desktops and laptops. Naturally, we’d need better interfaces that we could plug our smartphones into (for a full keyboard and a big screen, e.g.), but that’s not much of an issue. And of course, Bill presented the notion of the entire data center moving to the cloud. The vision was interesting. Unlike Bill, I see this playing out in the 5-15 year timeframe, rather than the 2-5 year timeframe he placed it at.

But it did get me thinking that we have two different sides of the same trend around cloud. The first is that applications and IT infrastructure are moving out of the data center: in effect, pushing server environments into the cloud. This is slowly happening with IaaS, PaaS, SaaS, etc. The other side of the coin is that user mobility is moving workers outside the LAN and WAN – in effect coming into the organization through the cloud. So we’re getting pulled into the cloud from two angles. I don’t see either as happening rapidly, but looked at in combination it points to disruption and opportunity.

Update – Tuesday March 2, 6:30pm: Briefings, and a quick run of the floor

My afternoon was spent in back-to-back briefings with EMC/RSA and Cisco. Cisco was a deeper dive into the Secure Borderless Network strategy, which I discussed yesterday (below in this post). With EMC/RSA, we delved into security consulting — which I’ve mentioned before is a critical capability for any vendor wishing to be a strategic security partner to its customers. What I didn’t know was how well-developed EMC’s consulting practice is (not all security-related by any means): EMC reports having 2,200 consultants. I haven’t done the math yet to make a revenue guess, but having such relationships with so many customers is certainly a significant advantage, resulting in a deep understanding of their customers’ business strategy, IT strategy, and security strategy.

Update – Tuesday March 2, 2:30pm: Industry Analyst Roundtable

We just wrapped up our Industry Analyst panel with John Pescatore of Gartner and Chris Christiansen of IDC, hosted by Asheem Chandna of Greylock Partners, and we covered a lot of ground. For 3 analysts from 3 different firms, there was a surprising (perhaps disappointing, to some in the audience) amount of agreement. Among the topics we discussed:

1. The move to cloud/SaaS-based security is far stronger than just a reaction to budget and staffing pressures. There’s a significant shift happening as organizations outsource operational or discrete security functions. This mirrors our Forrester data, which shows strong enterprise interest across the board for managed security services.

2. The Aurora cyberattacks do not represent any significant new threat. But they do present an opportunity to educate executives on the existence, sophistication, and prevalence of cyber espionage.

3. Adoption of cloud services — the most talked about topic at the conference so far — represents some new considerations from a security perspective. However, the overall framework of security doesn’t need modification: simply apply what you already do to your own security environment and put requirements into the contracts. It’s not quite that simple, but cloud (IaaS and PaaS specifically) doesn’t require a complete rethinking of security…just more diligence. We all stated that solutions which secure the cloud are far more likely to be sold to cloud providers (who in turn offer them as classes of service) than to end user organizations directly. This will fundamentally shift the dynamic between security vendors and organizations: security solutions will be part of the cloud and adopted by providers, not something bolted on and left to end user organizations to integrate.

4. Compliance has been a double-edged sword for security. It’s helped fund projects that in general have improved our security postures. However, it hasn’t really elevated the value of security (at the end of the day, compliance is a check-box, after all) and it can often siphon funds away from other projects that provide more security value.

5. Consumerization is just one trend representing how IT is losing control of the corporate environment, and how that challenges IT Security to adapt.

There were some good questions from the audience delving deeper on managed security services (why do it? how do you measure the benefits?).

Update – Tuesday March 2, 9:00am: Art Coviello’s keynote

Just saw the keynote by Art Coviello, President, RSA. The focus was on securing the cloud. His main points were:

  1. Migration of IT to the cloud is inevitable. I totally agree with this, and see security merely as a temporary hurdle.
  2. That adoption of virtualization and cloud has implications on the relationship between IT Security and IT Ops, as the former focuses on governance and the latter on quality of service.

Both of these observations are spot on. The keynote wasn’t a place to announce how to secure the cloud, or what RSA is doing here to further the effort, but this is obviously where RSA (and VMware and EMC) are in a great position to develop leadership.

Monday March 1, 3:30pm: Cisco’s Secure Borderless Network strategy

I spent the first half of the afternoon with Cisco, which detailed elements of its Secure Borderless Network strategy. This looks like a very significant move, and a compelling direction, for Cisco. It attempts to make network connectivity and access far more seamless than it is today. However, one way the demonstration delivered seamlessness was to hide all aspects of security. Specifically, how Cisco handles identity issues. If Cisco relies solely on device-based identity and NAC, this is potentially troubling or at least limiting. How Cisco incorporates other forms of authentication – a promising area for partnership with authentication and credential management companies – is key to this being successful in the enterprise.

And corporate workers aren’t the only people using multiple devices from multiple locations to access data and services: there are some powerful opportunities for AnyConnect in the consumer space that Cisco doesn’t seem to have fully explored yet.

With this announcement, Cisco is also relying first on the IronPort appliance but also moving more towards reliance on cloud services (enabled by its acquisition of ScanSafe). This also marks a significant shift in Cisco security strategy away from a reliance purely on product, to offering its own managed/SaaS solution rather than providing products to service providers. Expect ScanSafe assets to serve as the foundation for more security policy enforcement moving forward.

This will fundamentally shift the dynamic between security vendors and organizations. Security solutions will be part of the cloud and adopted by providers, not something bolted on like a form of duct tape to connect organizations with cloud services.
