On Wednesday, we mentioned that Cloud Computing security is the front-and-center focus of RSA 2010 and we took a look at the announcements from some of the biggest players. In this part of our RSA coverage, we’re bringing you announcements from some of the other innovative vendors.

First up, the company that won the “Innovation Sandbox” award, beating out 10 other finalists, is Altor Networks for their VF3.0 virtual firewall.[1] The VF3.0 virtual firewall brings traditional security services – such as policy enforcement, intrusion detection, and high-performance stateful inspection – to the virtual world and the cloud. It’s an interesting product and the tie-in to virtualization is top-of-mind for attendees; however, let’s not forget that the Innovation Sandbox focuses on entrepreneurial ventures, so post-acquisition players that are also developing and shipping firewalling solutions in the virtualization space (e.g. ThirdBrigade, recently acquired by Trend Micro) are de facto out of the running.

Web application firewalls are also moving into the cloud. Regensburg, Germany-based art of defence has a distributed web application firewall (hyperguard dWAF) that is architected in a modular fashion by separating the policy enforcement points and policy decision points. Back in November 2009, the company announced that hyperguard™ SaaS was available, via Amazon Machine Image (AMI), to the Amazon Web Services (AWS) Solution Providers Program. At RSA, the company announced continued expansion into the cloud with GoGrid, a global provider of hybrid cloud infrastructure. Web application security is by no means a solved problem, and having properly configured application-aware firewall protection in front of Web applications provides an often-needed layer of additional protection. It’s good to see providers like Amazon and GoGrid offering their customers cloud options for application protection. What will be interesting to watch is whether or not customers use these services and find them to be value adds.

Small business solutions

Patch management company Shavlik announced the beta availability of their IT.shavlik.com service offering. The service, targeted primarily at the SMB, extends the Software as a Service model to enterprise systems management by allowing IT administrators at smaller shops to collect asset inventory data, collect and centralize configuration and patch data for both physical and virtual devices, and itemize software deployed on hosts within their infrastructure. While these might seem like pretty familiar goals, Shavlik promises to accomplish this all without the use of a system agent, a significant limiting factor for deployment in traditional enterprise system management tools. Shavlik also announced SCUPdates™ – a methodology to publish application updates (e.g. Adobe, Apple) via Microsoft SCCM (System Center Configuration Manager), allowing non-Microsoft applications to follow the same update workflow as Microsoft applications.

Agiliance announced RiskVision 5.0, an update to their GRC platform. Included in the release are improved correlation and normalization for data from available security sources (scanners, patch management systems, control validation suites, etc.), updated response capability for prioritization and mitigation of threats and incidents, better reporting, and better risk assessment/scoring.

Wireless security

Motorola announced the Motorola AirDefense Infrastructure Management solution, a management tool designed to provide better management and visibility into existing WLAN deployments. The solution allows management of heterogeneous network devices via a single interface. The solution promises to be device-agnostic, allowing firms to gather compliance reports, generate trend data, and gather statistics in a normalized way. Given just how complex wireless infrastructures are in the field – due both to a history of rapidly-evolving wireless standards, as well as “commoditization” of wireless infrastructure components – we’ll be very interested to see whether this product will deliver on the promise. Better management on the wireless side of the house is something desperately needed.

Tokenization player nuBridges had two announcements – both about interoperability. First, they announced a tokenization standards group. End users who wish to “tokenize” data to control distribution of potentially sensitive data (e.g. credit card numbers, social security numbers, etc.) and potentially reduce the scope of compliance efforts find themselves “locked in” to a particular technology due to a lack of interoperability between tokenization providers. NuBridges’ move to create an industry standard might ultimately pay off in better usage for customers by allowing interchange of tokenized data. In addition, nuBridges announced a partner program to allow software and services providers that don’t currently offer tokenization functionality to their customers to integrate tokenization into their offerings through the use of nuBridges technology instead of building their own from scratch. This program is aimed at smaller service providers (for example, small and mid-tier acquirers and payment gateways) not currently offering tokenization services. Given the relatively large number of processors that currently offer tokenization (with no interoperability between them), we’re optimistic that these programs will help bring a level of transparency and interoperability.

Diana Kelley is Founder, Security Curve and Ed Moyle is Manager, CTG Security. They filed their report from the floor of the RSA Conference in San Francisco, CA.