Mobile Security

Assertive Personas

I was at the Gartner IAM Summit in London last week and had the chance to catch up with Robin Wilton, including attending his session on “High Identity Assurance in a Mobile World”. It was a great presentation, full of interesting ideas and insights. I was particularly struck by Robin’s discussion of personas, especially in the light of the keynote panel discussion of “the death of authentication” the day before.

Mobile: Here There Be Monsters

It’s a new, exciting era for Trojan builders. The mobile space in 2012 is a vast, uncharted territory that attracts the talent and creativity of black hatters and malware writers like moths to a flame. If you think about it, the entire mobile security space has huge ‘Here there be monsters’ sections where the cartographers don’t really know what to draw. With its unique architecture, security platforms and operating systems, it’s a challenging, yet highly rewarding exercise.

Big Rocks, Big Ideas and Big Opportunities

From Monday’s Innovation Sandbox to Friday’s keynotes, innovation was a central theme of this year’s RSA Conference 2012 in San Francisco. As Hugh Thompson said in his final remarks, the Innovation Sandbox proved that innovation is alive and well in cybersecurity. Perhaps 2012 will indeed be, as Hugh suggested, “The Year of Innovation”.

Achieving Ubiquitous and Continuous Trust in Identities on the Web

At RSA, we have a legacy of authentication innovation from multifactor to risk-based, heuristic authentication. We challenged ourselves with “What’s Next?” As an industry we continue to conceive more usable yet stronger authentication but we have a bigger mandate to meet a need that has gone unmet for a long time.

Diversity and Collaboration in the Mobile Ecosystem

In Securing Enterprise Use of Mobile Devices, I wrote about my participation as a panelist in the “Mobile Security Show”, aired on the AT&T video channel in November 2011. We talked about a lot of things, from the drivers behind bring-your-own-device strategies to the technologies supporting enterprise security for personal devices and the policy implications, for enterprises and society as a whole, for the privacy of individual and enterprise information. Towards the end of the evening, we got into a discussion of whether homogeneous technical environments are more risky than heterogeneous ones. Ed Amoroso, the CSO of AT&T, had particularly interesting thoughts on the complexity of this issue for IT departments, ending with the remark: “Count me in as favoring the diverse ecosystem.”

Orchestrating a New Solution for User Authentication

The problem that RSA and Zscaler are taking on is a fundamental one for the new dynamic of user interaction with enterprise information. User access increasingly comes from outside corporate networks, using devices not controlled by the enterprise IT teams. Connectivity with IT systems is increasingly in short-duration bursts and employs many different approaches: HTTPS, VPNs, VDI. The security posture of the user device changes continuously as the user accesses different resources from different locations, and I don’t mean just between home and office, or between different cities as we travel. It’s being connected via our home wireless at 8 a.m., via the office LAN at 9, the Starbucks wireless at 10 and so on. We are all out in the cloud a lot of the time!

Securing Enterprise Use of Personal Devices

In September I was invited to be a panelist on the AT&T Mobile Security Show, videotaped at Stevens Institute of Technology in New Jersey. They have just posted the show on their website (http://techchannel.att.com/play-video.cfm/2011/11/4/The-Mobile-Security-Show-Episode-2) and you can also watch it here.

Information Security Forum Chapter Meeting

One of the most refreshing moments one can experience is the reminder that things long ago learned and forgotten are still valuable and relevant. It is the realization that “I learned everything I needed to know in kindergarten”.

The Role of the Carrier in a Growing Mobile World

It’s a common question around here: who holds the most power in the mobile infrastructure? The carrier? The handset makers? The OS providers? Security is by its nature an add-on service, something that often is piggybacked on other more top-of-mind services, so whenever you try to sell security in the mobile space you always come to that golden question: Who owns the most customer mindshare on the mobile device?

The Growth of Mobile

We are witnessing a technology revolution, and within this massive shift in endpoint devices, there is also a rolling thunder of change to the traditional security landscape. And not surprisingly, mobile security is often a few steps behind the curve as the industry rushes to catch up with business requirements.