RSA Conference 2002: Where FUD Gets Down to Business

Tester's Choice: This year's RSA Conference was a witches' brew of federal money, a rowdy crowd of nervous-but-not-showing-it second-tier players, serene market leaders, and circling, savvy IT security managers.

The RSA Conference, one of the longest-running computer security shows, was held in San Jose, Calif., during the week of Feb. 18-22. It was a witches' brew of federal money, a rowdy crowd of nervous-but-not-showing-it second-tier players, serene market leaders, and circling, savvy IT security managers.

According to President Bush's 2003 budget proposal, IT spending by the federal government will jump another $7 billion, to $52 billion, most of which is meant to boost so-called homeland security. At the RSA Conference, it looked more like a New Deal program for high-tech security companies.

On the show floor I saw a plethora of "security solutions" maneuvering for visibility in front of government agencies and merger-minded big players. After talking with nearly 30 different companies over three days, it became clear that many of the showy second-tier companies are exploiting potential or real weaknesses in market leaders to get mind space.

For example, one interesting company, TippingPoint Technologies, touted its 3-in-1 intrusion detection, firewall and vulnerability assessment tool that runs on a proprietary OS. TippingPoint couples the product with a vulnerability update service. This is a direct challenge to established companies such as NetScreen, which uses ASIC-based technology to get blisteringly fast performance but can be relatively slow when it comes to updating new attack profiles.

TippingPoint also rattles the cage of Check Point Software Technologies' FireWall-1, a software-based product that is widely used even though it's often beaten in straight performance tests.

Name dropping

Market leaders RSA Security, Netegrity and Internet Security Systems were mentioned in nearly every interview I conducted. At the show, these companies were placid in the face of the rabble, but all are clearly thinking about the technology challenges facing IT managers. For one thing, the implementation and education sessions I attended were packed with savvy IT staff who asked thoughtful questions about the best way to plan for security in a wireless network and about upcoming standards development, again, especially concerning wireless networks, which are areas that are still emerging turf.

There are still plenty of companies vying to answer IT managers' tough questions with their products. For example, there were at least 11 companies hawking user identity management products (including Authenex, Authentica, Authentify, BioPassword Security Systems, Bridgewater Systems, Business Layers, Courion, Digital Signature Trust, IBM, Iridian Technologies, Novell, Oblix and Passlogix). There were also at least five smart-card vendors (ActivCard, Datacard Group, Datakey, Gemplus and SchlumbergerSema) and an innumerable swarm of VPN hardware and software products.

Nearly all vendors were talking about services in addition to their products, in part because integrating security into existing networks is quite difficult, but also because security vendors are discovering that they need an ongoing revenue stream to stay in business.

The conference was also swirling with more informal themes, including what to do about wireless, personal privacy, attack mitigation, the role of litigation in security (and it is coming on strong), identity management and what's the best way to implement crypto.

My advice is to think back to Sept. 10. What were your biggest security concerns then? For most IT managers, those should be the biggest concerns today.

As I packed up my laptop and tape recorder, I left the show with a mix of feelings. On one hand, it's always a good thing to cover a maturing technology that has real value for IT managers and that lends itself to hard-science analysis (using X amount of computing power for Y hours will break Z level of encryption).

On the other hand, seeing so many distrustful people gathered together at an event designed to promote fear, uncertainty and doubt made it clear that eWeek's coverage (we had two news reporters and two technical analysts covering the event) was needed to bring a practical perspective to bear on the subject.

Senior Analyst Cameron Sturdevant can be contacted at [email protected]