Establishing Digital Trust: Don't Sacrifice Security for Convenience
If 2009 was a lackluster year for security product sales, you certainly wouldnt know it from some of the vendors on the floor this year at the RSA® Conference in San Francisco. In contrast to last years show, attendance appears up both from delegates and vendors alike. However, things arent all rosy. A number of vendors opted not to rent space on the show floor citing economic concerns. Though RSA is not quite back to heyday levels from a few years ago, if this years show is any indication, the security industry is showing signs of life despite global economic setbacks.
So what is everyone here to learn about? Surprisingly, much of the attention of show attendees is not on completely new themes, but in re-examination of an existing topic that has been with us for some time now. Cloud computing, a logical conclusion of the increasing move to both off-premises and virtualized environments is of primary interest to both vendors and delegates here at the show. RSA President Art Coviello set the direction and tone of the official program with his well-attended cloud-focused keynote and its clear that interest in these topics has not waned in fact, if anything, its increased. And vendors are pushing this agenda pointedly as the cloud meme dominates the show floor.
For security practitioners, this is the opportunity to share security strategies with their peers and learn from others what they have found successful. For vendors, this move of customers to address security challenges related to the ever-expanding commoditization of computing resources, means they need to continue to refine their strategies (or adjust existing messages) to appeal to these potential customers. And clearly theres plenty of room for innovation as evidenced by announcements from the vendor community. So lets get to the news from the big vendors:
Send in the clouds
In a joint announcement, RSA, VMware, and Intel unveiled a proof of concept for a control framework designed to expand security in a cloud-centric world; by establishing a secure root of trust using Intel® Trusted Execution Technology (TXT), controls are applied at the lowest levels of the platform from boot time and propagate all the way up to allow protection of higher level services. VMware and RSA software leverage this initial trusted context to establish finer-grained control of services, increased assurance in software being run on the device, and greater visibility into security systems. Recently acquired by RSA, the Archer compliance suite completes the picture by monitoring the status of security controls and providing a management-level, compliance-centric view to put those controls in context. The vision is intriguing, though it does require use of the latest Intel chips. Many companies are on a three- to four-year hardware refresh cycle, so it may be years before they can take advantage of this functionality. On the other hand, since this is just a vision announcement, it remains to be seen how much of it will ever reach the light of day. Well be watching this one as it develops over the next few months and years.
In line with customer focus on the cloud, Cisco announced their Security Without Borders (Cisco® Secure Borderless Network) that provides a framework for mobile workforce personnel to securely connect to services distributed across the globe, such as video conferencing, high-bandwidth collaboration, or other services to facilitate mobility using endpoint, network, and cloud security. The big news here is that the Cisco AnyConnect Secure Mobility Client can manage secure stateful sessions across device and network. In other words, you can start a WebEx conference on your iPhone over 3G and transfer, without interruption and with the same security policies, the call to your Windows laptop using a local Wi-Fi connection. To enforce and deliver the policy management, Cisco is leveraging the Cisco IronPort S-Series Web Security Appliance and the Cisco Adaptive Security Appliance firewall. Looking forward, Cisco plans to integrate cloud security by leveraging newer additions to the portfolio (e.g. ScanSafe) to facilitate increasingly complex mobile usage scenarios. Availability for the AnyConnect Secure Mobility Client was announced for Q2 2010.
Secure e-medicine and telehealth
Symantec announced a platform for medical image archiving and storage, a healthcare-targeted service that allows healthcare providers to securely host, archive, and share image data; the large data sizes in question, the duration for which the data must be maintained, coupled with the inherent sensitivity of the data can be quite challenging for organizations, such as hospitals that may be operating on a careful budget. Symantec also announced Symantec Data Insight allowing customers to get a better handle on data within their organizations and how its used of critical import when data might be shared outside the organization, potentially exchanged with partners, or re-homed to a shared storage infrastructure.
Big blue clouds
IBM had their own input to cloud security they announced a suite of products that are all designed to move focus from securing assets to securing critical services. IBM is betting that organizations will increasingly move from an asset-centric view of their environment to a service-oriented view (such as occurs in, you guessed it, cloud computing) and has used a service-oriented metaphor for describing those products and services.
Talking to delegates here, the cloud message is resonating with attendees. And solutions that help secure the data no matter where it resides (be it smartphone, netbook, or on a server in the private cloud) are of interest to the security community. The announcements from the vendors reflect solutions that meet that interest. However, some folks might find the discussion old hat, trite, or losing appeal. For the administrators and security practitioners on the front lines, however, data is on the move and headed into the cloud so theyre squarely focused on this problem in response to the needs of their business. Where customer focus is, thats where the focus of the vendors is, as well. And this year, for the big guys, its all about the cloud.
What are the smaller and up and coming vendors unveiling here at RSA? Read the second part of the show report here.
Diana Kelley is Founder, Security Curve and Ed Moyle is Manager, CTG Security. They filed their report from the floor of the RSA Conference in San Francisco, CA.