Top 10 themes from RSA Security Conference


5. End to end security

Iain Thomson: As attacks increase, security professionals are having to go into more and more detail to secure data from beginning to end.

The situation was likened by one to that of his dog, who is an avowed escape artist. "Every day when I leave for work I watch him on a web cam and he just circles the yard all day, looking for loose planks and a way out." It's the same with hackers.

So end to end security is getting more and more important. Hackers are probing the whole data transfer route looking for weak spots. Sooner or later they find one that can be sprung and are through. It makes life a lot more complicated for the busy security professional.

Shaun Nichols: End-to-end security is one of those things that arrives and everyone asks "why didn't we think of this sooner?" It just makes sense that your anti-malware software should be able to communicate with your anti-spam and phishing filters. The idea of end-to-end protection isn't just hype, it is also a very cool idea.

The idea is of course being championed by the larger firms such as McAfee and Trend who already offer complete security suites, but now there are also rumbles from the smaller companies, advocating open standards which could allow users to mix and match smaller tools and still get an end-to-end system.

That idea is especially popular amongst network security experts who argue that large enterprise networks and databases are too big and valuable to be trusted to a single security package.

4. Application Security

Shaun Nichols: OS exploits are so 2006. These days, the bad guys are targeting higher-level targets; vulnerabilities at the application level.

Why is this such a risk? Think about how much more work is done in applications these days, particularly web browsers. An exploit targeting a flaw in Java or Acrobat can allow for a security breach with very minimal user interaction or notification.

To make matters worse, application developers don't have the sort of money or manpower that an operating system like Windows or Linux will have. This means that patches can often take longer to develop, leaving vulnerabilities exposed for longer periods of time. This has become a major topic of discussion at RSA as security professionals discuss ways to prevent these sorts of attacks.

Iain Thomson: It's a measure of how much Microsoft has picked up its game and IT administrators have improved patching that hackers are now turning to applications.

Applications also make a lot more sense to target. After all, there's usually only one operating system and many applications on a computer and patching them all is a nightmare. There's always going to be one that hasn't been patched properly.

There's little that can be done in the short term, the problem is just too big. I was very impressed with Secunia's free application scanning utility, I'd recommend giving it a go.

3. Collaboration

Iain Thomson: RSA set collaboration as one of the themes of the show and I have to admit I was a little cynical about this.

Security is a business and whenever I think about businesses collaborating I think of cartels like OPEC or De Beers or Microsoft working on standards only to subvert them for their own ends. So when the suggestion was made that security companies collaborate I'd like to see evidence that it's happening.

Nevertheless, from conversations with vendors and those overheard in the lunch, there does seem to be a remarkable level of willingness for people to help each other. This manifests itself most in the open source community, which pioneered the approach on a large scale, but even proprietary vendors were talking seriously about sharing data.

I think it's a measure of how much the online criminals are winning the security arms race at the moment. When you're under threat you make allies a lot more easily than when things look rosy.

Shaun Nichols: Security has always been an industry built on an uncommon amount of sharing amongst competitors. What other industry thrives on researchers actually sharing their data with the entire world?

As Iain touched on, the 'arms race' with malware writers and cybercriminals plays a big part in this. If all the bad guys are sharing their intelligence with one another, a security firm that doesn't want to share its research and information with others is going to see itself in a lot of trouble very shortly.

The rise of the 'end to end' approach has also helped bring the spirit of collaboration about. Smaller specialist vendors who fancy themselves 'best of breed' want to be able to connect their products with other specialist offerings to offer better protection through collaboration. The big boys of the business may not be as enthusiastic as they are claiming to be, but the sentiment amongst the smaller companies seems to be genuine.

2. Cloud computing

Shaun Nichols: Cloud computing has become such an obnoxious buzzword that reporters joke of playing drinking games with the term whenever an executive takes to the podium. If you were to take a drink every time 'cloud computing' was uttered during Tuesday morning's keynotes, you likely would have woken up in a jail cell that evening with a nasty hangover.

With seemingly every part of traditional software now being pushed into a web-based 'cloud' service, security vendors are left scrambling to protect users. Additionally, many vendors are now looking towards cloud services for their own products. Web services are now being prepped by many security companies as replacements for the drive-busting signature libraries currently in use.

Iain Thomson: If one more person had raved about cloud to me I was getting ready to scream. Cloud was everywhere this conference and it started to get a bit much.

Cloud is an important new area of business but it isn't the only card in the deck. It does make deployment less expensive and offers enterprises much more flexibility but it isn't a magic bullet.

In particular I've got concerns about handing over important data to third parties. Not only are the cloud vendors now prime targets for hackers but laws for controlling data flow still haven't been sorted out. Cloud is new territory and I'd like to see a bit more stability in the market before entrusting my data outside the company.

1. The economy

Iain Thomson: You saw evidence of the tanking economy all over the show. There were fewer people in evidence on the show floor, the exhibition stands were smaller and less flashy and the local bars were nowhere near as packed as usual.

This feeling of doom wasn't helped by pretty much every keynote speaker reminding us all about how the economy is tanking. "Worst financial crisis in a generation," "biggest challenge since the Second World War" and "darkest days since the 1930s" are all direct quotes.

All parts of the IT industry are being hit by the recession. Security should weather the storm fairly well, but no-one is going to be totally secure, and everyone here knows it.

Shaun Nichols: If you make your money by selling products to others (in other words, a business), then the economy is going to be the elephant in the room. The security industry is no exception. It's no secret that companies are spending less and trying to make do with older products. How to push security in an economic crisis was a central theme for this year's conference.

As we touched on when discussing job security earlier, the industry likes to label itself as "recession-proof," but the air of concern about the economy was almost palpable at this year's conference.

Copyright ©v3.co.uk