This blog comments on a variety of technology news, trends, and products and how they connect. I'm in Red Hat's cloud product strategy group in my day job although I cover a broader set of topics here. This is a personal blog; the opinions are mine alone.
The RSA Conference is the biggest security conference in the world and it's growing fast. Red Hat identity management product manager Ellen Newlands was there. She sat down with me to share what was hot out in San Francisco. In this podcast, we talk mobile, BYOD, cloud security, professional hackers, and security jobs.
Haff: Hello, everyone. This is Gordon Haff, Cloud Evangelist with Red
Hat, and I'm sitting here with Ellen Newlands, who's the product manager for
Red Hat's identity management products. Ellen's with me here today because she
just got back from the RSA conference in San Francisco. Lucky her.
I think probably most people in this podcast have heard of RSA, but why don't
you briefly introduce it just in case someone hasn't heard of it?
Newlands: The RSA conference is the premiere security conference in
the world today. This week in San Francisco for the conference, it was a larger
conference and more globally attended than at any time that I can remember in
Why do you think that is?
I think that frankly, security has gone mainstream. It used to be, quite
frankly, a very geeky conference with a lot of cryptographers, many
mathematicians, and quite detailed. Now, it seems that it has expanded and I
think the reason for that is the number of security breaches that have taken
place and the economic and potentially military impacts of those breaches is so
Now, is it that people have forgotten how to do security? Or the bad guys
are getting worse?
I think, frankly, it's that as we evolve into the cloud and into new ways
of computing, that there are new security risks and different security risks.
In addition, these days, being a malicious hacker is not an independent sport.
It's a business in and of itself. It's not usual for the "other side"
to have doctorates in the field, to be very sophisticated software engineers,
and to be working for an organization that provides nine to five benefits,
vacation, etc. It's a very, very professional world out there.
In your view does this mean we need fundamentally different ways of doing
security? Or do we need to just do a better job with more or less how we're
doing things today?
I do think that both of these things are true. I think that there is a
fundamental difference in security today in that the point products and end
point products in particular no longer do the job. In addition, we're seeing
that static products aren't enough. You need a combination of products that can
be dynamic. That work together to form a true security circle around the data
and your employees. The old one on one products just are insufficient.
I'm going to get to cloud computing in a little more detail in a couple
minutes. First of all, I want to talk about mobile. I saw a tweet from someone
who suggests that maybe there wasn't quite as much paranoia about mobile there.
But there still seems to be a lot of interest in mobile security generally.
I think there is a great deal of interest in mobile security. Of the
three areas that were biggest on the docket and the agenda, mobile security at
the RSA conference was one of the most attended. I think what you're seeing is
that employees expect to bring their own devices. The corporations don't
necessarily like the risk, but they feel that they have no choice.
Maybe that's what the tweets are referring to. They sort of like to just
have everyone still use their Blackberries or whatnot. We can certainly make
exceptions for three letter government agencies and maybe even the financial
sector. But by and large there seems to be an acceptance that BYOD is just the
way things happen.
It is the way things happen. But bring your own device is still
responsible for some of the breeches that we have seen. Perhaps not the most
costly. But mobile devices are another way into a company's or enterprise's
data that represents an open hole that has to be plugged.
Is there any consensus on the best way to do that?
As usual in security there's no consensus as far as I can see on
anything. But there are lots of new techniques in this area. Downloaded
certificates for the mobile devices themselves, centralized management, and a
number of things that are either in the works or on the research table to make
mobile device computing a little more secure than it has been.
Let's talk about cloud security now. In some ways this conversation seems
to have become more sophisticated. It's no longer quite as simple as is the
cloud safe or is the cloud unsafe. But there still seems to be quite a bit of
debate around it and quite a bit of concern.
One of the biggest concerns that I saw at the RSA conference this year is
the dynamic tension between… cloud providers and their customer base. This all
revolves around who's responsible if bad things happen. The enterprise
customers say we don't know what the public clouds are doing for security. They
don't let us touch our data when it's in the public cloud. They don't let us
have the audit trails or the logs. Yet, we are the ones still responsible for
the data. The public cloud providers very often will say the enterprise is
still responsible for the data. Very, very few of them will take any
responsibility for the security of your information in the public cloud.
been a lot of advice lately from some of the pundits in the area that the
enterprise customers should ask question after question after question of their
cloud provider to find out what kind of security is actually provided. The
biggest issue that we have seen is the lack of transparency with public cloud
A company like Amazon has various certifications. When I was at their AWS
Reinvent Conference last November, they were really promoting this idea of
shared responsibility. Essentially, you're responsible for the stuff above the
infrastructure. But really, our infrastructure is secure and you don't need to
worry about it. You're saying a lot of companies still don't buy that.
