RSA Conference Message: Make Security Simple

Promoting simplicity in an increasingly complex environment may seem like a paradoxical goal, but that's exactly what needs to happen if IT security is to become more effective.

The simplicity theme popped up repeatedly at last month's RSA Conference in San Jose, Calif., the biggest security trade show of the year.

To get an indication of just how crucial security has become, look no further than the list of the event's keynote speakers: Microsoft's Bill Gates, Sun Microsystems' Scott McNealy, Cisco Systems' John Chambers, Symantec's John Thompson, RSA Security's Art Coviello and VeriSign's Stratton Sclavos, among others.

Gates kicked off the show by stressing the need to eliminate much of the technological clutter around security.


"If you look at the security systems that are out there today, we don't achieve [simplicity]," he said. "The number of things people have to keep track of is probably an order of magnitude more than it needs to be for people to be able to manage their systems effectively."

Gates' hour-long presentation featured glitch-free demos of how Microsoft is enabling stronger security across its platforms, including Vista--the forthcoming replacement for Windows XP. The demos highlighted Microsoft's desire to establish fundamentally secure platforms.

"Older systems were secure because they were isolated," Gates said. "You can't layer on top of a system elements to make it secure; you get too much of a mismatch between the components. This design approach is absolutely critical--thinking these things through from the beginning and not bringing security in at the end is very important. This has been a big shift for Microsoft."

The software giant is moving aggressively with its vision for smart cards to reduce or eliminate the need for multiple passwords. One news snippet to come from Gates' keynote speech was the announcement that Certificate CLM, which enables the provisioning of smart cards, is now in beta-testing. Gates also told the audience that new antimalware products are on the way, but he didn't disclose specific release dates.

"Today, we're using password systems, but they simply won't cut it," he said. "Very quickly they're becoming the weak link, so we need to move to multifactor authentication. A lot of that will be a smart-card-type approach that needs to be built into the system itself. I don't pretend that we'll move away from passwords overnight, but this change can and should take place over a three- to four-year period."

Despite sharp increases in new threats, Gates is confident about the direction in which the security industry is heading.

"Advances in standards make me very optimistic that we'll be able to pull this together," he said. "But the move toward digital approaches in everything we do is accelerated. We're making progress, but it's a very big challenge to make sure security is not the thing that's holding us back."

The security sector is so critical, volatile and fluid that, more than any other current technology area, it encourages big thoughts and new ideas. Sun's McNealy shared one such brainstorm during his wry and conversational keynote address.

McNealy theorized that the current security landscape is fractured because of how the client and server business evolved.

"Because we had a monopoly--IBM--that didn't meet needs and stay aggressive, people decided to build their own [solutions] with different parts from different companies," he said. The result, he added, has been a Frankenstein-like setup in server environments. "You wonder why you have a security problem when you can't certify [the environment] and it keeps changing," McNealy said. "Do the math. You're changing the configuration on your data center by the minute."

Without citing Microsoft, McNealy talked about concomitant problems on the other side of the fence. "On the desktop side, a really effective virus can wipe out every desktop in the government because they all have the same DNA. There's not enough genetic diversity on the desktop."

Combine all that with the difficulty customers have in changing technology vendors when they want or need to.

"When you buy IT from anybody, the basic assumption is that it will be obsolete within 18 months, sometimes even before you install it," McNealy said. "As soon as you buy something, you have to figure out how to get off of it. This is the barrier to exit. If you're not moving forward, you won't be able to take advantage of all the security features you need, and the barrier to exit dwarfs the cost of buying and installing the equipment in the first place."

Thompson, Symantec's chairman and CEO, suggested that technology businesses need to improve their own security practices as a group, while also taking the government's cue in pushing for better technology legislation.

"The next logical step is [technology vendors] joining together to create a trusted online community; building it would go a long way toward restoring confidence by making sure users and companies are protected," Thompson said. "The business community also should join together to push for comprehensive privacy regulation. So far, the U.S. government has been reactive, but this approach will result in more conflicting and confusing policies."

Meanwhile, RSA attendees offered their own thoughts on what the most crucial and overlooked security issues will be in 2006.

Jay Chaudhry, CEO and chairman of messaging security vendor CipherTrust, said new messaging threats will come to the fore this year.

"Spam is about selling, but phishing is about stealing, and enterprises and vendors are less prepared than they should be about it," he said.

Another area that likely will receive increasing focus is databases. For years, those applications served merely as information repositories, but given the exploding volume of more sophisticated and business-critical data, database security requirements are becoming more stringent all the time.

"Database security is becoming a huge issue," said Shlomo Kramer, CEO of database vendor Imperva. He cited recent vulnerabilities found in Oracle databases. "People aren't aware of how vulnerable their databases are now that LANs aren't isolated anymore. But databases today aren't built to handle many security needs."