I spent a week in San Jose, CA (which I found very UNappealling, BTW) for the RSA Conference. Here are my thoughts:
1. As stated above, the venue was not AT ALL appealling. The main convention center did not have enough room for the Keynote speakers, so they were across the street in some building (can’t remember the name). That area was simply old and dirty looking. I am not adverse to dirt (I was born and raised in Mississippi, for goodness sake), but I don’t like it when I am trying to listen to big-name CEO’s talk about trends in security. They had to have an annex for overflow (this is also where they placed “laptop” row, so people who actually wanted to get some work done could plug in). The annex had a telecast of the keynotes, so this tells me that the San Jose venue is just not suitable for a convention of this size. I am sure there was some reasoning behind San Jose, but I cannot see going there again.
However, since #1 did not seem to directly affect the quality of the tracks, speakers, etc., I will digress.
2. RSA itself is a very important event in the world of security because of the trends that come out from experts. This year was no different. Here are some of the trends I heard talked about:
a. De-perimeterization: This one is not new, but it seemed to really take focus and gain strength this year. Many speakers were talking about this. One Microsoft speaker was talking about moving the firewalls to the ISP, so the company would basically be getting “clean bits”. He also talked about the move of the firewall to the desktop and server level, and the increasing popularity of host-based IPS.
Another company (can’t remember now – sorry) spoke of “zoning” using software instead of hardware VPNs, etc. This also came from the disappearing perimeter argument.
What this company called “de-perimeterization”, I simply call a “dynamic perimeter”. The perimeter was still there, it was just allowed to kind of flow to meet your requirements. It hasn’t disappeared at all.
What Microsoft proposed was simply a gargantuan DMZ between the ISP and our servers / desktops. He said that we should look at the network as just being another part of the Internet. I say he’s opening us up for a huge management problem by making us more closely manage of desktop firewalls and making us go to our ISP for opening ports, creating policies, etc. Yes, the ISP could give us a virtual firewall that we could manage, but then the ISP would not be able to guarantee clean bits, thus defeating the move of the firewall.
b. Though this has also been happening for the last couple of years, there seems to be a big push towards integrated firewall, IPS, switching, routing, etc. 3Coms acquisition of TippingPoint has them on this bandwagon. Juniper’s acquisition of NetScreen gave them a huge push in this direction. However, this flies in the face of the disappearing perimeter. I am not seeing how these two can work together. What I see is that the disappearing perimeter as a partial move by some companies, but it is still not a direction that many security experts are seeing as viable. Defense-in-depth is still taught by the vast majority of security experts, and creating a large gap with no security measures does not square with this tried-and-true practice. I see deperimeterization as something of a pipe dream for most organizations.
c. At last years RSA conference (2005), spyware was the big problem that almost no big security software vendors had a solution for. Now, everyone has a solution for it. It is amazing to me the way needs get met in security. Now, spyware is not longer the problem-de-jour (though it is still very much an issue).
d. Network Access Control (what I call sandboxing) is one of the big dogs this year. Everyone is tieing on to Cisco’s NAC right now, giving it extra functionality and rules. MS’s NAP is not there yet, but the promise seems very big. BUT, you have to be an all-MS shop to really take advantage, so I am not sure where that is going. Juniper and 3Com are also moving in this space, but I am not sure how successful they will be since they have limited marketshare with switching and routing. They seem to be an add on at this point, but Juniper can definitely play if they continue to gain share in the routing arena. Their security products (firewall, IPS, SSLVPN) are the best out there in this humble blogger’s opinion.
e. Compliance is and continues to be a huge issue. Now, the focus is on the scanning the network, auditing the results, and reporting complaince levels. Many companies seems to be giving all-in-one compliance solutions. They are tieing this in with their basic management products.
Overall, I see security moving more and more towards becoming this pervasive idea / strategy that will basically take over all apsects of IT. Manufacturers and software vendors of any real size will not be able to make a product without first considering security. It is becoming THE focus of IT, and I think that is a positive thing. Where the differences will be is which way the market decides to go. Some new aspects of security are too important and will be around no matter what (some type of access control, compliance, others), but others (deperimterization, security product integration) seem to be competing, at least in the enterprise. It is an exciting time in security. I am glad I am here to see it.