Blog posts tagged with 'rsa'
Looking back at the 2008 US RSA Security Conference, there was a tremendous amount of interaction, but not a readily apparent amount of innovation.
I spent the bulk of my time in meetings with customers, partners, press, and analysts. All seemed to echo the same sentiment - there's not any single "wow factor" at this year's RSA. But, that's not to say that there weren't hot topics, the two most obvious being DLP and Virtualization Security.
DLP
DLP, or Data Loss Prevention (also sometimes known as Data Leakage Prevention), is the capability to keep sensitive data from inadvertently leaving the organization. The concept and message around DLP are rather simple, but the architecture and management of DLP are where the difficulty comes into play.
When you consider all the sensitive data in most organizations, where it exists, and how it's used, you get a feel for just how big a problem DLP needs to address. In most organizations, data isn't even regularly classified and labeled as public or non-public information. And data has been over-distributed onto any media that can hold it (e.g. laptops, USB keys, iPods), often without any control. DLP technologies purport to get a handle on this problem and manage the access to and distribution of sensitive data.
On the surface, DLP seems like it's facing a really tough problem. And it is - if you're just trying to add controls to the existing model of data access and over-distribution. Looking at the problem with virtualization in your toolbox, though, can change your basic assumptions and bring you closer to the elusive goal of DLP.
Combining application virtualization and DLP allows authorized users to access a view of sensitive data, while providing additional context-sensitive controls around access to the data. As an example, a user in the office might be given the ability to use an application that houses sensitive data on their corporate managed device only after submitting strong credentials and passing necessary security checks. A policy would prohibit them from using the application in ways it does not allow, such as printing sensitive info. Because the DLP software is integrated with the application virtualization environment in the datacenter, the DLP software has full control over usage of sensitive data, and the data never leaves the datacenter. DLP can be much more effective when managed from the datacenter and the management of sensitive data on endpoints is eliminated from the equation. The same concept holds true for both application virtualization and desktop virtualization.
Virtualization Security
As the above DLP example shows, virtualization is stimulating innovative thoughts and challenging the status quo. There were many questions posed at RSA about upcoming client and desktop virtualization opportunities, in addition to current server virtualization security challenges.
On the server front, most of the discussions were around how network-level security objectives can be achieved in a virtual server environment. Organizations that have implemented server virtualization have watched as the proliferation of these environments has reduced security visibility for legacy network controls. The network folks want to know how to "see" into the virtual server environment, and how to control VM-to-VM communications. This is being accomplished for the most part through "security virtual appliances" or "security virtual machines" that duplicate physical network controls in the virtual realm. There appeared to be many vendors touting capabilities for scanning, IDS/IPS, and virtual firewalls with techniques borrowed from the physical realm.
The real breakthroughs appear to be just in front of us and will involve how we utilize virtual applications and desktops. The capability to virtualize and abstract for security isolation, as well as usability, appears to be driving real change. These changes promise to allow users' functionality to follow them anywhere, without cumbersome user configuration and management. And, with security policies built in, maintained and verified, we should see the trust models change for the better. Microsoft introduced some very interesting concepts and considerations around End-to-End Trust at the beginning of the show that extend well into virtualized client capabilities.
As the security industry matures, we'll probably witness less of a "wow" factor with each conference. But we'll all sleep a little better knowing we're getting closer to the goals of true security.
Several striking aspects:
- All presentations about security in a virtualized environment were mobbed. People were pretty angry when turned away at the doors of the presentation rooms, but fire marshal regulations prevented people from standing at the back. It appears this is the "next interesting thing" in security, and there is great curiosity. On the reality side, there were very few products / technologies for sale to address the potential issues. I believe there are a great many startup companies currently in stealth mode in this area.
- The days of radical and revolutionary change in security from the late '90s and early '00s are way over. The big vendors seem to be just pulling together "fix it all" suites as best they can through acquisitions.
- Michael Chertoff's presentation was a tad scary: he mentioned that government agency computers are all interconnected, and that security is not consistent across all agencies (some have 24/7 monitoring for security and some don't). This is bad for the obvious reason - just like in the movies, the bad guys can find an innocuous-looking, under-protected entrance and get to the agencies of interest. The other scary part was that Mr. Chertoff seemed to think 24/7 monitoring was the main thing. I'd tend to focus on preventative measures, vulnerability assessment, intrusion detection, user training, Identity and Access Management, strong authentication and other areas as well, but they were not mentioned.
- Bruce Schneier's presentation on security rationalization was provocative. He focused on the separation between reality, feelings and models by "experts" when it comes to assessing security risks. One example was the Tylenol scare, and it was successfully addressed from a commercial standpoint by adding hermetic seals to bottles. It made people feel better. The reality is that a syringe could inject poison pretty easily, but people feel better. He also introduced the notion of "security theatrics", where the media and security vendors exaggerate risks and cause people to feel bad when the reality just doesn't match. Interesting concept.
RSA Conference is growing: attendance was estimated at 17,000.