I attended the RSA conference this year, as I always do, and spent most of the time talking with attendees and clients about what they were learning and trends they were seeing. Here is a summary of what we discussed.
Although mobile security concerns seem to be a theme, I tried to dig deeper, and it seems that more than a few people are concerned about the upcoming changes to Facebook’s currency model. Facebook plans to force all users to use “Facebook Credits”. The worry is that since Facebook is on virtually every smartphone in the world, the digital wallet may come to the consumer faster than expected via Facebook. The Facebook Credits system is similar to PayPal or Google Checkout; however, since mobile phones don’t normally contain identity information, they haven’t really been targeted. Once a Facebook account can store credits, like a bank account, having a mobile virus or Trojan that steals your Facebook login/password will be akin to stealing your bank account username and password. I think we have heard this story before…
The cloud is always a hot topic, but it seems as if nothing has changed. It is all about cost savings, at whatever cost to security. As Dave, CSO from eBay, put it: Vivek Kundra, White House CIO, plans to save over 20 billion by moving to the cloud, and when you are saving 20 billion, who lets security get in the way?
Other people were more realistic and have conceded that the cloud will happen and they need to have data classification and risk management processes in place to ensure the *right* data moves to the cloud. A couple of cloud vendors mentioned that they will need to educate their customers on how to do risk management and data management so that their customers can securely move to the cloud. This is a departure from the “We don’t talk or tell you about our security processes” stance the cloud vendors had last year.
Also, Symantec is making a big splash with their .cloud initiative, which is a marketing rebranding of all their cloud offerings, including cloud-based endpoint protection, cloud email encryption and filtering, and cloud-based web filtering. While the moniker may be funny and many have laughed at it, it is simple and effective. AV.cloud sounds much better than “cloud-based anti-virus”. Marketing changes aside, not much has changed in terms of the technology behind the solution, but Symantec is committed to heavily investing in .cloud and becoming the premier cloud security services provider in the world.
As I met with attendees and vendors, I asked if CIOs were adding cloud security services into their ROI analysis when moving their data to the cloud; almost everyone said no. Is this an indicator that cloud services don’t apply to the enterprise, or perhaps that the security CIOs want is “real security controls” on the platforms, operating systems, and databases in the cloud rather than just moving their security tools from on-premise to the cloud? It seems to me the only people looking at cloud security services are the SMBs.