With a focus on what is not working, the annual RSA Conference was rife with ideas, but few solutions. Keynote speakers at the event claimed that vendors have over-hyped the cloud, and that developers and operators need to focus on securing their services, while vendors and providers need to figure out the security of clouds before businesses can really move there.
The RSA Conference, which took place earlier this week in San Francisco, kicked off with an overflowing session on security in the cloud. It was a potent metaphor for the conference’s focus on services and trust.
Phillip Dunkelberger, CEO of data encryption company PGP, said in his keynote address that security in the cloud needs to be similar to the security used on mainframes in the 1960s and 1970s, such as having users share a system and keeping them out of each other’s sensitive information through access controls.
He recommended reading the best practices produced by the Cloud Security Alliance, which were released last April.
Dunkelberger added that vendors have over-hyped the cloud and have yet to solve the fundamental security problems therein. The most notable missing piece, he said, is a solution for federated trust within the cloud. He then told the audience that moving to the cloud was akin to leaping off of a cliff for most businesses.
Tough on cybercrime
For enterprises, the focus was on securing services. Al Zollar, general manager of Tivoli at IBM, advocated proven development processes as a solution to services security woes.
“In all cases, we have to be ahead of the bad guys. We have to design security into the services,” he said.
“Vulnerabilities arise from people refusing to follow proven, repeatable design processes. We’re doing this with the thought in mind that with strong business security will come strong prosperity.”
Zollar later announced the founding of the IBM Institute for Advanced Security, which will collaborate with academic institutions to further the state of cybersecurity.
FBI director Robert Mueller used his keynote on the final day of the conference to ask businesses to work together with the FBI to identify cybercrime. He specifically called upon businesspeople at the show to ask them to report systems breaches promptly rather than keep them a secret.
“We in the FBI understand that you have practical concerns about reporting breaches of security. You may think this will harm your competitive advantage,” he said. “We do not want you to feel victimized a second time. We will minimize the disruption to your business. We will seek, when necessary, protective orders to protect business secrets and confidentiality.
“No one country, no one agency can stop cybercrime. A ‘bar the windows and block the doors’ mentality will not work. Together, we can find better ways to safeguard our systems and stop and incarcerate those who would do us harm. We both serve the American people, and we must do what we can to stop and minimize these attacks.”
Janet Napolitano, director of the U.S. Department of Homeland Security, spoke earlier in the week. She announced a competition to create a marketing campaign for increasing public awareness of computer security issues.
Napolitano admonished the audience to increase its security efforts, and to focus on using proper security practices when building software. She also advocated increasing the speed in which teams respond to security issues.