RSA Guide 2011: Key ThemesBy Mike Rothman
OMG, it’s 6 days and counting to the 2011 RSA Conference. Yes, they moved the schedule up a few months, so you now can look forward to spending Valentine’s Day with cretins like us, as opposed to your loved ones. Send thank-you notes to…
But on to more serious business. Last year we produced a pretty detailed Guide to the Conference and it was well received, so – gluttons for punishment that we are – we’re doing it again. This week we’ll be posting the Guide in pieces, and we will distribute the final assembled version on Friday so you can download it and get ready for the show. Without further ado, here is the key themes part of our Guide to RSA Conference 2011.
RSA Conference 2011: Key Themes
How many times have you shown up at the RSA Conference to see the hype machine fully engaged on a topic or two? Remember how 1999 was going to be the Year of PKI? And 2000. And 2001. And 2002. So what’s going to be news of the show this year? Here is a quick list of some key topics that will likely be top of mind at RSA, and why you should care.
Cloud Security – From Pre-K to Kindergarten
Last year you could count real cloud security experts on one hand… with a few fingers left over. This year you’ll see some real, practical solutions, but even more marketing abuse than last year. Cloud computing is clearly one of the major trends in enterprise technology, and woe unto the vendor that misses that boat. But we are only on the earliest edge of a change that will reshape our data centers, operations, and application design over the next 10 years. The number of people who truly understand cloud computing is small. And folks who really understand cloud computing security are almost as common as unicorns. Even fewer of them have actually implemented anything in production environments (something only one of our Securosis Contributors has done).
The big focus in cloud security these days is public Infrastructure as a Service offerings such as Amazon EC2 and Rackspace, due to increasing enterprise interest and the complexity of the models. But don’t think everyone is deploying all their sensitive applications in the cloud. Most of the bigger enterprises we talk with are only at the earliest stages of public Infrastructure as a Service (IaaS) projects, while a lot more use of “private clouds”. Medium-size and small organizations are actually more likely to jump into public cloud because they have less legacy infrastructure and complexity to deal with, and can realize the benefits more immediately (we’re sure glad we don’t need our own data center). It’s important to separate a trend from its current position on the maturity curve – cloud computing is far from being all hype, but we’re still early in the process.
Before hitting the show, we suggest you get a sense of what cloud projects your organization is looking at. We also recommend taking a look at the architectural section of the Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing and the Editorial Note on Risk on pages 9-11 (yes, Rich wrote this, and we still recommend you read it). On the security front, remember that design and architecture are your friends, and no tool can simply “make you secure” in the cloud, no matter what anyone claims.
For picking cloud sessions, we suggest you filter out the FUD from the meat. Skip over session descriptions that say things like, “will identify the risks of cloud computing” and look for those advertising reference architectures, case studies, and practical techniques (don’t worry, despite the weird titles, Rich includes those in his cloud presentation with Chris Hoff). With the lack of standardization among cloud providers, and even conflicting definitions among organizations as to what constitutes “the cloud”, it’s all too easy to avoid specifics and stick to generalities on stage and in marketing materials.
Cloud security is one of our technology areas, so we’ll cover specific things we think you’ll see later in this guide. We are also running the (sold-out) inaugural Cloud Security Alliance training class the Sunday before RSA, and Rich is moderating a panel on government cloud and speaking with the always-entertaining Chris Hoff on cloud security Friday.
The Economy Sucks Less – What now?
The last few years have been challenging. For one, success has involved keeping yourself and your team employed. It’s not like you had a lot of extra funds lying around, so many projects kept falling off the list. So you tried your best to do the minimum and sometimes didn’t even reach that low bar. Nice-to-have became not-gonna-happen.
But now it looks like things are starting to recover a bit. Global stock markets, which tend to look 6 months ahead, are expecting strong growth, and many of our conversations with end users (both large and small) tend to indicate a general optimism we haven’t seen in quite a while. To be clear, no one (certainly not us) expects the go-go days of the Internet bubble to return any time soon – unless you run a mobile games company. But we do think the economy will suck less in 2011, and that means you’ll need to start thinking about projects that have fallen off the plate. Such as:
- Perimeter renewal: Many organizations let the perimeter go a bit. So it’s overgrown, suboptimal, and not well positioned to do much against the next wave of application and targeted attacks. One project to consider might be an overhaul of your perimeter. Or at minimum, start moving to a different, more application-aware architecture to more effectively defend your networks. At RSAC, you’ll hear a lot about next generation firewalls, which really involve building rules based on application behavior rather than just ports and protocols. At the show, your job will be to determine what is real and what is marketing hyperbole. So challenge the vendors on the floor to actually show you how their policy engines work in the age of application awareness. Also chat with other users during the hallway track, to discern how many folks are deploying these boxes and what their experiences have been.
- Operationalization: When times are tough, the last thing you look to do is write a big check to automate a process that works well enough. Sure, you can always make the point that investing in tools and automation will save money in the long run. How’d that work out for you? So now that things are loosening up a bit, it may be time to restructure some management and operational processes that can be resource intensive. That means looking at vulnerability and configuration management tools. Look for those which leverage your existing processes, and pay attention to those offering ‘cloud’ hooks – laying down yet another heavy, hierarchical set of tools is no longer interesting.
- Secure applications: Given time to market constraints and budget realities, messing around with your application development process and embracing more secure practices fell off the table. Now may be the time to start checking out the integration the big companies (such as HP, IBM, and Oracle) have been working on since acquiring many of the innovative start-ups. Again, this is where the hallway track is critical, as many folks have had lots of fits and starts with secure development and should be more than willing to share war stories. In terms of sessions, target the examples (especially within the Peer2Peer program) which focus on practical case studies. Theory isn’t interesting – it’s time to get things done.
