I attended the RSA Security conference last month and came away with an enhanced appreciation for what IT managers, CIOs (and CISOs) face on a daily basis. Any IT security strategy is all about risk mitigation, the process of implementing the most effective security possible with the finite resources at your disposal. After talking to a few dozen vendors and security professionals at the show, it was clear that security for mobile devices, cloud computing and social media were front and center. The increasing sophistication of cybercriminals and cyber-espionage programs funded by foreign governments were also topics of concern.
Another important trend? The security market seems to have rebounded significantly from last year's rather anemic RSA, with Comodo Founder and CEO Melih Abdulhayoglu (@Melih_Comodo) telling me that "RSA this year was great. People had budgets [for purchasing security products and services] this year, which was a big contrast with last year's RSA."
Most of the security vendors I spoke with were already readying some sort of mobile device security solution, ranging from services and platforms on the management side to new security apps for smartphones. Android-based devices seemed to be getting the most attention, partly from having the largest smartphone market share and from news concerning recent (and high-profile) security incidents involving android devices.
"There is a need for better mobile device security, but people aren't shouting from the rooftops yet," Comodo's Abdulhayoglu told me. "Before they get to that shouting stage there will be solutions available for them." Abdulhayoglu also seconded the idea that Android devices were leading candidates for security solutions, while Apple's iPhone seemed to benefit -- from a security standpoint -- by having: a comparatively closed development environment; a single vendor in charge of both the software and handset development (Apple); and a fully-gated application delivery ecosystem (via the App Store).Cloud Security and Federation
While some progress has been made towards improving cloud security, many security obstacles remain. Lieberman Software President and CEO Philip Lieberman echoed that sentiment, saying that "Customers have a real reason to be concerned. There's a lack of transparency and consistency when it comes to logs and auditing, to reveal what is truly happening in a cloud environment," Lieberman said. "Standards are being developed, but some CIOs are rushing to the cloud to get the greatest possible cost savings, not neccesarily the best security. That's why we signed up for the cloud security alliance in an attempt to move [cloud] vendors forward."
I spoke with a number of other vendors who were trying to address cloud security and federation issues with new products and services, such as Credant Technologies new cloud-based security platform, designed to help enterprises address some security concerns about cloud computing by encrypting data in private clouds. RSA unveiled a new cloud-based federation service called the RSA Cloud Trust Authority, while Verizon rolled out a new enterprise identity service. Qualys updated many of it's cloud-based security solutions, including updates to QualysGuard Policy Compliance and QualysGuard Web Application Scanning (WAS).
Securing Social Media (or, "Loose Tweets Sink Fleets")
The exploding use of social media was also a big topic at RSA, with many experts cautioning IT and HR departments to back off from more draconian responses to social media use in the workplace, which can range from banning use of Facebook and Twitter to limiting access to those services to a limited number of PCs. Ben Rothke (@BenRothke) -- a Senior Security consultant at BT Global Services -- believes that organizations have to "get in front of the social media wave" and be more supportive of the use of social networks in the workplace.
In his session entitled "Security and Social Networks", Rothke urged organizations to take a more forward-looking, proactive approach to social media use, and encourage their employees to use the services to connect with their customers, clients, and co-workers. "Excessive personal Facebook use is an HR issue, not one for IT or security," Rothke said. "Organizations should use social media in a way that meets their needs, goals, and objectives. For example, Facebook is very appropriate for Starbucks employees to connect with colleagues and customers, but shouldn't be something that the U.S. Marine Corp should support, for obvious reasons."The Rise of Professional Cyber Criminals
Another security trend deals with the changing nature of security threats. While hackers used to break into corporate and government networks for more personal reasons, organized crime has now taken hold in the world of information security threats. So-called script-kiddies used to be more of a nuisance than a real problem, but they've now been replaced by organized networks of cyber-criminals that traffic in passwords, personal identities, and confidential corporate data.
Tom Murphy, Chief Strategy Officer of Bit9, told me that several foreign governments now have large and well-financed cyber-espionage programs. "We came across a problem with an unnamed US agency that had developed an application to track defense assets that was built on top of Google Earth," Murphy said. "Our security tools were flagging Google Earth as an unsafe application -- upon further research we discovered that one of the app developers had downloaded files from a site that had been comprimised, and the Google Earth application had a number of backdoors and other malware installed."
Leaving the Ivory Tower
When asked to give some final advice to CIOs about how to approach the pressing IT and security issues of the day, Lieberman urged CIOs to "get out of their ivory towers" and take a hands-on approach to security and managing their IT departments. "CIOs need to be involved in root cause analysis. They need to take direct responsibility for their security posture, and not delegate that to an analyst. They need to get their hands dirty. If their IT department isn't seeing the big picture or understanding business needs, it's up to IT management to help IT get better, not to punish them. We need CIOs to get involved on both the operational and technical levels. Many CIOs have outsourced work, and protect themselves with contracts. CIOs are often compensated by how low they can drive down IT costs, not how they can transform IT into something good for the business."
Conversely, Liberman also had some advice for IT professionals about how they can be more effective. "The biggest problem some IT pros have is not understanding the business case for the technology or products they're advocating. IT needs to step away from the dialog of tech when dealing with business stakeholders...only the IT department cares that much about technical details."
Are security topics top of mind for you and your IT staff for 2011? Let me know what you think by commenting on this blog post or following me on Twitter.