The RSA conference was held last week in San Francisco and what an event it was… 23,000 participants, 350+ companies, countless education sessions and copious quantities of food and drink.
The Mandiant report came out the week before and that had created a lot of buzz which did not abate. But what was the overriding theme? To me it was ‘big data’ (security buzzword of the year 2013!) or, rather, it was the fact that security today is starting to require an awful lot of data to be collected and analysed.
The term ‘security analytics’ was used by multiple speakers – so expect that one to make the buzzword list next year. The latest generation of APTs (Advanced Persistent Threats – and the runner-up in security buzzword of the year 2013) are stealthy, and there is no silver bullet to prevent them. Defence in depth is still required – and one of those defences is to collect vast quantities of information and then analyse it for anomalies that point to security issues. It is the quantity of this information (terabytes and petabytes) which turns it into a ‘big data’ problem – or one that requires a ‘big data’ solution. Spotting the useful information in this mass of data is the old needle in a haystack – not something that can be done by hand, or reliably, even with all the smart tools that exist.
We (as an industry) have a new challenge here: if, as we are told, there are increasing cyber-attacks on businesses of all sizes, then how can we help those companies which do not have the expertise and resources (time, money and people) to combat them – the ‘security-poor’, as they were labelled at the conference?
Tools need to become even easier to use, and not require large numbers of professional services personnel (aka consultants) to get the solutions installed and providing value back to the organisation. How can we turn the information collected into ‘everyday value’ rather than just forensic insurance – evidence that is only consulted after a breach? There isn’t an answer today (and especially not one that falls into the affordable bracket), but we need to look for one.
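The ‘collect it all, then look for anomalies’ approach described above is easier to judge with a concrete pass over log data. The following is an added example for this page, not code from the original author or from any product shown at RSA: it builds a per-user baseline from a fortnight of sshd-style authentication lines and then scores the next day against it with two rules (a failed-login volume rule and a ‘never seen before’ rule for source address and hour). The log format, the thresholds, the account names, the addresses and every log line are constructed assumptions for the illustration. It also shows the haystack problem in miniature: a quiet account has a baseline standard deviation of zero, so a naive z-score would flag a single typo, which is why the volume rule floors the deviation and demands an absolute minimum count.

```python
"""Anomaly hunting over authentication logs. Added illustration, not code from the
original post; the log format, thresholds and all sample data are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# sshd-style lines with an ISO timestamp prefix (assumed format, not real sshd output).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)
CUTOFF = datetime(2013, 2, 25)  # start of the day being scored (constructed)


def parse(line):
    """Return a dict for a recognised line, None otherwise (unparsed lines are counted, not silently dropped)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    return e


def constructed_logs():
    """Deterministic constructed data set: fourteen ordinary days, then one bad day."""
    lines = []
    start = datetime(2013, 2, 11)

    def add(ts, result, user, ip, port):
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} bastion sshd[{4000 + len(lines)}]: "
                     f"{result} password for {user} from {ip} port {port} ssh2")

    for day in range(15):
        base = start + timedelta(days=day)
        if day < 14:  # alice: three office-hour logins from her desk on ordinary days
            for i in range(3):
                add(base + timedelta(hours=9, minutes=5 + 40 * i), "Accepted", "alice", "10.0.0.5", 51000 + i)
        # bob: one typo then a success every morning, including the bad day (must not be flagged)
        add(base + timedelta(hours=8, minutes=50), "Failed", "bob", "10.0.0.7", 52000)
        add(base + timedelta(hours=8, minutes=51), "Accepted", "bob", "10.0.0.7", 52001)
    # Bad day: a password spray against alice at 03:00 from an unseen address that ends in a
    # success, plus a scanner probing a non-existent account.
    bad_day = start + timedelta(days=14)
    for i in range(40):
        add(bad_day + timedelta(hours=3, minutes=i), "Failed", "alice", "203.0.113.9", 40000 + i)
    add(bad_day + timedelta(hours=3, minutes=41), "Accepted", "alice", "203.0.113.9", 40041)
    for i in range(12):
        add(bad_day + timedelta(hours=3, minutes=i), "Failed", "invalid user admin", "198.51.100.4", 30000 + i)
    return lines


def build_profile(events, days):
    """Per-user baseline: source IPs and hours of successful logins, plus a failed-login
    count for every baseline day (zeros kept, so quiet accounts get a real distribution)."""
    index = {d: i for i, d in enumerate(days)}
    profile = {}
    for e in events:
        p = profile.setdefault(e["user"], {"ips": set(), "hours": set(), "failed": [0] * len(days)})
        if e["result"] == "Accepted":
            p["ips"].add(e["ip"])
            p["hours"].add(e["ts"].hour)
        else:
            p["failed"][index[e["ts"].date()]] += 1
    return profile


def detect(lines, cutoff):
    """Score events at or after cutoff against a profile built from everything before it."""
    events = [e for e in map(parse, lines) if e]
    unparsed = len(lines) - len(events)
    baseline = [e for e in events if e["ts"] < cutoff]
    recent = [e for e in events if e["ts"] >= cutoff]
    days = sorted({e["ts"].date() for e in baseline})
    profile = build_profile(baseline, days)
    findings = []

    # Rule 1, volume: failed logins per user per day versus baseline mean + 3 sigma.
    failed = defaultdict(int)
    for e in recent:
        if e["result"] == "Failed":
            failed[(e["user"], e["ts"].date())] += 1
    for (user, day), n in sorted(failed.items()):
        hist = profile[user]["failed"] if user in profile else [0] * max(len(days), 1)
        mu, sigma = mean(hist), pstdev(hist)
        # A quiet account has sigma == 0, so a raw z-score would flag a single typo;
        # flooring sigma and requiring an absolute minimum keeps the rule usable.
        threshold = max(mu + 3 * max(sigma, 1.0), 5)
        if n > threshold:
            findings.append(("volume", user, str(day), f"{n} failed logins, baseline mean {mu:.1f}"))

    # Rule 2, rarity: a success from an address, or at an hour, the baseline never saw.
    for e in recent:
        if e["result"] != "Accepted":
            continue
        p = profile.get(e["user"])
        if p is None:
            findings.append(("new-user", e["user"], e["ip"], "no baseline for this account"))
            continue
        if e["ip"] not in p["ips"]:
            findings.append(("new-ip", e["user"], e["ip"], f"first success from this address at {e['ts']:%H:%M}"))
        if e["ts"].hour not in p["hours"]:
            findings.append(("odd-hour", e["user"], e["ip"], f"success at {e['ts'].hour:02d}:00, usual hours {sorted(p['hours'])}"))
    return findings, unparsed


def run_example():
    return detect(constructed_logs(), CUTOFF)


if __name__ == "__main__":
    found, skipped = run_example()
    for kind, user, where, note in found:
        print(f"{kind:9} {user:6} {where:12} {note}")
    print(f"{skipped} unparsed line(s)")
```

On the constructed data the pass produces four findings: two volume alerts (the spray against alice and the probe of the non-existent admin account) and, for alice's eventual successful login, one new-address and one odd-hour alert; bob's daily typo stays below the floored threshold. Scaling the same idea to petabytes is a storage and query problem, but the rules themselves, and the care needed around sparse baselines, do not change.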
One message that came through at the RSA Conference was that not every security defence needs a substantial and on-going investment. In the case of information governance, for example, we are seeing that success comes through a diligent approach to security, rather than through big budgets.
The other theme which was apparent was identity. This is an increasing challenge for us all, especially with the growth of BYOD and cloud collaboration. Once more, there isn’t a solution today which works everywhere – even though there were numerous vendors touting their individual solutions at RSA.
A new open identity initiative was launched (www.globalidentityfoundation.org) to build on the Jericho Forum Identity Commandments. This programme looks promising, as it is a pragmatic approach to the global issues which need to be addressed – I look forward to seeing the progress next year.
And so to next year… this year, the place was buzzing, from the first day to the last – and that included the booking office for next year. I suspect the exhibition hall will have sold out by the time you read this. We have booked our space… and it’s twice as big as this year – but, then again, we will have more than twice as much to show. To RSA 2014… hope to see you there.