Analysts Highlight Security Trends At RSA Conference

All four analysts agreed that federated identity and Web services security will be the most oft-mentioned buzzwords this week.

"Identity has emerged as a strategic business issue, not just a technology issue, and federated identity is at the dawn of its implementation," says Gerry Gabel, an analyst with Burton Group. "The market is finally coming up to speed with the technology to provide a more dynamic way for businesses to operate."

As for Web services, he says the adoption of secure Web services will soon begin to occur, but that the market still is "very immature, standards-wise."

Because security has so many flavors and security customers have such varied needs, the analysts agreed that it's impossible to predict which protocols or technologies will win out in the end. Take public key infrastructure (PKI), which not long ago was a hot area.

"PKI isn't dead, but it's morphing and becoming more aligned with the applications that depend on it," says Vic Wheatman, a vice president at Gartner Group. "The original vision of PKI became impertinent, and now it should be leveraged across multiple needed applications."

The other hot topic is security, of course, and how the post-9/11 world and the war on Iraq will affect the sector. The assumption a year or so ago was that the suddenly heightened need for increased security of all kinds would help boost the sales of all security technology companies. Yet that hasn't been the case at all. RSA itself, the show's host, already has made a production of its recent return to profitability after some recent financial setbacks, and while companies like Symantec have capitalized on the so-called security boom, the sector still has suffered from overall cutbacks in technology spending.

Part of this apparent incongruity is simply that the war on terrorism and computer security -- particularly for the consumers many of these companies sell to -- don't have all that much to do with each other.

"The war on Iraq and 9/11 don't really connect with cyber security," Wheatman says.

What these geopolitical events did do was change the way security decisions are made in the enterprise.

"September 11th changed the idea of who the threat is. Before 9/11 it was the 15-year-old hacker trying to break into a network for the fun of it; post-9/11 it could be a cyberterrorist or an organized crime ring," says Mike Rasmussen, an analyst at Forrester Research. "Now the decision-making on security has been raised to the board of directors level, so it's extremely important that the tech people explain security to the businesspeople in a language they understand."

The problem with this hubbub is that it causes overreactions in both directions. Spire Security research director Pete Lindstrom says that when encryption and authentication failed to abate security problems, companies rushed to add intrusion detection, but neither approach has proved perfect.

"Encryption and authentication slowed network performance too much, so the reaction was to detect the bad guys," he says. "Eventually the pendulum will swing back to the middle, but we still don't know what mix works best."

He says this is unlikely to get resolved until the economy improves. While spending is still down, the main question customers will keep asking is, "What is the minimum security requirement I need to get by?"