RSA Conference: Security Issues from the Cloud to Advanced Persistent Threats
The 20th annual RSA Conference in San Francisco came to a close Feb. 18, ending a week of product announcements, keynotes and educational sessions that produced their share of news. This year's hot topics: cloud computing and cyber-war.
The conference included a new session track about cloud computing, and the topic was the subject of the keynote by Art Coviello, executive vice president at EMC and executive chairman of the company's RSA security division. Virtualization and cloud computing have the power to change the evolution of security dramatically in the years to come, he said.
"At this point, the IT industry believes in the potential of virtualization and cloud computing," Coviello said. "IT organizations are transforming their infrastructures. ... But in any of these transformations, the goal is always the same for security-getting the right information to the right people over a trusted infrastructure in a system that can be governed and managed."
EMC's RSA security division kicked the week off by announcing the Cloud Trust Authority, a set of cloud-based services meant to facilitate secure and compliant relationships between organizations and cloud service providers by enabling visibility and control over identities and information. EMC also announced the new EMC Cloud Advisory Service with Cloud Optimizer.
But the cloud was just one of several items touched on during the conference. Cyber-war and efforts to protect critical infrastructure companies were also discussed repeatedly. In a panel conversation, former Department of Homeland Security Secretary Michael Chertoff, security guru Bruce Schneier, former National Security Agency Director John Michael McConnell and James Lewis, director and senior fellow of the Center for Strategic and International Studies' Technology and Public Policy Program, discussed the murkiness of cyber-warfare discussions.
"We had a Cold War that allowed us to build a deterrence policy and relationships with allies and so on, and we prevailed in that war," McConnell said. "But the idea is the nation debated the issue and made some policy decisions through its elected representatives, and we got to the right place. ... I would like to think we are an informed society, [and] with the right debate, we can get to the right place, but if you look at our history, we wait for a catastrophic event."
Part of the solution is partnerships between the government and the private sector.
"One of the biggest issues you got-[and] unfortunately we haven't made enough progress-we need better coordination across the government agencies, and from the government agencies to the private sector," Symantec CEO Enrique Salem said. "I think we still work too much in silos inside the government [and] work too much in silos between the government and the private sector."
The purpose of such efforts is to target advanced persistent threats (APTs).
"Part of the problem of when you define [advanced persistent threats], it's not going to be like one single piece of software or platform; it's a whole methodology for how bad guys attack the system," Bret Hartman, CTO of EMC's RSA security division, told eWEEK.
"They're going to use every zero-day attack they can throw at you," he explained. "They are going to use insider attacks; they're going to use all kinds of things because they are motivated to take out whatever it is they want."
The answer, Hartman said, is a next-generation Security Operations Center (SOC) built on six elements: This vision includes six core elements: risk planning; attack modeling; virtualized environments; automated, risk-based systems; self-learning, predictive analysis; and continual improvement through forensic analyses and community learning.
Preventing attacks also means building more secure applications. In a conversation with eWEEK, Brad Arkin, Adobe Systems' director of product security and privacy, discussed some of the ways Adobe has tried to improve its own development process, and offered advice for companies looking to do the same.
"The details of what you do with the product team are important, but if you can't convince the product team they should care about security, then they are not going to follow along with specifics," Arkin said. "So achieving that buy-in to me is one of the most critical steps."