A Week at the RSA Conference
Last week was the biggest week of the year for players in the information security industry; the week of the RSA Security Conference. Twenty years ago, back when the World Wide Web was largely unheard of, email programs ran on the command line and internet access was a rarity outside academia and a few corners of the US government, RSA Data Security hosted a gathering of a handful of cryptographers and business people interested in cryptography to discuss the latest advances in computer security.
Since then that handful has grown into thousands of people attending the full conference events and tens of thousands more visiting the huge expo that fills the Moscone Convention Center in San Francisco. The conference has more than a dozen tracks that cover everything from practical talks on secure application development to the theory of cryptography, from the latest hacking threats to governance, risk and compliance, from panels of industry experts to talks about professional development in the field of security. It is without a doubt the number one IT security event of the year.
Since the RSA Conference is such an influential event and such a draw for people in the security business, it also offers a unique insight into what is going on in the security industry. The content of the expo is a weathervane for which way the industry is blowing and the content of the talks can be a barometer of the changes ahead. It is always interesting to see emerging trends in the business showing themselves first at the RSA Conference.
Trends
This year the most obvious trend was the maturation of Cloud Security. Two years ago “The Cloud” was only just starting to be discussed in the security business; at the RSA Conference in 2009 this manifested itself in the fact that almost every stand seemed to have had “CLOUD” hastily pasted onto its posters and presentations without much regard for what it meant for security. Last year the conference was filled with talk of how impossible the challenges of cloud security looked. This year we seem to have reached a turning point. The talks on cloud security were calmer and more considered. The vendors, rather than just using “cloud” as a marketing label, are starting to offer solutions that may still be incomplete but do offer tangible benefits to end users. Multiple vendors are offering useful security services both in the cloud and for the cloud. Cloud security is coming of age.
Another major trend that was visible both in the conference program and at the expo is the rise in Mobile Security. We’ve been talking about the need to secure mobile devices for a while, but in the last year or so there seems to have been a sea change in companies’ attitudes towards accepting end-user-owned devices into the corporate IT infrastructure. A few years ago many organisations would meet a request to allow a smartphone onto the network with a flat “No”. As Tunisia and Egypt have realised recently, you might get away with ignoring a handful of voices, but when thousands are demanding change it becomes hard to resist; once that happens you then have to work out just how you will handle that change. These days many, perhaps most, companies allow users to access their corporate email on their own devices, but it is clear that allowing this introduces a bunch of new security risks. Several talks discussed the problems raised by these changes and a few vendors are starting to offer some solutions in this space.
The last major trend that emerged among the talks at the conference was the rise of “Advanced Persistent Threats”, or “Advanced Targeted Attacks” as they increasingly seem to be called. Last year saw both the “Aurora” attacks against high-tech firms such as Google and Juniper and the “Stuxnet” worm that appears to have been targeting control systems for Iranian utility companies. These attacks differed from much of what had gone before in several respects but the combination of the highly targeted code, the use of multiple “zero-day” attacks and (especially in Stuxnet) the relatively high quality of the attack implementations really set them apart. They show every sign of having been created by well-organised teams with a mission in mind. Several talks and panels discussed how, in the face of such attacks, the key to defence was visibility and behavioural analysis. If you don’t know what the attack looks like in advance then it’s hard to detect through traditional traffic inspection. On the other hand if you can spot anomalous patterns of behaviour, either in your network or in the endpoints, then you can start to get a handle on what is going on. The key is to be able to correlate and analyse the huge amount of information that pours out of all of the systems that might be relevant. Down on the Expo floor many vendors were showing off their Security Information and Event Management systems, to help corporate security teams do exactly this.
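The detection approach the talks describe, baselining what a host normally does and then correlating deviations with events from a second log source, as an added Python example that is not code from the post or from Juniper. The flow and authentication log formats, the hostnames, the addresses and the thresholds are all constructed for illustration; a real SIEM would build the baseline over far more data and many more features than the three used here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "known-good" flow records (not from the page), one per line as
# "<iso-timestamp> <host> <destination-ip> <bytes>", used only to build the baseline.
BASELINE_FLOWS = [
    "2011-02-14T09:12:00 ws-101 203.0.113.10 4200",
    "2011-02-14T10:30:00 ws-101 203.0.113.10 5100",
    "2011-02-14T14:05:00 ws-101 198.51.100.7 3900",
    "2011-02-15T11:20:00 ws-101 198.51.100.7 4400",
    "2011-02-14T09:40:00 ws-202 203.0.113.10 2800",
    "2011-02-15T11:10:00 ws-202 203.0.113.10 3100",
]

# Constructed records to inspect once the baseline exists.
NEW_FLOWS = [
    "2011-02-16T10:15:00 ws-101 203.0.113.10 4600",   # looks like every other day
    "2011-02-16T02:47:00 ws-101 192.0.2.55 180000",   # new peer, 3am, large transfer
    "2011-02-16T11:00:00 ws-202 198.51.100.7 2900",   # new peer only
    "2011-02-16T10:05:00 ws-303 203.0.113.10 3000",   # host never seen before
]

# Constructed authentication events: "<iso-timestamp> <host> <event> <user>".
AUTH_EVENTS = [
    "2011-02-16T02:31:00 ws-101 login_failed svc-backup",
    "2011-02-16T02:40:00 ws-101 login_ok svc-backup",
    "2011-02-16T09:58:00 ws-202 login_ok alice",
]


def parse_flow(line):
    """Split one flow record into typed fields."""
    ts, host, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), host, dst, int(nbytes)


def build_baseline(flow_lines):
    """Per host: destinations seen, hours of day with activity, largest single transfer."""
    profile = defaultdict(lambda: {"dsts": set(), "hours": set(), "max_bytes": 0})
    for ts, host, dst, nbytes in map(parse_flow, flow_lines):
        p = profile[host]
        p["dsts"].add(dst)
        p["hours"].add(ts.hour)
        p["max_bytes"] = max(p["max_bytes"], nbytes)
    return dict(profile)


def find_anomalies(profile, flow_lines, volume_factor=5):
    """Flag flows that deviate from their host's baseline; one dict per flagged flow."""
    findings = []
    for ts, host, dst, nbytes in map(parse_flow, flow_lines):
        reasons = []
        p = profile.get(host)
        if p is None:
            reasons.append("host has no baseline")
        else:
            if dst not in p["dsts"]:
                reasons.append("new destination")
            if ts.hour not in p["hours"]:
                reasons.append("outside usual hours")
            if nbytes > volume_factor * p["max_bytes"]:
                reasons.append("volume spike")
        if reasons:
            findings.append({"ts": ts, "host": host, "dst": dst,
                             "bytes": nbytes, "reasons": reasons})
    return findings


def correlate_auth(findings, auth_lines, window=timedelta(hours=1)):
    """Attach auth events on the same host within `window` before each flagged flow,
    score each finding by reasons plus related events, and rank highest first."""
    events = []
    for line in auth_lines:
        ts, host, event, user = line.split()
        events.append((datetime.fromisoformat(ts), host, event, user))
    for f in findings:
        related = [f"{event} {user}" for ts, host, event, user in events
                   if host == f["host"] and f["ts"] - window <= ts <= f["ts"]]
        f["auth"] = related
        f["score"] = len(f["reasons"]) + len(related)
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def run(baseline=BASELINE_FLOWS, new=NEW_FLOWS, auth=AUTH_EVENTS):
    """End to end: baseline, detect, correlate, rank."""
    return correlate_auth(find_anomalies(build_baseline(baseline), new), auth)


if __name__ == "__main__":
    for f in run():
        print(f"score={f['score']} {f['host']} -> {f['dst']} ({f['bytes']} B) "
              f"{f['reasons']} auth={f['auth']}")
```

Only the 3am transfer from ws-101 trips all three behavioural checks, and the correlation step is what lifts it clearly above the two single-reason findings: the failed-then-successful service-account login in the preceding hour is invisible to the flow log on its own. The point the talks made is exactly this: none of the individual records looks like a known attack signature, but the combination across sources does.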
A bit of Crypto history
As well as having literally hundreds of talks about topics on the leading edge of IT security, two talks and a panel session celebrated the 35th anniversary of the publication of the original Data Encryption Standard (DES). DES was created as a Federal Information Processing Standard in order to secure unclassified but sensitive government information. The cipher that was eventually chosen is based on one submitted for standardisation by IBM. The National Security Agency reviewed the cipher and made some subtle changes before it was released as FIPS Publication 46. These changes led to years of speculation that the NSA had put in a back door to allow access to this information. Subsequently it transpired that the NSA had in fact made the cipher stronger against Differential Cryptanalysis, which was at the time unknown outside the secret government agencies. Dickie George, the Technical Director for Information Assurance at the NSA, gave an invited talk about the NSA’s role in the process while Adi Shamir (the ‘A’ of the RSA algorithm) delivered a talk on academia’s role. Interestingly, Whitfield Diffie stated during the Cryptographers’ Panel that it was the idea that the NSA might have put in a back door that got him thinking about how one might build a cipher with a back door; this line of research eventually led to his seminal paper with Marty Hellman called New Directions in Cryptography, introducing Public Key Cryptography, and that of course led to the invention of the RSA algorithm!
Overall, the event had a very positive feel. While the past couple of years’ events have felt very subdued, there was clearly a great deal more excitement this year. Customers seem interested in spending again and vendors are offering things that the customers want and need. The RSA Conference is often a bellwether for the security industry as a whole and on that basis 2011 looks like it’s going to be a great year.
(source: Juniper)