By Larry Kovnat, Senior Manager of Product Security, Xerox Global Product Delivery Group
Representing Xerox, Larry Kovnat and Doug Tallinger attended the RSA Conference on February 27 to March 2, learning and talking all things security. Below, Larry offers his perspectives on the most interesting and insightful moments of the conference.
Art Coviello, Executive VP of EMC and Executive Chairman of RSA gave the opening keynote at RSA. The show started off with a gospel chorus coming on stage to sing the Rolling Stones, “You Can’t Always Get What You Want” with a little bit of Aretha Franklin’s “Respect” in the middle. The thing I remember is Mr. Coviello’s call for increased cooperation and information sharing in the security industry.
On Wednesday, I listened to an unexpectedly good keynote from Philippe Courtot, CEO of Qualys. He had an interesting point that the cloud and the plethora of mobile devices, which are really essentially thin clients, are taking us back to the old mainframe days. That makes him optimistic for security because you can keep all the important information in one place and concentrate the security resources there. But in the next talk, Stuart McClure of McAfee basically contradicted Courtot’s point when he said that if I’m a bad guy and I know all the good stuff is in one place, then guess where I’m going to attack?
Both points of view are valid in their own way. The “Duality of Security” you might call it. Two contradictory ideas held simultaneously. Both ideas are right, yet both ideas are also somehow wrong. You can try to reconcile them, or try to make them complementary.
I think the truth is that what will happen is that the focus will oscillate. Right now, everyone is rushing to the cloud because of the promise of mobility and the advantages for security. But, I expect somewhere down the road the trend will move back the other way and that people will once again demand more local control of information and compute power. The concept of the duality of security is kind of Zen, isn’t it? I like that.
What was my overall impression? Listening to the speakers, I started to think about why people continue to take risks online. Why is IT equipment still being installed on the network with defaults unchanged? Why are user accounts not being set up?
For an answer I’ll take an analogy from history. It took 50 years to go from the Model T to the first seat belts installed in cars. The death rate was alarming, but people loved their cars anyway. They just had to accept the risk if they wanted the personal freedom that a car brought them. I think we’re sort of in the same phase in terms of computer security, but we probably don’t have 50 years to get it right. We can count on the cycle time of the current era to help us there, but remember that it finally took government intervention to require seat belts and air bags. So does the security industry want to wait for government to intervene in order to force change?
I think the answer is in many of the things discussed at the conference: better information sharing, better training and recruitment of new security professionals, and maybe most important, making security simple. Simple does not mean security is off. It means it’s on, but unobtrusive, running in the background, literally watching our backs as we go about our business.