Several striking aspects:
- All presentations about security in a virtualized environment were mobbed. People were pretty angry when turned away at the doors of the presentation rooms, but fire marshal regulations prevented people from standing at the back. It appears this is the “next interesting thing” in security, and there is great curiosity. On the reality side, there were very few products or technologies for sale to address the potential issues. I believe there are a great many startup companies currently in stealth mode in this area.
- The days of radical and revolutionary change in security from the late ’90’s and early ’00’s are way over. The big vendors seem to be just pulling together “fix it all” suites as best they can through acquisitions.
- Michael Chertoff’s presentation was a tad scary: he mentioned that government agency computers are all interconnected, and that security is not consistent across all agencies (some have 24/7 monitoring for security and some don’t). This is bad for the obvious reason – just like in the movies, the bad guys can find an innocuous-looking, under-protected entrance and get to the agencies of interest. The other scary part was that Mr. Chertoff seemed to think 24/7 monitoring was the main thing. I’d tend to focus on preventative measures, vulnerability assessment, intrusion detection, user training, Identity and Access Management, strong authentication and other areas as well, but they were not mentioned.
- Bruce Schneier’s presentation on security rationalization was provocative. He focused on the separation between reality, feelings and the models built by “experts” when it comes to assessing security risks. One example was the Tylenol scare, which was successfully addressed from a commercial standpoint by adding hermetic seals to bottles. It made people feel better, even though in reality a syringe could still inject poison pretty easily; people feel better regardless. He also introduced the notion of “security theatrics”, where the media and security vendors exaggerate risks and cause people to feel bad when the reality just doesn’t match. Interesting concept.
RSA Conference is growing: attendance was estimated at 17,000.