Leakage and Seepage – Breaches, Leaks, and APT
Between WikiLeaks, the Advanced Persistent Threat (China), Gawker, and all the post-WikiLeaks Distributed Denial of Service attacks, we can expect to see all too much FUD around breaches and the ever-nebulous “insider threat”. Some attacks are more sophisticated, but most of those were the result of plain old basic mistakes; and in the case of highly targeted situations like APT and WikiLeaks, all you can really do is try to contain and minimize, because you can’t eliminate the problem.
At RSA 2011 there won’t be any shortage of vendors claiming their tool would stop the latest fail-du-jour, or security pundits (yes, our somewhat-brethren) claiming you should have done it better (either the attack or the defense). And on the off chance you find a product brochure that doesn’t mention the insider threat, odds are you should buy whatever they are selling. We expect the Moscone cafes to be serving lots of hyperbole sandwiches.
Security failures are an unavoidable fact of life – especially in large organizations with complex infrastructures. Yes, blocking USB sticks and CD/DVD drives would have made it harder to swipe all those State Department cables. But that doesn’t mean you have to go buy the latest tool, or that the leaker wouldn’t have found some other way to leak sensitive information. Data Loss Prevention is a great security tool, but it can’t stop all data leaks. No matter what the vendors claim on the floor.
As for APT, the term is now being used to advance so many different personal and corporate agendas that it’s nearly impossible to understand the real threat. So count on the vendors to try to ‘educate’ you on the dangers of these attackers and their products’ abilities to stop them. And try not to laugh too hard as they pitch. But let’s keep it real here: many of you may be the targets of advanced attackers with the time and resources to slice through your security defenses. In some cases, these attackers track back to China, making them real APT. Anyone hawking a solution to yesterday’s attacks, APT or otherwise, is missing the point of a persistent, resource-rich, patient, and innovative attacker.
But as important as it is to slice through the hype, we also need to recognize that there really are some very serious directed attacks – including APT, advanced financial attacks, and others – as well as run-of-the mill security breaches. You can’t stop everything so you need the ability to detect and investigate attacks as quickly as possible – we call this “React Faster and Better”. Spend some time at the show checking out the folks doing full packet capture and forensic data collection, which won’t help stop the attack but will help understand what happened much more quickly.
Compliance – the World According to PCI
Compliance remains the cornerstone of vendor marketing and sales collateral. Why? Simply because most security products and services are funded with compliance dollars. Also enduring in 2011 is security professionals’ love/hate relationship with compliance. They still generally view security as the most important task, but being secure for its own sake must take a back seat to compliance. We know being compliant is not the same as being secure, but fortunately compliance and security are on parallel missions, and security tool vendors provide enough flexibility in their products to accomplish multiple goals – if you choose to leverage them in that way.
What’s different this year is the amount of hype surrounding compliance. There is no new shiny compliance object for all the vendors to tout this year. So you will not see 15 new regulations you are ‘mandated’ to address, nor hear about the billions of dollars you will save – as demonstrated in bogus use cases. Despite the rash of late 2010 data breaches, overall breaches are down, and the shrill hype is giving way to predictable business operations management. Most companies have been dealing with PCI, Sarbanes-Oxley and – for those selling into government – FISMA for a few years now. The maturity of the space has thankfully reduced the rhetoric, and now that customers have a handle on what they need to achieve compliance, they are looking for ways to do it cheaper, faster, and easier. So we expect many vendors to focus on how their tools and technologies integrate into compliance and operations management tools and streamline your daily work.
As far as trends in the compliance space, the Payment Card Industry Data Security Standard (PCI-DSS) remains the gorilla of mandates. Despite the glacially slow progression of this standard itself (codified in its new 3-year cycle), there is a steady increase in the number of merchants following the PCI Council’s guidance. Go figure. Some because they are forced to by their payment providers (who service thousands of other merchants), some required thanks to the number of transactions they process yearly, and others simply worried about associated risks. Sure, PCI isn’t perfect, but it has helped – regardless of what the haters say.
I Can Haz UR Mobile
There is no doubt you will hear a lot about mobile devices and your need to secure the iDevices at the show. There will be plenty of FUD and hyperbole bandied about because, well, as devices have become pervasive the risks have become real. Every vendor on the show floor will be happy to show you their cool iPad app, which allows you to manage their devices from a coffee shop. Like you’d do that. But the reality remains that there are precious few weaponized exploits you need to worry about – for now. And you won’t see groundbreaking research on new mobile attacks at RSA – but do check out BlackHat/DEFCON this summer for plenty.
So there is nothing to see here, right? Well, not quite. Your real focus at the show needs to be on how to manage these devices, and gain some leverage with your existing processes. With thousands of these smart phones and tablets permeating your environment, you need to figure out if a new management infrastructure is required, or if you can use some of your existing tools. And focus on the data protection aspects of mobile devices, because a 64gb iPad or iPod provides enough space to exfiltrate a significant portion of your intellectual property. Don’t forget to check into tactics for securing their network connections as well. See how your network security vendors are supporting smart phones with VPN clients and the like.
To be clear, you can’t stop these devices from connecting to your critical data. And you can’t control what your employees do with their own devices. But you can’t afford to stick your head in the sand and hope the problem goes away. It won’t. So spend some time at RSA figuring out who is doing what, and how those practices can be applied to your environment.