Bob Griffin

Bob Griffin is Chief Security Architect at RSA, the Security Division of EMC, where he is responsible for technical architecture, standards and strategy, particularly for RSA’s data security products. He represents EMC to several standards organizations, including as co-chair of the OASIS Key Management Interoperability Protocol (KMIP) technical committee. Bob has extensive experience in security strategy, corporate governance, business process transformation and software development. He has had the primary architectural responsibility for a number of production systems environments and for major software engineering projects at RSA, Entrust and Digital Equipment Corporation. He is a frequently requested speaker for professional and industry conferences and has instructed courses within both professional and university settings.

The Challenge of Cooperation

Over the weekend, three stories crossed my desk that got me thinking about the challenge that Art Coviello issued to the security industry in his RSA Conference 2012 keynote: to forge a “collective resolve” to stand together against “a host of adversaries who threaten our very trust in the world’s digital economy”. The first of [...]

Turning Your Organization Inside-Out: Security and the Open API Economy

At the European Identity and Cloud (EIC) Conference 2012 last week, I finally got what Craig Burton has been saying for some time now: “Baking your core competency into an open API is an economic imperative.” What brought it home for me was the presentation by 3Scale’s Steven Willmott, focusing on what he called “turning [...]

Security Intelligence and Identity: Reflections from the Munich EIC Conference

Last week my colleague Matthew Gardiner and I, along with Kim Cameron of Microsoft and Edwin van der Wal of Everett Consulting, presented a panel on “Security Intelligence and IAM” at the European Identity and Cloud Conference in Munich. Prompted by questions from our moderator, Dr. Horst Walther, we had a lively discussion about the [...]

Trusting Your Crowd Sources

Earlier this week I was at MIT Media Labs for a meeting with my colleagues in EMC technical leadership. While we were there, we took a tour of the Media Labs, including talking with a couple of grad students and professors. One of the projects we were introduced to is called Place Pulse, “a website that allows anybody to quickly run a perception study and visualize the results in powerful ways”. It was interesting from a lot of perspectives: as an investigation of perceptual clues we use in making decisions; as an exploration of visualization techniques; and as a model both for generating and for analyzing Big Data.

Assertive Personas

I was at the Gartner IAM Summit in London last week and had the chance to catch up with Robin Wilton, including attending his session on “High Identity Assurance in a Mobile World”. It was a great presentation, full of interesting ideas and insights. I was particularly struck by Robin’s discussion of personas, especially in the light of the keynote panel discussion of “the death of authentication” the day before.

Will big data know you better than you know yourself?

There was lots of buzz about big data at RSA Conference, especially in terms of the essential role that big data analytics increasingly plays in detecting data exfiltration and other security issues. Using big data for security is clearly a significant opportunity. But the security and privacy of big data is equally important and yet got much less attention. These concerns did come up in the Tuesday afternoon panel on big data, during which Rick Mogull of Securosis articulated the distinction between securing big data and using big data for security. But for me the most striking insight about the security and privacy issues for big data was in the discussion that Hugh Thompson and Dan Gardener had during the Friday afternoon “Hugh Thompson Show”.

Big Rocks, Big Ideas and Big Opportunities

From Monday’s Innovation Sandbox to Friday’s keynotes, innovation was a central theme of this year’s RSA Conference 2012 in San Francisco. As Hugh Thompson said in his final remarks, the Innovation Sandbox proved that innovation is alive and well in cybersecurity. Perhaps 2012 will indeed be, as Hugh suggested, “The Year of Innovation”.

Diversity and Collaboration in the Mobile Ecosystem

In Securing Enterprise Use of Mobile Devices, I wrote about my participation as a panelist in the “Mobile Security Show”, aired on the AT&T video channel in November 2011. We talked about a lot of things, from the drivers behind bring-your-own-device strategies to the technologies supporting enterprise security for personal devices and the policy implications, for enterprises and society as a whole, for the privacy of individual and enterprise information. Towards the end of the evening, we got into a discussion of whether homogeneous technical environments are more risky than heterogeneous ones. Ed Amoroso, the CSO of AT&T, had particularly interesting thoughts on the complexity of this issue for IT departments, ending with the remark: “Count me in as favoring the diverse ecosystem.”

Orchestrating a New Solution for User Authentication

The problem that RSA and Zscaler are taking on is a fundamental one for the new dynamic of user interaction with enterprise information. User access increasingly comes from outside corporate networks, using devices not controlled by the enterprise IT teams. Connectivity with IT systems is increasingly in short-duration bursts and employs many different approaches: HTTPS, VPNs, VDI. The security posture of the user device changes continuously as the user accesses different resources from different locations, and I don’t mean just between home and office, or between different cities as we travel. It’s being connected via our home wireless at 8 a.m., via the office LAN at 9, the Starbucks wireless at 10 and so on. We are all out in the cloud a lot of the time!

Starting with the End in Mind: the Need for Security Governance

Under the leadership of CyLab Adjunct Distinguished Fellow, Jody Westby, the CyLab team gathered information from CEOs, CFOs, CROs and board members of the Forbes Global 2000 regarding security governance practices in their companies. The results showed significant gaps in security governance in more than half the respondents. Even for someone like me who tends to see the glass as half-full, this is a major concern in a world of increasing threats to information security.