As the week of the 20th RSA Conference winds down, it only seemed appropriate to use the week of security as a post. I wanted to make it clear first off that the RSA Conference is not owned by RSA, The Security Division of EMC. RSA is just the largest sponsor of the event. This is why you see other vendors during the sessions and keynotes. We tend to have the largest booth on the expo floor but our competitors are on the floor too. The RSA booth this year was impressive and incredibly busy. I had booth duty this past week, focusing specifically on the Vblock 0 that we had in the RSA booth as well as the security components surrounding it and the cloud capabilities, for instance the Cloud Security and Compliance Solution that I discussed on the last post and the Cloud Trust Authority that we announced early in the week. It was a great week for cloud, virtualization, and security. It was as if all my favorite things were together for one week.
People were incredibly interested in the two Vblocks we had on the floor (one in the RSA booth… great idea by the way and one in the VCE booth). They were interested in what it provided to them as a company but most importantly, they were interested in the components that would secure it. People were so excited to know that there is finally a solution that had security options. Last but not least, Harris Corporation and Lockheed Martin both had press releases regarding the Vblock and securing it. There were also press releases focusing on a partnership with RSA and McAfee. VCE announced the Vblock Infrastructure Platforms Trusted Multi-Tenancy Overview… people were begging for hard copies and it should be available on www.vce.com this week.
Out of the sessions that I did attend though, the highlights of the discussions (I attend very few vendor sessions) was the need to protect the applications. Many of the speakers indicated that it was not about the infrastructure as much as it was about the applications. Or maybe that the infrastructure is now covered and we need to move on to something else. “The need for secure code is more important then ever” was the consensus … not sure I agree with that statement… I think it has always been important. Lets be clear though… when I refer to infrastructure, I am referring to all aspects that the application sits on. I am referring to the server, the router, the firewall, the network, all of it. It has always been defense in depth but didn’t that always include the software? I question why it is that we keep jumping around to the various aspects of the infrastructure. Is it perimeter-centric security or information-centric security? It is all of it…. this includes the applications. We keep talking about being proactive versus reactive and yet nothing ever changes. We / I keep talking that we have the chance to get it right and yet we are just now talking about creating safe applications. Then again, maybe we did get it right and in the mean time forgot about the applications. I understand that the threat constantly changes and the attackers go to the easiest point but we should have known that. Secure code is not a new thing so why did it come up multiple times. if you are unfamiliar with safe code, a good site for information is www.safecode.com. I think they say it best… safe code is “increasing trust in information and communications technology products and services through the advancement of effective software assurance methods”. This is a non-profit organization that aims to “identify and promote best practices for developing and delivering more secure and reliable software, hardware, and services” with members including organizations such as Juniper, Microsoft, and EMC. Maybe the fact that there are only seven companies participating, means that it is has not been top priority. I love that we are talking about it… it is important but actions will always speak louder than words. We need to protect from top to bottom… there is no debate over this topic. We can never lose sight of the problem… reducing risk. It is true, protecting the applications is important but can we please talk about what it means to protect the entire solution. It isn’t about products and product companies, it is about the security concepts that have been created over time and will continue to be created.
Side note: Best line of the week in my opinion, “run towards the risk”. How poignant is that? If you run from what you fear, you will never learn from it, you will never make anything better. Running is never the answer. Tackle it, respect it, and fix it.