I attended my first RSA security conference recently, and the experience left me with sore feet and lack of a strong lead for this story. Just what was the most important news from RSA this year? There were no ground-breaking product introductions, headline-grabbing security breaches, or other obvious "stop the press!" news from the event. Other than Al Gore telling the Fourth Estate to get lost (press was prohibited from attending his RSA speech) and the Olympic torch being hustled through San Francisco at breakneck speed--the torch bearer must have been told to "move it like you stole it"--most of the news from RSA 2008 was of a more evolutionary (rather than revolutionary) nature.
That said, there were several evolving trends in evidence. Securing virtual machines was a popular topic for attendees and vendors alike, as was hardening mobile devices and providing complete protection for enterprises with sensitive data. In the interest of providing a broad overview of all the disparate themes on display at the conference, I've put together a three-part report that presents some of the more interesting things I came across.
1. Data Loss Protection (DLP): More Steak than Sizzle?
Keeping confidential information private and secure--especially when it must be moved, copied, and shared with others, both inside and outside of an organization--can be an increasingly complex challenge. That was the focus of a Symantec-sponsored panel I attended on data loss prevention (DLP).
The wide-ranging discussion focused on the current state of DLP in the enterprise. DLP is an obvious area of interest for Symantec, which recently acquired DLP solution provider Vontu. Joseph Ansanelli was the CEO of Vontu prior to the acquisition, and is now VP of DLP at Symantec. Ansanelli stressed that no DLP system can provide 100% security for sensitive information, but getting as close as possible to that goal should be a high priority for any organization with acute information security needs.
Tony Spinelli, senior vice president of information security at Equifax, mentioned that his company decided on Vontu's DLP product to ensure that all secure data coming into (and going out of) the company was matched to verify accuracy and monitor potential security issues.
Some panelists expressed concern that the terminology used in the DLP market was somewhat nebulous, with former Gartner analyst (and Securosis.com Founder) Rich Mogull pointing out that many products being promoted at RSA with DLP features were using the acronym even when it wasn't technically accurate. Vendors often use related terms interchangeably, a development that can lead to significant customer confusion. (Read Mogull's DLP whitepaper for more information about choosing and installing DLP solutions.)
While the hype and confusing terminology around DLP may have muddied the waters a bit, it's clear that DLP is a pressing area of concern for organizations with vital security needs, particularly those in the financial, healthcare, government, and defense sectors.
2. Microsoft Shows Stirling, Deploys Booth Most Likely to Become a Tattoo
If keeping track of multiple security apps from different vendors across your enterprise is giving you a migraine, driving your IT budget deep into the red, and/or making your hair fall out, Microsoft has some news for you.
Microsoft chose RSA 2008 to announce the next generation of their Microsoft Forefront security solution, which goes by the codename "Stirling." According to a Microsoft news release, Stirling will combine Forefront Security for SharePoint, Forefront Client Security, Forefront Security for Exchange Server, and the Forefront Threat Management Gateway (formerly known as the Microsoft Internet Security and Acceleration Server) into one integrated security suite. And the entire product will sport a spiffy new central management console that Microsoft hopes will increase efficiency and de-frazzle harried IT professionals when it comes to security duties. Our own Paul Thurrott writes in WinInfo Update that "If you're currently sinking under the weight of multiple security endpoints, Stirling might be just what the doctor ordered."
In support of the Stirling announcement, Microsoft gave out stickers touting Microsoft Forefront and dressed their booth in NAP-promoting livery that looks as if it escaped from a tattoo parlor, or perhaps fell off the Aerosmith tour bus. Rock on, 'softies.
3. Yubico: Proving that Chutzpah > Booth Space
I've attended dozens of trade shows, and most are dominated by sprawling booths of corporate behemoths like Microsoft, IBM, Symantec, and McAfee. Stop by for a product demo at most of them and you'll get a professional product demonstration, a pile of expensive product literature, and some cheap trade show tchotchkes in the form of pens, sweatbands, rubber balls, or some other gewgaws, often emblazoned with the corporate logo of said behemoth.
Nothing against the industry heavyweights, but one of my favorite things to do at any trade show is to find the small, tiny vendor that makes up for their lack of booth space and disposable freebies with lots of guts and initiative.
Such is the case with Yubico, a small Swedish startup whose CEO--Stina Ehrensvard--patiently waited outside the RSA press room to introduce me to her company and their new product, the YubiKey. Despite a press release that was never issued and some crossed signals with her US partner (ActivIdentity), Ehrensvard made a compelling (albeit impromptu) sales pitch for the YubiKey, a secure USB login device. The YubiKey is essentially a USB key with a single button that generates a 128-bit ID code (AES-128 format) and a one-time passcode when pressed. Unlike other solutions that require use of a randomly generated keycode and have a finite battery life--like the RSA SecurID--the YubiKey automatically generates a unique authentication code when activated and draws power from the host PC. You can see a quick video clip explaining the YubiKey here. (I'm not sure why the YubiKey clip is hosted at a golfing tournament Web site, but I digress.)
On the downside, the YubiKey doesn’t currently support the emerging OATH reference architecture (although Ehrensvard mentioned in an email exchange post-RSA that Yubico is building a proxy solution that will support OATH), is currently only available for purchase directly through Yubico, and still seems to be in the early stages of product development: When purchasing a YubiKey from Yubico, a disclaimer cautions purchasers that YubiKeys (priced at about $35 singly, or as low as $2 each for volume orders) can be used for evaluation purposes only. Regardless, if the rest of the Yubico executive team has as much initiative as their CEO, I’m sure we’ll be hearing more about them soon.
4. Quest Software, Enterprise Single Sign-On (ESSO), and Chips and Queso
Quest Software was at RSA to discuss the upcoming release of Quest Enterprise for Single Sign-on (ESSO), a new product that could be considered the spiritual successor to other products and technology developed by Vintela, which Quest acquired in May 2005.
In a statement supporting the product announcement, Jackson Shaw, senior director of product management for Quest Software, said that "With the release of Quest Enterprise Single Sign-on we are further enabling our customers to leverage their investment in Active Directory by providing an industry-leading log on authentication product for Windows desktops." Shaw joined Quest Software via the acquisition of Vintela, a firm that specialized in providing streamlined sign-on and authentication across heterogeneous IT environments.
The ability to use a single sign-on for multiple applications, hardware and systems should be music to the ears of many IT pros. Active Directory (AD) is undoubtedly the most ubiquitous directory structure currently available, and Quest's efforts to extend AD support to other platforms and systems are a big plus. Shaw mentioned that ESSO also supports the OATH reference architecture, an emerging cross-platform authentication standard.
If ESSO works as promised, IT pros could possibly save enough time from cat-herding authentication and logon issues to enjoy some chips, queso, and guacamole at the local eatery of their choice. Or they could visit Shaw's blog for advice on how laptop-using IT pros can fend off a cold boot hacker attack. I have a suggestion: Listen for chattering teeth and report anyone with blue skin.
More Perspective, and What's Coming Next
For another perspective on the show, my Windows IT Pro colleague (and our resident security expert) Renee Munshi has also posted about her RSA experience, so be sure to check out her coverage as well.
Check back on Wednesday, April 23rd for Part Two of our RSA 2008 Conference recap. In our second installment we'll take a look at why StillSecure wants to beat Cisco at their own game, how SaaS is changing email security, and how easy it is to buy a $10 glass of tea in San Francisco....