Notes from on the ground at the RSA Conference in San Jose.
It was a little jarring to discover that a show about security had become a show of security. At the outset, getting to the scant few booths here required running a gauntlet of law enforcement from just about every California agency as well as a beefed-up cadre of red-jacketed private guards. Bomb-sniffing dogs completed the ensemble and gave the impression that this was a force serious about keeping us show-goers safe.
But how safe were we, really? By day two, attendees were having great fun posing for photos with the K9 units, and access control at the show had become spotty at best. The security, it turns out, was mostly for show. For the thousands of technology security professionals and experts gathered here, the parallels were obvious. The way we approach the safeguarding of anything, people or data, is often hampered by the same underlying missteps.
All show and no go: Cops with dogs are an impressive sight, but when they are stacked up at a single entrance and made to wander aimlessly as more of a point of interest than a viable defense, their effectiveness is negated. Security tools need to be big and toothy and fearsome, but they also need to be smartly and strategically deployed. They also need to be engaged ... always. They are not ornaments. Lesson: Work your dogs.
Technologies are only as good as the folks running them: The RSA show featured photo ID badges printed on site. This sparked a human version of facial recognition access control at each doorway. But the difference in diligence among the guards was notable. Some waved folks through with hardly a glance while others, even once theyd learned your name and seen you a dozen times, had to study the face to be sure you could pass. One guard checked my badge nine times in three days and told the same joke every time. Hed point to the image of Mary Queen of Scots on the RSA pass, chortling, and say, "That doesnt look like you." The first four times, it was a hoot. Lesson: Keep all of your guards on the same page.
Some things are not worth protecting: OK, I stole that line from @Stake, but its essential truth was in evidence at RSA. Separate guards had been posted within the already-secured hall to check badges coming in and out of the press area. Look, I hate it when exhibitors wander into the pressroom and steal our Danishes and fruit, but with everything else going on, this security resource could have been better used elsewhere. Lesson: This stuff is expensive, use it wisely.
Concentrate on the real soft spots: I dont know how much danger any of us was in at RSA. What does a collection of IT guys and government officials and ex-hackers and mathematicians and reporters rate on the terrorist target scale? The band Cheap Trick was there; so was Kevin Mitnick. Neither has had a Top 10 hit in a while. But if the point was to safeguard the folks at RSA, then concentrating the security inside the convention center left a gaping hole. Several times a day, hundreds of attendees crossed San Carlos Street en masse to get to the general sessions. Hundreds of them, on a set schedule, trundling through a crowded crosswalk. Bad guys could have done more damage with a Ford Expedition out on the road than they could have ever wrought inside. Lesson: Remember that every system has a place where the goods must occasionally cross the road.
Coming back from RSA, its easy to feel that security is a mishmash of things—mostly people-dependent—that tries hard to put on a good show but remains porous. Perhaps its the location. Maybe its the folly of trying to turn a convention center in the heart of downtown San Jose into a secure facility. It was never meant to be that. You want a secure conference? Rent Cheyenne Mountain. If you want digital security, maybe an Internet that was built to let everyone connect to everyone and everything is a questionable venue.
E-mail eWEEK Deputy News Editor Chris Gonsalves