The Cloud, Convergence, Consumerization and Common Sense


An RSA Roundup

The Cloud has been everywhere at RSA this week permeating presentations and vendor discussions and casual discourse almost as much as foreign-originating cyberattacks.

What the tone of conversation reminds this writer of is the earliest days of the Web, when it was becoming obvious the Web and the Internet were disruptive, game-changing technologies--but no one truly knew exactly how the game would change or what their new position in it would turn out to be.

Worried about being left behind, many companies scrambled to "get on the Web." Some had a vision; others did it just to say they were there, often spending a lot of money for those bragging rights. It wound up taking some years before it became clear about how to integrate the Web into business processes and make the Web work as a tool.

The breathless cloud discussions at the 2010 RSA Conference in San Francisco have some of this tone of "we've gotta be in the cloud!" As we've talked to smart, smart people in security and identity management from CA, Hewlett-Packard, IBM, Microsoft, NetIQ, Novell, Splunk and VidSys, it's clear that some plain common sense needs to temper some of the cloud conversation--at least, if companies are to use the cloud with their security policies and procedures intact.

"A lot of [business] departments are buying Software as a Service (SaaS) without going through approval processes," said Nick Nikols, vice president, product management, identity and security for Novell in an interview with Security Squared.

Nikols said many CSOs/CISOs don't realize how much SaaS-based computing is going on in their organizations. Yet they and their enterprise are still accountable. "The fact that it's cloud-based doesn't mean security and compliance requirements don't apply," he said.

Further, some security experts argue cloud risks aren't fully understood. "That should be alarm enough," said Geoff Webb, senior product manager for NetIQ, a security information and event management solution vendor.

What Nikols, Webb and other sources say is that enterprises must extend their internal access-control and identity-proofing policies to whatever cloud or SaaS applications they use, whether they own them or buy them from a third party. The more automated this process, the better, so that enterprises can also shut off employees' access to SaaS apps when they leave. Otherwise, as Nikols put it, "there's not much" to stop them from accessing cloud apps and enterprise data whenever and wherever they choose.


Consumerization of Identity Management?

As we've reported, authentication of identities was a big theme all week as well. What struck us was how the notion of identity is likely to become more top-of-mind for increasingly tech-driven consumers in the U.S. 

First, it's not just within enterprises that identities need to be authenticated, but on rapidly proliferating mobile devices. Cisco announced its solution for tying enterprise mobile devices to enterprise networks at all times. Cisco has consistently talked about the power of mobile computing and social networking and the need for enterprises to secure them rather than forbid them.

Meanwhile, a raft of big players including Google and CA announced the formation of the Open Identity Exchange. Its goal is to facilitate the exchange of trusted online credentials among private and public bodies.

And Microsoft discussed its "End to End Trust" vision for the Internet this week, a component of which is U-Prove. The goal is to securely authenticate identities, yet do so by sharing as little data as possible, to help users feel more in control of their online persona.

What we wonder about these initiatives is if it's possible for consumer-oriented strong identities to trickle into the corporate and public environment. Some of that is occurring in Europe, as explained by Nora Cox, senior manager, product management, for Entrust, in an interview.

In brief, the intelligence and investment that's gone or going into national identity cards in places like Germany, Spain and New Zealand is being viewed as a source of identity proofing that other entities could accept for transactions as well.

A national ID card in the U.S., in the form of the DHS's RealID initiative, has been beaten down by privacy and security concerns. Still, as cybercrooks try to steal our real and digital identities, such efforts might take on new life and, just as consumers drove instant messaging and are driving social networking into enterprises, it could be they'll push some identity technologies in as well.

(Hey, it's RSA: We can blue-sky too.)

Convergence: It's the Data, People

Finally, we come to convergence--which has been present at RSA, if not always obvious. If one talks about physical security systems to IT security professionals, it doesn't track. But talk about matching data like physical access logs, sensor readings, inventory movement, etc., with login data, transaction data, change data--and lights go on.

Folks who "get it" include Splunk, which bills itself as an IT search engine. Splunk doesn't search the web, though; rather, it will comb through any and all enterprise systems, looking at logs and pulling out any data requested and running queries, such as "show me who came in door X at hour Y and what they did in system Z and how did sensor V react."

"Splunk is for when you don't know what you're looking for," said Mark Seward, director, security and compliance solutions marketing for the company. In talking with us, Seward said Splunk is popular with intelligence agencies and the Department of Defense as well as many retail enterprises. While the former are secretive about their uses, the latter turn to Splunk to help them see such things as how long their customer service calls take and why.

"It helps break down silos between operations guys and security," said Seward. "They're siloed until they start sharing data and seeing the implications."

That data sharing and correlation is the heart of convergence, not just IP-based systems and integration of physical security on the IT network.
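The door-to-login correlation Seward describes, as an added example (not Splunk's code or the article's): two constructed feeds, a badge-reader log and an application login log, are parsed and joined to answer "who came in door X at hour Y and what did they do in system Z", and to flag logins that have no matching badge entry. The log format, door IDs, system name and user names are all invented for the example.

```python
from datetime import datetime, timedelta

# Constructed sample feeds (not from the article): a badge-reader log and an
# application login log, the two sources the convergence discussion pairs.
BADGE_LOG = """\
2010-03-03 08:02:11 door=D7 badge=alice result=granted
2010-03-03 08:05:40 door=D7 badge=bob result=granted
2010-03-03 08:06:02 door=D2 badge=carol result=denied
"""
LOGIN_LOG = """\
2010-03-03 08:15:30 system=ERP user=alice src=10.1.4.22 result=success
2010-03-03 08:20:05 system=ERP user=carol src=10.1.4.31 result=success
2010-03-03 09:45:12 system=ERP user=dave src=10.1.4.40 result=success
"""

def parse(log):
    """Turn 'YYYY-MM-DD HH:MM:SS key=value ...' lines into dicts with a 'ts' datetime."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        date, time, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events

def who_entered_then_did(badge_log, login_log, door, hour):
    """Seward's query: who came in door X during hour Y, and what did they then do?"""
    people = {ev["badge"] for ev in parse(badge_log)
              if ev["door"] == door and ev["ts"].hour == hour and ev["result"] == "granted"}
    return {p: [(ev["system"], ev["ts"].strftime("%H:%M:%S")) for ev in parse(login_log)
                if ev["user"] == p and ev["result"] == "success"] for p in sorted(people)}

def logins_without_badge(badge_log, login_log, window=timedelta(hours=8)):
    """Flag successful logins with no granted badge entry for that person in the
    preceding window: the physical/logical mismatch that only a joined view reveals."""
    granted = {}
    for ev in parse(badge_log):
        if ev["result"] == "granted":
            granted.setdefault(ev["badge"], []).append(ev["ts"])
    flagged = []
    for ev in parse(login_log):
        if ev["result"] != "success":
            continue
        seen = granted.get(ev["user"], [])
        if not any(ev["ts"] - window <= t <= ev["ts"] for t in seen):
            flagged.append((ev["user"], ev["system"], ev["ts"].strftime("%H:%M:%S")))
    return flagged
```

On the sample data, carol (badge denied) and dave (no badge event at all) are the logins a reviewer would want to look at; alice's login lines up with her door entry.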

"It's all about data, regardless of the system it comes from," said David Fowler, senior vice president, marketing and product development, for VidSys, a physical security information management vendor, in an interview with us. "Not all of it is contained in or generated by security systems."

That's common sense--and cutting through all the technical issues and divisions of security labor, it's what convergence is all about. We'll bring you more of the IT perspective on that as our RSA follow-up and feature coverage continues next week.
