Tuesday, March 05, 2013

Podcast: What happened at the RSA Conference?

The RSA Conference is the biggest security conference in the world and it's growing fast. Red Hat identity management product manager Ellen Newlands was there. She sat down with me to share what was hot out in San Francisco. In this podcast, we talk mobile, BYOD, cloud security, professional hackers, and security jobs.

Listen to MP3 (0:12:39)
Listen to OGG (0:12:39)


Gordon Haff:  Hello, everyone. This is Gordon Haff, Cloud Evangelist with Red Hat, and I'm sitting here with Ellen Newlands, who's the product manager for Red Hat's identity management products. Ellen's with me here today because she just got back from the RSA conference in San Francisco. Lucky her.
Ellen, I think probably most people in this podcast have heard of RSA, but why don't you briefly introduce it just in case someone hasn't heard of it?
Ellen Newlands:  The RSA conference is the premier security conference in the world today. This week in San Francisco for the conference, it was a larger conference and more globally attended than at any time that I can remember in the past.
Gordon:  Why do you think that is?
Ellen:  I think that frankly, security has gone mainstream. It used to be, quite frankly, a very geeky conference with a lot of cryptographers, many mathematicians, and quite detailed. Now, it seems that it has expanded and I think the reason for that is the number of security breaches that have taken place and the economic and potentially military impacts of those breaches is so high.
Gordon:  Now, is it that people have forgotten how to do security? Or the bad guys are getting worse?
Ellen:  I think, frankly, it's that as we evolve into the cloud and into new ways of computing, that there are new security risks and different security risks. In addition, these days, being a malicious hacker is not an independent sport. It's a business in and of itself. It's not usual for the "other side" to have doctorates in the field, to be very sophisticated software engineers, and to be working for an organization that provides nine to five benefits, vacation, etc. It's a very, very professional world out there.
Gordon:  In your view does this mean we need fundamentally different ways of doing security? Or do we need to just do a better job with more or less how we're doing things today?
Ellen:  I do think that both of these things are true. I think that there is a fundamental difference in security today in that the point products, and endpoint products in particular, no longer do the job. In addition, we're seeing that static products aren't enough. You need a combination of products that can be dynamic, that work together to form a true security circle around the data and your employees. The old one-on-one products just are insufficient.
Gordon:  I'm going to get to cloud computing in a little more detail in a couple minutes. First of all, I want to talk about mobile. I saw a tweet from someone who suggests that maybe there wasn't quite as much paranoia about mobile there. But there still seems to be a lot of interest in mobile security generally.
Ellen:  I think there is a great deal of interest in mobile security. Of the three areas that were biggest on the docket and the agenda, mobile security at the RSA conference was one of the most attended. I think what you're seeing is that employees expect to bring their own devices. The corporations don't necessarily like the risk, but they feel that they have no choice.
Gordon:  Maybe that's what the tweets are referring to. They sort of like to just have everyone still use their Blackberries or whatnot. We can certainly make exceptions for three letter government agencies and maybe even the financial sector. But by and large there seems to be an acceptance that BYOD is just the way things happen.
Ellen:  It is the way things happen. But bring your own device is still responsible for some of the breaches that we have seen. Perhaps not the most costly. But mobile devices are another way into a company's or enterprise's data that represents an open hole that has to be plugged.
Gordon:  Is there any consensus on the best way to do that?
Ellen:  As usual in security there's no consensus as far as I can see on anything. But there are lots of new techniques in this area. Downloaded certificates for the mobile devices themselves, centralized management, and a number of things that are either in the works or on the research table to make mobile device computing a little more secure than it has been.
Gordon:  Let's talk about cloud security now. In some ways this conversation seems to have become more sophisticated. It's no longer quite as simple as is the cloud safe or is the cloud unsafe. But there still seems to be quite a bit of debate around it and quite a bit of concern.
Ellen:  One of the biggest concerns that I saw at the RSA conference this year is the dynamic tension between… cloud providers and their customer base. This all revolves around who's responsible if bad things happen. The enterprise customers say we don't know what the public clouds are doing for security. They don't let us touch our data when it's in the public cloud. They don't let us have the audit trails or the logs. Yet, we are the ones still responsible for the data. The public cloud providers very often will say the enterprise is still responsible for the data. Very, very few of them will take any responsibility for the security of your information in the public cloud.
