It's nearly time for that annual spring ritual: the RSA Conference at the Moscone Center in San Francisco. ESG data tells me that, despite the recession, global organizations continue to spend on security products. So I expect another good show, though I do anticipate that the $500 kegs of Heineken at vendor booths will be omitted or replaced with Bud Light.
With the show less than a week away, here is the buzz I am anticipating. For this year, I'm including my hyperbole-to-reality ratio in my assessment.
Server/desktop virtualization security. (High hyperbole/low-to-medium reality). Security professionals are frightened by the prospects of virtual server sprawl but most server virtualization implementations today are pretty elementary. It's important to anticipate--not hype--these security requirements.
Security virtual appliances. (High hyperbole/low reality). Instead of shipping a white box Intel server pre-loaded with software, many vendors now offer the same thing pre-configured to run as a Virtual Machine on VMware ESX. Good for IT operations but to me this is like taking pride in the fact that you distribute software over the Internet rather than shipping CDs.
Cloud security. (High hyperbole/low reality). I'm actually participating in an effort with other security folks to help define what's needed for cloud security. Since we are just figuring this out, I don't think the time is right for cloud security products.
Conficker. (High hyperbole/high reality). I'm actually very intrigued and somewhat frightened by the sophistication and evolution of Conficker. That said, Conficker is just the latest example of a "blended threat" that we've been talking about for years. Lots of vendors will claim that their product detects or prevents Conficker but those claims are kind of lame and represent what's still wrong with the security industry. Conficker demands coordinated defense-in-depth, good security intelligence, and IT operations processes. No product that I know of offers all this.
Data-centric security. (High hyperbole/high reality). Yup, confidential data is leaking out of organizations like Niagara Falls but, again, no single product can stop it. Will any vendor talk about a confidential data security architecture, best practices, and training? I doubt it.
The merger of desktop security and desktop operations. (Low hyperbole/medium reality). These two disciplines live in separate IT silos but they are coming together like peanut butter and chocolate. McAfee, Microsoft, Symantec, and Trend Micro get this but users are still a bit behind so I don't expect to hear much.
The merger of identity management and security. (Low hyperbole/high reality). This is another union I fully expect, and users do get that identity and security management go hand-in-hand for business process enablement and compliance. The buzz around this will be subdued, however, since there are but a few strong identity management players like IBM, Microsoft, Novell, Oracle, and Sun.
Cybersecurity. (High hyperbole/high reality). The whole crowd in San Francisco next week is waiting to hear Melissa Hathaway's recommendations to President Obama regarding the review of federal cybersecurity programs. This will give us something good to talk about at all the cocktail parties.
In just two weeks, the annual RSA Conference takes place in San Francisco. What can we expect as the "hot topics" at this annual security love fest? I'm sure there will be plenty of buzz about securing virtual servers and cloud computing infrastructure, but this topic will likely focus on blue sky vision describing the safeguards we will need in 2012 or so. Rather than this hyperbole, I am looking forward to discussions focused on the marriage of identity and security.
Haven't these two areas been linked forever? Well, yes and no. Security folks think of identity in terms of authentication issues like password management, role-based access controls, or biometrics. But other aspects of identity like user provisioning, fine-grained entitlement management, and single sign-on usually live elsewhere in IT. When network access was restricted to internal employees, this division made sense, but identity and security can no longer remain apart. The marriage of these two IT disciplines will take place for a simple reason--identity and security must work together to enable modern business processes.
Identity is all about who gets access to applications and data so in theory, strong identity skills let organizations get users more productive sooner than the competition. Think of identity management as the magical formula to unleash Metcalfe's Law. More users come with a cost, however--a greater number of security threats from hackers, malicious code attacks, and data breaches. Thus IT executives must balance their ability to let users into the network with proportional safeguards to keep bad things from happening.
Call it social networking, the consumerization of IT, Web 2.0, or any other market-speak term you want. To me, it is all about information sharing, collaboration, and business process improvement. IT must create an environment where users can access what they need and come and go as they please as long as they add business value while they are around. Public and private sector organizations headed down this path had better have their identity yin and security yang working together in harmony or they will either hold back the business or greatly increase security risk.





