How dare it take me so long to do the follow-up on the RSA Conference. It has been weeks, and I should have been better at getting an update out. I will be honest that my goal was to write a blog post after each day, but you know how that goes. Somehow San Francisco got the best of me. I must admit that I had a great time. This time, the conference was different for me. Yes, I got to do booth duty, but I also got to spend time with my fellow vSpecialist security lovers. At the conference were Joe Adams (vJoeAdams), Jim Brigham (@i2speakgeek), Brian Lewis, and Aaron Sanchez-Delgadillo (@aaronesd). We each experienced different sessions of the conference, taking in the components that we thought were most beneficial.
I want to get it out there that the best comment I heard was… “Cloud is like a chicken nugget. It looks good on the outside, it tastes good, but you never really know what is in it.” How great is that? I mean, that is what the entire battle of the cloud comes down to, right? Sometimes I think that people mention security as their concern regarding the cloud because they think that is what they are supposed to say, but when it comes down to it, I feel like they don’t want to know. Not knowing gives you an excuse and in some cases lets you blame others. It is almost like that line: what you don’t know can’t hurt you. Now I am not saying that people actually say that they don’t want to know. I mean, how would that make them look? I do think that this is what they say to themselves, though. Which leads me to the second HUGE thought and conversation that I had at the conference….
Security vs. Compliance… Are you doing compliance, and because you are compliant, do you think you are secure? Now this isn’t a new thought… It isn’t like I came up with it on my own, but I have noticed (after four RSA Conferences) that people still think like this: that because they are compliant or implementing compliance, they are secure. So let’s focus on compliance first. There are always two types of people, right? Those that do compliance for the check mark and those that really believe in what they are doing. The first party doesn’t want to know what is inside the chicken nugget because it tastes so damn good, and that is all they know. Then there are those that want to know that there are no by-products in there and even want to know the calories associated with the chicken nuggets. So… which one are you? I mean seriously, do you want to do compliance or do you want to check a box? Now granted, I started this thought process talking about security and compliance, and you can’t necessarily put them in the same bucket, but in reality, performing compliance tends to lead to security (in my opinion). By implementing the control standards and the requirements, you establish a level of security. Of course, that isn’t all you need, but for some, I will take it at this point. Some other great and bad things that I heard at the conference are listed below (wow, did I get some good material for future blog posts):
- threats move at network speed
- regulations and laws are rarely wanted in the beginning, but they are needed. For example, seatbelt laws were hated in the beginning, and now you never get in a car without putting one on
- we have a plan for the exploit and for the attack back but we do not have a plan for defense
- legislation is necessary but insufficient. We do not have a good plan
- private cloud is just a public cloud behind a firewall
- it is the responsibility of the implementer to turn the security switch on
- provide updates to the clients within 24 hours when there has been a breach
- passwords are the Achilles heel of cloud security
- can’t solve problems unless you know the problems
- business is changing to lower costs, but it ends up increasing security needs