RSA Conference Guide 2013: Data SecurityBy Rich
Between WikiLeaks imploding, the LulzSec crew going to jail, and APT becoming business as usual, you might think data security was just so 2011, but the war isn’t over yet.
Throughout 2012 we saw data security slowly moving deeper into the market, driven largely by mobile and cloud adoption. And slow is the name of the game – with two of our trends continuing from last year, and fewer major shifts than we have seen in some other years. You might mistake this for maturity, but it is more a factor of the longer buying cycles (9 to 18 months on average) we see for data security tools. Not counting the post-breach panic buys, of course.
Cloud. Again. ‘Nuff Said?
Yes, rumor is strong that enterprises are only using private cloud – but it’s wrong. And yes, cloud will be splattered on every booth like a henchman in the new Aaarnoold movies (he’s back). And yes, we wrote about this in last year’s guide. But some trends are here to stay, and we suspect securing cloud data will appear in this guide for at least another couple years.
The big push this year will be in three main areas – encrypting storage volumes for Infrastructure as a Service; a bit of encryption for Dropbox, Box.net, and similar cloud storage; and proxy encryption for Software as a Service. You will also see a few security vendors pop off their own versions of Dropbox/Box.net, touting their encryption features.
The products for IaaS (public and private) data protection are somewhat mature – many are extensions of existing encryption tools. The main thing to keep in mind is that, in a public cloud, you can’t really encrypt boot volumes yet so you need to dig in and understand your application architecture and where data is exposed before you can decide between options. And don’t get hung up on FIPS certification if you don’t need FIPS, or will you limit your options excessively.
As for file sharing, mobile is the name of the game. If you don’t have an iOS app, your Dropbox/Box/whatever solution/replacement is deader than Ishtar II: The Musical. We will get back to this one in a moment.
There are three key things to look for when evaluating cloud encryption. First, is it manageable? The cloud is a much more dynamic environment than old-school infrastructure, and even if you aren’t exercising these elastic on-demand capabilities today, your developers will tomorrow. Can it enable you keep track of thousands of keys (or more), changing constantly? Is everything logged for those pesky auditors? Second, will it keep up as you change? If you adopt a SaaS encryption proxy, will your encryption hamper upgrades from your SaaS provider? Will your Dropbox encryption enable or hamper employee workflows?
Finally, can it keep up with the elasticity of the cloud? If, for example, you have hundreds of instances connecting to a key manager, does it support enough network sockets to handle a distributed deployment?
If encryption gets in the way, you know what will happen.
Is that my data in your pocket?
BYOD is here to stay, as we discussed in the Key Themes post, which means all those mobile devices you hate to admit are totally awesome will be around for a while. The vendors are actually lagging a bit here – our research shows that no-one has really nailed what customers want from mobile data protection.
This has never stopped a marketing team in the history of the Universe. And we don’t expect it to start now.
Data security for BYOD will be all over the show floor. From network filters, to Enterprise DRM, with everything in between. Heck, we see some MDM tools marketed under the banner of data security. Since most organizations we talk to have some sort of mobile/BYOD/consumerization support project in play, this won’t all be hype. Just mostly. There are two things to look for. First, as we mentioned in Key Themes, it helps to know how people plan to use mobile and personal devices in your workplace. Ideally you can offer them a secure path to do what they need to solve their business problems, because if you merely block they they will find ways around you.
Second, pay close attention to how the technology works. Do you need a captive network? What platforms does it support? How does it hook into the mobile OS? For example, we very often see features that work differently on different platforms, which has a major impact on enterprise effectiveness. When it comes to data security, the main components that seem to be working well are container/sandboxed apps using corporate data, cloud-enhanced DRM for inter-enterprise document sharing, and containerized messaging (email/calendar) apps. Encryption for Dropbox/Box.net/whatever is getting better, but you really need to understand whether and how it will fit your workflows (e.g., does it allow personal and corporate use of Dropbox?).
And vendors? Enough of supporting iOS and Windows only. You do realize that if someone is supporting iOS, odds are they have to deal with Macs, don’t you?
Shhh. Size does matter
Last year we warned you not to get Ha-duped, and good advice never dies. There will be no shortage of Big Data hype this year, and we will warn you about it continually throughout the guide. Some of it will be powering security with Big Data (which is actually pretty nifty), some of it will be about securing Big Data itself, and the rest will confuse Big Data with a good deal on 4tb hard drives.
Powering security with Big Data falls into other sections of this Guide, and isn’t necessarily about data security, so we’ll skip it for now. But securing Big Data itself is a tougher problem. Big Data platforms aren’t architected for security, and some even lacking effective access controls. Additionally, Big Data is inherently about collecting massive sets of heterogenous data for advanced analytics – it’s not like you could just encrypt a single column.
Our very own Adrian Lane wrote a great paper on big data security, which can help you get started if you haven’t dug into the platforms and options yet. We highly suggest you know what kind of Big Data your organization is working with before talking to vendors, as many of them use different definitions and vernacular. Large data repositories can generally be handled with existing strategies and technologies, but real Big Data requires different approaches for security, and some companies on the floor will not understand the difference – as savvy users will detect from their product offerings.
Access control and entitlement management aren’t boring anymore
They aren’t high on the hype scale but managing users, access rights, and entitlements around data (especially files) is growing again. So much so that we are adding an identity management section to the RSA Guide this year, but one area falls squarely under data security: file access controls.
Knowing who has access to what is a big problem in most organizations. Products that help discover and manage this are growing like gangbusters, as unfettered access to files appears on more and more audit deficiency lists. Executives are also still a little gunshy from some of the bigger data disclosures of the past couple years.
We don’t expect to see too much hype, but if you are interested in data security we strongly suggest you keep an eye out for tools that help manage and control file access on a combined enterprise/cloud scale. Rich wrote a white paper on one of these categories (FAM), and general feedback from real folks in the field is that entitlement management tools in particular can really help clean up various internal messes.
Stuff we wish you cared about
Here’s what you won’t see much of on the show floor: DLP and database security. They are still extremely important, but the show floor is a weird representation of what vendors think you will spend on, and their efforts to establish thought leadership for future opportunities. DLP and database security are moving into the productivity phase and out of the hype phase, which means this is the stuff enterprises are actually spending money on. Yes, now you see the idiocy of tracking market trends based on trade-show hype.
These markets still aren’t as nearly as large as many other areas of security, but the sales cycles are slow enough to affect innovation. Products are updating more incrementally, with fewer big bang features designed to get your attention. Largely because few customers are using the old big bang features, so there is little drive for major innovation. We don’t regards this as bad – some of these products got ahead of the market needs in the feature/function wars common to earlier less mature markets. In some ways it’s nice to see the feature bidding wars stabilize out as the markets mature.
Of course folks will be talking about DLP and DB Security at the show. But these technologies tend to be part of a larger stack offered by large security vendors. And we all know the barkers outside the booths will be enticing you with dreams of cloud and mobile more than DLP and DB Security, until deployments start pushing the edges again. If they ever do.
**Don’t forget to register for the Disaster Recovery Breakfast if you’ll be at the show on Thursday morning. Where else can you kick your hangover, start a new one, and talk shop with good folks in a hype-free zone? Nowhere, so make sure you join us… **