Guest Post: Jim Reavis on the RSA Conference

Posted by: Jim Reavis, Executive Director, Cloud Security Alliance

For our industry, the RSA Conference is the Oscars, a political convention and a college reunion, all rolled into one. We spend months preparing for this one week, and out of this one week comes a year’s worth of new initiatives we must tackle. As always, Cloud Security Alliance (CSA) had a big presence at this year’s show, with our Monday CSA Summit keynoted by Mike McConnell, a former director of the NSA. Between our summit and all the other activities I participated in, I wanted to share the impressions that stuck with me:

Mobile computing shared the spotlight with cloud. There has been significant growth in mobile deployments over the past year, virtually all of it relying upon public clouds for the back end. Several large companies shared stories with me of new end-to-end solutions that did not traverse the enterprise network with even a single TCP/IP packet. This was a big reason behind our announcement of CSA Mobile, a new research project to provide security practices for mobile computing as it interacts with cloud computing. Central IT control over the computing paradigm shrank again, and those who are embracing this change and growing their knowledge of the business, even anticipating its needs, seem to be in the best position.

The information security industry often gets a bad rap for being alarmist and I always hesitate to go in that direction personally. So, I can just blame it on the people I was hanging with. Mike McConnell was certainly of the opinion that cyber-economic espionage was on the rise, and the United States has not developed the defensive capabilities necessary to combat it. The bad guys have taken their game up two notches. We certainly saw the most sophisticated attacks in history in the past year, and many enterprises are getting ready for more. But I also heard from many organizations that had decreased digital fraud and certainly we are getting better at IT risk management.

What’s old is new again. Aside from the unlimited free beer at RSA, my favorite activity is sitting down with some of the geniuses of the industry to listen to their views of what we face next. In discussing the many possible directions computing may take over the next several years in becoming an even more pervasive part of our lives, none of us came up with scenarios that would not continue to rely heavily upon our DNS and Certificate Authority infrastructure. These technologies will likely outlive the Web as we know it, and it is important that we continue to implement DNSSEC and pervasive HTTPS, and do even more to improve the security and trustworthiness of these systems.

Competitors will need to share information more than ever. I heard from many about their frustration in sharing attack information that could help others avoid suffering the same fate. I may be oversimplifying the problem, but over and over again, it seems as though the requests for disclosure were blocked by that company’s own internal legal counsel. This is penny-wise and pound-foolish, as the successful hacker will be encouraged to wreak even more havoc. The financial industry has been doing this fairly effectively for years; the rest need to catch up.

I will leave it on that last point, as I have reason to be optimistic. Cloud Security Alliance has been able to get competitors of all stripes working together, and I think the information security community is even more committed to cooperating beyond any boundary. Amazing what free beer will do.