There's been a lot of advice lately from some of the pundits in the area that the enterprise customers should ask question after question after question of their cloud provider to find out what kind of security is actually provided. The biggest issue that we have seen is the lack of transparency with public cloud providers.
Gordon:  A company like Amazon has various certifications. When I was at their AWS re:Invent conference last November, they were really promoting this idea of shared responsibility. Essentially, you're responsible for the stuff above the infrastructure. But really, our infrastructure is secure and you don't need to worry about it. You're saying a lot of companies still don't buy that.
Ellen:  I think a lot of companies don't buy that. I think part of the reason that a lot of companies don't buy that is because so many of the larger companies have compliance and governance issues that public cloud in general does not assist them with. They have a regulator who is asking for information that public clouds do not necessarily provide to their client base.
Gordon:  How do you think this is going to be resolved? Are the enterprises going to get more comfortable? Are the public cloud providers going to be more transparent? How do you see this playing out?
Ellen:  The way that I actually see this playing out… you can't swing a dead cat frankly at the RSA conference without hitting another set of standards or best practices. I think with pressure from the enterprise customers, we're going to see more compliance with standards and more standards. The Cloud Security Alliance, the NIST organization, FedRAMP. All of these organizations are putting out best practice guidelines, recommendations, and in some cases, requirements for cloud providers. I think enterprises will be forcing the better cloud providers to provide a kind of standardization for PaaS and IaaS that you would expect to see.
Gordon:  Of course there's nothing that says we need to end up with one type of public cloud that's all the same no matter who you are. I think it's very reasonable to expect that we'll have public clouds that have better auditing, better transparency, better attuned to the needs of particularly security conscious enterprises. They'll charge for that.
Ellen:  I think that's absolutely true. I think one of the fundamentals in security that has not changed is it makes sense to decide what is the value of your data and match your security to the value of the information. I think that's number one. Not all data requires the same level of security.
Gordon:  Let's talk about Rogue IT or Shadow IT. Pick your term. That's been one of the big concerns around public cloud services in general whether we're talking software as a service, infrastructure as a service, or whatever, just the idea that maybe your IT department isn't making your life easy enough so you just go out and do it your own way.
Ellen:  I think that this is very, very true. One of the things that we have seen is if an enterprise sets up a private cloud in a secure way, if that cloud does not allow for easy provisioning for any and all users who should have access, the next thing you know your IT group will find that their end users are just bypassing that and going outside to make life easier, and to get the computing resources that they expect to have more quickly and more easily.
Gordon:  I think that's absolutely the case. A friend of mine, Andi Mann at CA, actually wrote a blog post on a similar topic recently. The way I look at it is that public clouds in a sense created this benchmark or expectation that users have. It's great when in house IT sets up a cloud. But if that cloud doesn't truly emulate what a public cloud provides for its users, it's probably going to fail.
Ellen:  I think that's absolutely true. Because sophisticated applications users and developers these days who are not necessarily related to IT will just go get what they need in the easiest way possible. All you need these days is a credit card. The other area that has been a very big topic for security in particular is the insider threat. Say what you will, perhaps your biggest danger is the administrator who has all the privileges and access to all the information.
Increasingly, you are seeing ways to control the insider threat through product logs, through dual change mechanisms, through least privilege, et cetera. But this is an area that particularly does worry enterprises who put their data in a public cloud: how do we know that the public cloud's administration is also pretty well locked down?
Gordon:  So all this interest in security probably indicates that this is a pretty good job market for somebody who's good at security.
Ellen:  Well, I must say, it reminds me a little bit of the old phrase from the Clinton years, which is, "These are times that a blind felon could get a job as a night watchman. Anybody who can spell 'security,' even with a 'k' these days is likely to have work." The announced unemployment rate in security is zero percent. Just as an example, the Department of Defense has 900 people working in security. It came to the conference with the intent of hiring 4,000 more.
We have no idea where they're going to get them, not unless maybe they get one of the biotech firms to clone them.
Gordon:  I guess the message is that security's a good skill to have.
Ellen:  For the moment. Things may change. You never know.
Gordon:  Well, thank you, Ellen.
Ellen:  Thank you Gordon.