I think a lot of companies don't buy that. I think part of the reason
that a lot of companies don't buy that is because so many of the larger
companies have compliance and governance issues that public cloud in general
does not assist them with. They have a regulator who is asking for information
that public clouds do not necessarily provide to their client base.
How do you think this is going to be resolved? Are the enterprises going
to get more comfortable? Are the public cloud providers going to be more
transparent? How do you see this playing out?
The way that I actually see this playing out… you can't swing a dead cat
frankly at the RSA conference without hitting another set of standards or best
practices. I think with pressure from the enterprise customers, we're going to
see more compliance with standards and more standards. The Cloud Security
Alliance, the NIST organization, FedRAMP. All of these organizations are
putting out best practice guidelines, recommendations, and in some cases,
requirements for cloud providers. I think enterprises will be forcing the better
cloud providers to provide a kind of standardization for PaaS and IaaS that you
would expect to see.
Of course there's nothing that says we need to end up with one type of
public cloud that's all the same no matter who you are. I think it's very
reasonable to expect that we'll have public clouds that have better auditing,
better transparency, better attuned to the needs of particularly security
conscious enterprises. They'll charge for that.
I think that's absolutely true. I think one of the fundamentals in
security that has not changed is it makes sense to decide what is the value of
your data and match your security to the value of the information. I think
that's number one. Not all data requires the same level of security.
Let's talk about Rogue IT or Shadow IT. Pick your term. That's been one
of the big concerns around public cloud services in general whether we're
talking software as a service, infrastructure as a service, or whatever, just
the idea that maybe your IT department isn't making your life easy enough so
you just go out and do it your own way.
I think that this is very, very true. One of the things that we have seen
is if an enterprise sets up a private cloud in a secure way, if that cloud does
not allow for easy provisioning for any and all users who should have access,
the next thing you know your IT group will find that their end users are just
bypassing that and going outside to make life easier, and to get the computing
resources that they expect to have more quickly and more easily.
I think that's absolutely the case. A friend of mine, Andi Mann at CA,
actually wrote a blog post on a similar topic recently. The way I look at it is
that public clouds in a sense created this benchmark or expectation that users
have. It's great when in house IT sets up a cloud. But if that cloud doesn't
truly emulate what a public cloud provides for its users, it's probably going
I think that's absolutely true. Because sophisticated applications users
and developers these days who are not necessarily related to IT will just go
get what they need in the easiest way possible. All you need these days is a
credit card. The other area that has been a very big topic for security in
particular is the insider threat. Say what you will, perhaps your biggest
danger is the administrator who has all the privileges and access to all the
you are seeing ways to control the insider threat through product logs, through
dual change mechanisms, through least privilege, et cetera. But this is an area
that particularly does worry enterprises, who put their data in public cloud
is, how do we know that the public cloud's administration is also pretty well‑locked
So all this interest in security probably indicates, this is probably a
pretty good job market for somebody who's good at security.
Well, I must say, it reminds me a little bit of the old phrase from the
Clinton years, which is, "These are times that a blind felon could get a
job as a night watchman. Anybody who can spell 'security,' even with a 'k'
these days is likely to have work." The announced unemployment rate in
security is zero percent. Just as an example, the Department of Defense has 900
people working in security. It came to the conference with the intent of hiring
have no idea where they're going to get them, not unless maybe they get one of
the biotech firms to clone them.
I guess the message is that security's a good skill to have.
For the moment. Things may change. You never know.
I'm in the cloud product strategy group at Red Hat. Prior to Red Hat, I wrote hundreds of research notes, was frequently quoted in publications like The New York Times on a wide range of IT topics, and advised clients on product and marketing strategies. Earlier in my career, I was responsible for bringing a wide range of computer systems, from minicomputers to large UNIX servers, to market while at Data General. Among other hobbies, I do a lot of photography and enjoy the outdoors.