Orchestrating a New Solution for User Authentication

I’ve never spent much time in an office. I wouldn’t say that I’m Up in the Air as much as George Clooney’s Ryan Bingham. But the value of personal interaction with our customers from São Paulo to Sweden, learning about the issues they’re facing and working together to address those issues, has meant I spend a lot of time out of the office (not to say in the clouds). So I was particularly interested in the RSA and Zscaler announcement this week. But I think its relevance goes well beyond us road warriors.

The problem that RSA and Zscaler are taking on is a fundamental one for the new dynamic of user interaction with enterprise information. User access increasingly comes from outside corporate networks, using devices not controlled by the enterprise IT teams. Connectivity with IT systems is increasingly in short-duration bursts and employs many different approaches: HTTPS, VPNs, VDI. The security posture of the user device changes continuously as the user accesses different resources from different locations, and I don’t mean just between home and office, or between different cities as we travel. It’s being connected via our home wireless at 8 a.m., via the office LAN at 9, the Starbucks wireless at 10 and so on. We are all out in the cloud a lot of the time!

The RSA/Zscaler solution starts from these two premises: the changing security posture of the user’s device, and our mobility across different applications and access points. The idea is to create a continuous and dynamic index of the validity of a user’s authentication, federated across the applications the user needs to access. It combines strong user authentication with dynamic risk assessment based on device identification, user behavioral profiling, and vulnerability detection. By performing continuous, heuristic monitoring of the behavior of authenticated users and of environmental conditions, it orchestrates a complex assessment of how confident a given resource can be that a given user is indeed who they say they are.
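As an added illustration (my own toy code, not RSA’s or Zscaler’s), here is the shape of such a confidence index: the assurance from a strong authentication decays with time, each observation of device, network, behavior and vulnerability state adjusts it, and each application states the minimum confidence it needs before it demands a step-up. The weights, the one-hour half-life and the day’s events are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Event:
    t: float            # seconds since session start
    device_known: bool  # device fingerprint matches one enrolled for the user
    network: str        # "corp", "home" or "public"
    behaviour_z: float  # distance of current behaviour from the user's profile (z-score)
    device_vulns: int   # unpatched issues reported for the device

NETWORK_RISK = {"corp": 0.0, "home": 0.1, "public": 0.3}   # assumed weights
HALF_LIFE = 3600.0  # assumption: assurance from a strong auth halves every hour

class Session:
    """Tracks one user's assurance; confidence is recomputed on every observation."""
    def __init__(self):
        self.assurance, self.auth_t = 1.0, 0.0   # 1.0 right after strong auth at t=0

    def step_up(self, t: float) -> None:
        """A fresh strong authentication resets the decay clock."""
        self.assurance, self.auth_t = 1.0, t

    def risk(self, ev: Event) -> float:
        r = NETWORK_RISK[ev.network]
        r += 0.0 if ev.device_known else 0.4
        r += min(0.3, 0.1 * max(0.0, ev.behaviour_z - 1.0))  # tolerate mild deviation
        r += min(0.2, 0.05 * ev.device_vulns)
        return min(1.0, r)

    def confidence(self, ev: Event) -> float:
        decayed = self.assurance * 0.5 ** ((ev.t - self.auth_t) / HALF_LIFE)
        return round(decayed * (1.0 - self.risk(ev)), 3)

def decide(conf: float, required: float) -> str:
    """Each resource states the confidence it needs; below that, demand a step-up."""
    return "allow" if conf >= required else "step-up"

def run_scenario() -> list:
    """Constructed day: office LAN, home wifi an hour later, then a cafe on an
    unenrolled device. Returns (confidence, decision) per event."""
    s, out = Session(), []
    for ev, required in [
        (Event(0, True, "corp", 0.2, 0), 0.7),
        (Event(3600, True, "home", 0.5, 1), 0.7),
        (Event(7200, False, "public", 3.0, 2), 0.4),
    ]:
        conf = s.confidence(ev)
        out.append((conf, decide(conf, required)))
        if out[-1][1] == "step-up":
            s.step_up(ev.t)   # assume the user passes the strong re-authentication
    return out
```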

I like that analogy of orchestration for this solution: not just the metaphorical coordination of resources, but the actual conducting of an orchestra, an analogy that Martin Kuppinger has used as well. I’ve played in orchestras for many years (including the Nashua Chamber Orchestra shown above), under many different conductors, not only as a brass player but also in more unusual roles such as pouring water from one bucket to another in Diane Wittry’s Mist. Like the conductor drawing together the contribution of each player into a single complex work, the RSA/Zscaler solution assembles a single understanding of the measure of confidence in a user authentication. It draws on multiple resources, in the same way that the conductor draws on the capabilities of instrumentalists, to create coherent security intelligence about the level of trust any given resource can have in the authentication of the user. This is, in fact, one of the aspects of the relationship between identity and security intelligence that my colleague Matthew Gardiner and I will be exploring in our panel at the European Identity and Cloud Conference 2012 in April.

At RSA, we’ve spoken for many years about the need for a security ecosystem, where vendors work in concert to provide trust, visibility and control. This announcement, like the Canopy one, is a great step towards that ecosystem, building security across all devices and access methods wherever the user and information are.


One Response to “Orchestrating a New Solution for User Authentication”

  1. We need to tread very carefully here, for complexity and novelty are the enemies of security. And of adoption too. I do not believe that wholesale change to the way we identify one another is called for, and indeed, much of the empirical difficulty that has characterised identity management programs for 10-15 years (from Big PKI through to Cardspace) results from over-complication. And I’m thinking more of business processes than technology.

    We all know that business and legal change management are the most costly part of any online project, and yet so many authentication initiatives entail deep impact on human and social factors.

    I reckon we do an adequate job identifying and authenticating people in the real world, and that the real problem that needs solving online is now to preserve the pedigree of identities we already have.

    See here an ecological approach to digital identity, that seeks to conserve real world identities, without upsetting the way they’ve evolved to fit particular risk circumstances:

    http://lockstep.com.au/library/identity_authentication/an-ecological-theory-of-digit.html
