The 20th annual RSA Conference, which took place Feb. 14-18 in San Francisco, was a huge success this year. Over 20,000 practitioners, corporate buyers, and security vendors gathered to schmooze, sell their wares and talk security. This was definitely the most crowded and most upbeat RSA Conference I’ve seen in the past several years. Dare I say it even feels like the security industry is bouncing back from the 2008-2009 economic debacle.
Okay, enough happy-talk. Several key trends emerged as I attended lectures and walked the show floor:
Securing virtual environments, as well as those entities referred to as “internal and external clouds,” is a top priority for IT security management. The Cloud Security Alliance hosted a four-hour summit on Monday to provide roughly 1,000 attendees with timely and relevant education for secure cloud computing. Listening to members of the audience, it became clear to me that many organizations are grappling with migrating physical systems to virtual environments and trying to understand the security ramifications of doing so. In many cases, security models need to be rethought rather than simply retooled for use in virtual environments.
Many vendors have come forward with partial virtualization security solutions, but no one company has yet offered a comprehensive solution. Organizations need a clear security strategy that addresses the real risks of today and anticipates the developing risks of tomorrow. One solution that I like in particular is HyTrust Appliance by HyTrust (http://www.hytrust.com), a policy-driven security management solution for virtual environments. I spoke with Eric Chiu, HyTrust’s President and Founder, who explained that through the use of security policy metadata, the HyTrust solution can become a single point of security management across public and private clouds.
Enabling mobility through better mobile device, application and data management. Mobile security is becoming more and more important. (Incidentally, I have to give this one a big “It’s about time!” as I’ve been urging more complete mobile security measures for about 10 years now.)
This trend is being driven by a number of factors including faster mobile data networks and better devices. In particular, many organizations are currently grappling with the extension of consumer smartphones into the enterprise. Management platforms for devices, data, and applications are beginning to flood the market. Key elements to look for are monitoring and control, data loss prevention, encryption, VPN, anti-malware, and anti-spam. The big players in this space are the traditional AV guys like Trend Micro and Symantec; the mobile device management guys like Sybase and MobileIron; and the network security guys like Juniper and Cisco.
Encrypting data is becoming a standard practice. This one gets a big “Woo-hoo!” from those of us who have been urging organizations to encrypt sensitive, if not all, data both inside and outside of the corporate environment. Compliance is driving many of these implementations as companies need to demonstrate protection of data and chain-of-custody.
More and more encryption solutions are coming on the market for mobile devices as more and more data ends up on mobile devices. I spoke with Imation, which makes a line of encrypted external hard drives and USB flash drives that can use up to three-factor authentication. Of interest is their line of encrypted optical media — all of the software the client needs to access the encrypted data is saved on the media for easy distribution. Device control and DLP are beginning to converge with more extensive management platforms coming to market.
Identity-based security controls are growing in popularity. One reason for this trend: As more and more compute resources are offered through virtual machines on virtual networks, traditional physical security measures don’t work. Linking security policy to MAC or IP address isn’t quite the point anymore. Security policy needs to take place within a complete context of who wants access, what they want to access, when they want to access it, where they are, and which device they’re using. Virtualization, compliance, and mobility are driving the need for increased identity-based security policy and controls.
There was one thing that I failed to understand at RSA 2011: the press was barred from Bill Clinton’s final keynote speech on the last day of the conference. No explanation was given. There were rumors going around that denying media coverage was part of Clinton’s deal with the conference. Personally, I found it pretty strange that a former president (especially one as well liked as Bill Clinton) would be camera shy. Who knows, maybe it was a security issue?!? How ironic would that be!
Matt Sarrel is executive director of Sarrel Group, a technology product test lab, editorial services and consulting practice specializing in gathering and leveraging competitive intelligence. He has over 20 years of experience in IT and focuses on high-speed, large-scale networking, information security, and enterprise storage. Twitter: @msarrel.