Below are my notes and takeways from the first day of RSA London. The day started off with plenty of cinematics and a nature theme opening session by the heads of RSA. The location is fantastic – the conference hotel is very close to good trains in London and there are plenty of things around. While the hotel is a bit of a maze – I am told it is a fair trade off from prior years.
Arthur Coviello opened the conference and gave a great deal of specifics regarding the industry. He actually gave a fantastic introduction to my session materials, and that certainly helped the delivery of my own session. (Speaking of my session – I will be composing my session into a paper and posting it online to gather opinion and input).
- 15 Billion devices communicating – according to John Ganz “The Embedded Interent: Methodology and Findings”
- By 2011 – 75% of us workforce will be mobile (BNET)
- Facebook will exceed 300M users by end of 2009.
- More information has been created in this decade than “all time”?!
- All content is created digitally at inception or within 3 months.
- Physical control of IT assets are loosening
- Growth and adoption of IT Cloud services will grow to 35 billion Euros. It will capture 25% of ALL IT spending
- Today “high value” is in taming the complexities of information and this is the challenge of IT organizations.
- The challenge of the security industry is to enable these ubiquitous technologies and enable them in a boundaryless IT environment.
Hugh Thompson of People Security:
Hugh have a great session that was both animated and well structured. His presentation reflected a past project where I created algorithms and technology to conduct social cyber forensics using similar mechanisms. He gave a good number of points regarding Data Gateways and I hope that his presentation will be available to help disiminate the definitions and risks.
He highlighted (the somewhat obvious fact) that people are posting indiscriminately data online through social sites. There will be a fallout to the information posted online. There should be some kind of education for people on “what to post” online.
A takeaway from the Meetup dialogs was if the social norm is to post all this information then the minority is to not. Therefore is it right to educate the masses or secure them for them? Interesting implications regarding security authentication and authorization systems as a result.
Guy Bunker’s session:
Highlighted the Jericho forum 2009 Cube and provided very interesting and impactful questions that every organization should know about – need to see if I can find a copy of that slide.
In a internal infrastructure situation – if the system to system controls fail it is generally OK. An audit deficiency or a weekend is in order to rectify the error. If such errors or security failures occur at the Cloud Administrator the exposure has an impact – the severity depends upon the breach, information, and audience.
“Compliance is the dark side” … hmmm
- Moving to the cloud doesn’t devoid the duty of complying with regulations
- Moving to short time contracts with Cloud providers (i.e., spinning up an environment for XYZ project over a measured time frame) introduces requirements to demonstrate that these environments are appropriately secure and compliant. What is the onboarding, management, measurement, and offboarding process occur in these environments?
- Caution (especially within the EU) is the exporting of data to these providers, and do they maintain the possession in proper approved regions and systems.
- Data Migration:
- Moving data back and forth between internal and external clouds can be difficult
- Moving the data if the systems are proprietary requires API and conversion efforts
- Restoration of data from backups based on prior / old applications creates challenge when the system is wholly updated and older updates are no longer supported (Think JP Morgan required to provide restored email backups from systems they internally managed that are no longer available by the vendor).
- Questions to Ask Part 1 and Part 2 are a nice breakdown of sanity checks when using cloud providers by Guy Bunker
- Trend in new threats is people taking the entire Virtual Machine images, not just data. This not only is the information but more importantly the HOW and MEANS of delivering the exact same service.
The end of evening included the Vendor booths which were significantly smaller than the April conference, but was better due to the quieter and more productive conversations I had and observed. The Blogger Meetup also was Tuesday and it was great. Plenty of very smart individuals and the conversations were all geek, security, compliance, and extensions of sessions conducted during the day. I actually hope that other such evening events will come together to take advantage of the presence of so many experts in their fields.
Day 1 was certainly a success. The tremendous focus on Cloud, Social Media Risks, Identity Fraud, and audit was rich and worthwhile. A personal takeway I have is how applicable my hands-on work around securing auditable Cloud environments is for businesses.
Other sources for information:
More to come…
James DeLuccia IV