Getting Validation at RSA
- 27 March, 2012 01:51
You can't attend the annual RSA Conference without planning ahead. Action plan: Enter the conference armed with questions on BYOD, mobility and the cloud.
My Mecca is the RSA Conference , which this year was held the last week of February in San Francisco.
Every year, this conference lets me meet up with past bosses, colleagues, schoolmates and other security-minded folks. We catch up on a personal level and freely discuss any and all security topics. I also enjoy having all the vendors -- major as well as up-and-coming -- in one spot. And the various breakout sessions and keynote talks teach me something new or, even better, validate my security program and priorities.
RSA can be overwhelming if you don't plan ahead. Every year, I look for interesting breakout sessions and list the vendors I'd like to meet with. And I enter the conference with a focus on several pressing issues.
This year, the first issue was BYOD. My CIO wants the IT department to let employees use their own devices for business . I've had misgivings about this from the beginning, and the consensus that emerged from several sessions, meetings with vendors and discussions with other professionals was that BYOD is not sustainable. There are just too many problems that an IT department with strained resources has to handle: support, compatibility with existing infrastructure, the danger of losing intellectual property and the difficulty of securing the devices. Technologies like virtual desktops can help enable BYOD, but at the end of the day, most of us security folks are shying away from this trend -- at least for the moment.
A related issue was mobility. Employees are itching to get their iPads, Androids and other tablet devices on our networks. Most of the security people I talked to agreed with me that there are significant security concerns, but in this case, the overwhelming feeling was that enabling mobile devices is a problem that needs to be solved. Face it: Employees are figuring out risky work-arounds, such as syncing their corporate files to cloud file-sharing sites and accessing sensitive files (source code, financial spreadsheets, customers' personally identifiable information, healthcare data) from their mobile and other noncorporate, untrusted resources. Better to come up with a more secure approach and cut off these riskier tactics.
Then there's cloud computing. My company is deploying single sign-on for cloud applications. It's very convenient, of course: You just enter your credentials one time and voila -- you have seamless access to dozens of corporate and personal applications. At RSA, I quickly found out that I'm not alone in my view that this convenience is fraught with peril. Say an employee's credentials are compromised by a keylogger on an untrusted kiosk; his corporate and personal life is compromised as well. Two-factor authentication would help, but it's not universal yet, and some vendors have a sketchy idea of what is needed in two-factor authentication, which should be in the form of a one-time password containing something you have and something you know. For example, one company requires a username, a password and a single security question and calls that two-factor. Sorry, but no. A keylogger can grab all of that.
Speaking of the cloud , I talked to a lot of people about my new policy of locking down Salesforce.com , and almost all of them agreed that access to software-as-a-service applications that contain sensitive corporate data should be restricted by IP address. So, more validation!
Another thing I looked into was security-awareness training. One company that piqued my interest was Green Idea, which has created some entertaining, security-related screen savers.
Now I'm back in the office with a fresh supply of vendor-branded pens, but also a lot of brochures and business cards that should help me continue to raise the security bar for my company.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org .
Join in the discussions about security !
Read more about security in Computerworld's Security Topic Center.