One of nature’s great migrations will take place once again next week as the IT security world makes its annual pilgrimage to the RSA Conference in San Francisco. (And yes, dear, it means Valentine’s Day spent with a buncha geeks and suits rather than you…go figure.) Herewith a glimpse of some of the main things I expect to see there – along with some of what I don’t:
All cloud, all the time: It will come as a surprise only to the dead that RSA will provide yet another opportunity for hype surfers to try and stay gnarly atop the crest of the cloud wave. No matter how relevant (or irrelevant) a given product may be to a service-based model or securing IT-as-a-service, you can expect that RSA, like any other major industry conference of late, will be your #1 source of the moment for a heapin’ helpin’ of pure, unadulterated cloud buzz.
But don’t let the hype factor make you forget that RSA remains one of the primary gathering spots for those focused on the real challenges of security in and for cloud computing. So caveat emptor and keep your bull sifter handy to improve the signal-to-noise ratio when you can.
Closing the threat gap…or at least trying to: I expect to see a continued acknowledgement this year of what doesn’t work, and what we (or at least, vendors) think we could do better. (Though a better approach to management itself ought to be right up there, it doesn’t have the sex appeal of terms like “advanced” and “persistent.”) Among other things, I expect to hear a lot more about service-based approaches to make the most of centralized expertise and large-scale analysis – in part to lighten burdens the security industry itself has created. This is the sort of thing I had in mind when I considered the rise of data-driven security tactics.
The continued advance of hosted security technology and security services: As the previous paragraph might suggest, I expect to hear more about both this year, thanks to the challenges of trying to keep up with more successful threats and the ongoing burdens of maintaining the security investment.
Although they have their intersections with cloud computing (not least in the liberal use of the C-word for branding purposes), hosted security technologies leverage what is typically a SaaS model to deliver a supplement, alternative or replacement for traditional security tools – regardless (in principle, anyway) of whether those tools protect on-premises IT or resources hosted by a third party.
It’s that latter aspect – third-party protection for another third party’s offering – where things are starting to get interesting. Security vendors are beginning to play their part in shaping a notion of “the intercloud” (or at this point anyway, mostly “inter-SaaS”) in hosted services that protect other hosted services. Identity and access management offers some interesting examples. New entrants (example: Okta) suggest that investors see this area as one of the more tangible – and achievable – objectives of security for “cloud” environments. More recently still, established vendors such as Blue Coat have introduced service-based offerings to protect Web resources no matter how or where hosted.
Managed and professional security services continue to gain ground as well, with recent moves such as Dell’s acquisition of SecureWorks extending the push of IT leaders into this market. I expect to see a lot more messaging around both hosted security technology and the expertise aspect of security services at RSA, irrespective (and to some extent, independent) of cloud buzz.
Security product convergence, particularly in the network: I commented on this recently here, so won’t go long on it now (except to say that “converged network” and “converged network security” are not necessarily exclusive of each other, as some have asked). Palo Alto Networks is a disruptor in this game, but so too is the Web-ifying of seemingly everything, and how that enables convergence between, e.g., message filtering and client-side Web security (see Websense’s announcement for a recent, RSA-priming example).
Mobility and “Smart” Endpoints (or What Should We Worry About?): The proliferation of smarter and/or cooler endpoints continues to be a concern for the enterprise. The big question is, what should we be worrying about when it comes to mobile systems and embedded intelligence?
Most of the ominous predictions regarding mobile device security in the past failed to materialize, in part because no uniform and consistent mobile attack surface providing direct entrée to sensitive enterprise information had yet arisen to replicate the Windows phenomenon. Today, personal devices are a lot more capable than those of the past and – supported by the ubiquity of Web technologies – are becoming a primary focus of application development generally. The endpoint, meanwhile, is undergoing something of a re-definition, as everyday things such as cars become “smart” systems, and physical infrastructure sees a greater integration of intelligence in non-traditional (from the IT point of view) endpoints.
Next week, I expect to hear a number of vendors talking about security priorities for mobile devices. What I do not yet expect to hear is any sort of consensus about what those priorities should be. Nor do I yet expect to hear a great deal about the increased penetration of intelligence embedded in the fabric of our everyday existence, and what that means for security management – with a couple of significant exceptions. (If you’re familiar with the IT security market, you won’t have to think very hard about who those exceptions would be – particularly if you picked up on the hints already dropped in this section like a pair of size 24 shoes. Likely more on this anon.)
Betting the Spread: Hoff does a great job of characterizing the “hamster sine wave of pain” (inspired by Andrew Jaquith’s sardonic insight into the “hamster wheel of pain”), which describes the phenomenon of IT security constantly moving, as Hoff describes it, “between host, application, information, user, and network-centric solutions to problems that adapt at a pace that far exceeds our ability to adjust to them let alone align to true business impact.” I’ll defer a larger discussion of this issue for the moment, since Hoff and others have expounded on it so well in just the last few days. I mention it, however, because every year I wonder which of any of the above segments we’ll see or hear more of at RSA, and what, if anything, it means for industry trends.
With the increased visibility of data breaches, for example, the industry responded with a DLP boomlet. Do the management limitations of cloud computing and mobility mean the industry will continue to move more toward security for information? Or more importantly, to the sort of transformation of our profession that seminal moments like the rise of cloud computing could precipitate, if we could but only seize the day? Or will we fail to take on the more challenging issues of security management beyond infrastructure, just because, like the shoeless man in a pile of fresh organic fertilizer, where we’re standing is warm, comfortable and familiar?
The Non-Cons: I’m encouraged by the rise of alternative cons in parallel with major events for those seeking another voice or another way to hear voices not always heard under the Big Top. I’m looking forward to BSidesSF this year, as well as what’s next from the security metrics community at Mini-Metricon 5.5, just to name two.
Two Decades of the RSA Conference: I also look forward to the 20th anniversary of an event that has come a long way from a smallish geekfest for the mathematically gifted to become the IT security industry’s primary vendor con. People make a conference, and nowhere is this more true than with the long-serving Sandra Toms LaPedis and her devoted crew of colleagues and volunteers that make this thing happen, every year.
Happy Anniversary Alice & Bob! I wish you a more romantic Valentine’s Day than I, for one, anticipate…