Showing posts with label rsa conference. Show all posts

Monday, March 17, 2014

RSA Conference 2014 redux


If you follow me on Twitter, you probably noticed a heightened volume of Tweets from me during the RSA Conference in San Francisco. It was great catching up with many of you based stateside that I rarely get to see in person. I was also fortunate enough to be allowed to attend sessions and live-Tweeted the ones that were interesting. Therefore, I'm not going to regurgitate/organise my Tweets into thoughts here. I will however, highlight a few key points that I felt were important.

NSA, NSA, Snowden, NSA

This was an RSA conference where everyone was talking about the NSA. First, there were the well-publicised boycotts from speakers. Then came the competing conference. Then there were the protesters. RSA Chairman Art Coviello opened the conference and addressed it up front (right after William Shatner's song and dance). Stephen Colbert closed the conference with an NSA-heavy keynote (incidentally, he was hilarious). And in a show of courage or stupidity depending on your perspective, the NSA even had a booth on the expo floor.

There were many stories written about this during the conference, so just use your search engine of choice. But if you don't feel like searching, check out the New York Times' Nicole Perlroth and her blog post detailing some of the NSA-focused activities. My Tweet stream was also relatively NSA-heavy, so go check that out too.

Damage control

There were many US Government speakers from various departments and they all had one thing in common: they were in damage control mode. Essentially, it boiled down to these points:

  1. We assumed everyone knew we do the whole electronic surveillance thing. We didn't know it would be such a big deal and we're sorry, but we have to do it. And by the way, better it be the US Government than some foreign hostile nation. They're all just pissed that we're so much better at it than everyone else.
  2. We must work on collecting only what we need instead of absolutely everything. But if you've ever tried to do this, you know it's easier to collect everything instead of being selective.
  3. We, the US Government, want to work more closely and cooperatively with US companies on making the Internet, technology and the real world safer for all.

Encryption

How do we make life more difficult for governments to spy on us? Encryption. Sure, governments have quantum computers working at cracking encryption measures, but they really don't like having to do it. It was a topic of discussion during the cryptographer's panel and made in relation to the NSA. Bruce Schneier has mentioned it on many occasions and reiterated his sentiments during his session at the conference.


I said it in my IT security predictions for 2014 and I've mentioned it on television. Start with encryption. It won't fix all your security issues, but it's a good start and a good countermeasure for issues beyond the NSA and government spying.

Privileged user controls

Despite Snowden being the poster child for how much damage privileged users can do, there wasn't a great deal of noise about it (compared to the NSA and government spying), except in sessions relating to industrial control systems. In every session I attended where industrial control systems were a topic of interest, privileged users came up as a primary focus area. Often, industrial control systems are tied to user directories (usually Active Directory), and most attacks simply aim to compromise an account within the directory. Once an account is compromised, the attacker escalates privileges until they have sufficient access; in other words, the more "administrative" the account, the quicker the compromise. At the very least, organisations must secure and monitor privileged accounts in directories and operating systems.
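As an added example (not from the post), here is the kind of detection logic the "monitor privileged accounts" point calls for: it runs over constructed Windows Security event records and flags every addition to a privileged Active Directory group. The event IDs are Windows' own; the group list and the `approved_admins` allowlist are assumptions an organisation would tune to its own tiering.

```python
"""Flag additions to privileged AD groups in Windows Security events (added example;
the records below are constructed and PRIVILEGED_GROUPS is an assumed starting point)."""
from dataclasses import dataclass

# Event IDs for "a member was added to a security-enabled group":
# 4728 = global group, 4732 = local group, 4756 = universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Built-in groups whose membership gives broad control of the directory or its
# domain controllers; an organisation extends this with its own admin groups.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators",
}

@dataclass(frozen=True)
class Alert:
    time: str
    actor: str               # SubjectUserName: the account that made the change
    member: str              # MemberName: DN of the account that was added
    group: str               # TargetUserName holds the group name for these IDs
    by_approved_actor: bool  # True when the actor is a known admin account

def privileged_group_alerts(events, approved_admins=frozenset()):
    """Return one Alert per addition to a privileged group; nothing is dropped,
    by_approved_actor only helps a reviewer prioritise unexpected actors."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in GROUP_ADD_EVENTS:
            continue  # not a group-membership change (e.g. 4624 logon)
        group = ev.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue  # routine change to an ordinary group
        actor = ev.get("SubjectUserName", "")
        alerts.append(Alert(ev["TimeCreated"], actor, ev["MemberName"], group,
                            actor in approved_admins))
    return alerts

SAMPLE_EVENTS = [  # constructed records shaped like Security log fields
    {"TimeCreated": "2014-03-10T02:14:07Z", "EventID": 4728, "SubjectUserName": "svc_backup",
     "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"TimeCreated": "2014-03-10T09:30:00Z", "EventID": 4728, "SubjectUserName": "it_admin1",
     "MemberName": "CN=newhire,OU=Staff,DC=corp,DC=example", "TargetUserName": "Marketing"},
    {"TimeCreated": "2014-03-10T10:02:45Z", "EventID": 4732, "SubjectUserName": "it_admin1",
     "MemberName": "CN=contractor7,OU=Ext,DC=corp,DC=example", "TargetUserName": "Administrators"},
    {"TimeCreated": "2014-03-10T10:05:00Z", "EventID": 4624, "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for a in privileged_group_alerts(SAMPLE_EVENTS, approved_admins={"it_admin1"}):
        print("review" if a.by_approved_actor else "ALERT", a.time, a.actor, "->", a.group)
```

The service account adding itself a member to Domain Admins at 02:14 is the line a reviewer looks at first; the same logic applied to the 4756 universal-group event and to local Administrators on member servers covers the operating-system side the post mentions.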

Internet of Things (IoT)

You didn't need to attend the conference to know IoT is big in 2014. While I don't believe many are doing anything in terms of IoT, I don't discount the fact everyone wants to talk about it. It became clear in listening to some IoT-focused sessions that the biggest challenge in securing the IoT at the moment lies with the ignorance and complacency in the manufacturing process, particularly with device manufacturers.

Far too many do not implement (or care about) basic security practices in delivering a product. Many use default settings, which are often insecure. In addition, they often reuse the same insecure software components in updated versions. Beyond this, there is difficulty patching existing devices, particularly in trying to figure out how to do this without user intervention. We can't even get this right for existing computing devices. How are we expected to get it right for devices with in-built computers most are not aware of and cannot access easily through a usable interface? This is why it's relatively easy to hack cars.

Tuesday, April 22, 2008

A little more on RSA Conference 2008

The two Identity Management-related things that seemed to generate the most noise at this year's RSA Conference were:
I've already blogged about both of these things (follow the links). There was also apparently quite a lot happening in the user-centric identity space.

I wasn't physically there, so I'll have to defer to others for a roundup. You can start with the RSA Conference's blog and then move on to Matt Flynn (here and here) and Gunnar Peterson (here, here and here). UPDATE: Here's what security guru Bruce Schneier had to say.

Also, can someone tell me how I managed to get on the RSA Conference's Blogroll? Screenshot below in the event they realise I'm not worthy and remove the link :-)


Oracle reaches out to the blogging community

Oh, and they made a rather significant announcement at the RSA Conference too. Both are tied together. Allow me to explain.

I was first contacted by a representative of Oracle's PR department about an invitation to attend an exclusive blogger luncheon with Oracle executives on April 10 in San Francisco around their impending RSA announcement. During the luncheon, Hasan Rizvi (Vice President of Identity Management and Security Products at Oracle) was to provide attendees with an exclusive preview of Oracle's keynote announcement at the RSA Conference.

My first thought was "Oooooooo, free lunch". Then it hit me. It was in San Francisco and I live in London. "D'oh". So I had to politely decline, despite being tempted to ask if Oracle would pay for my air ticket and accommodation.

That's not the end of the story though. They subsequently followed up by inviting me to an alternate event. A blogger exclusive call the morning of that same day (April 10) to be held by Amit Jasuja (Vice President of development for Oracle's Identity Management and Security products) with the caveat that information shared on the call was to be embargoed until noon PT that day. Those who read this blog regularly know that there's no risk of me talking about anything so soon after finding out about it because I just don't have the time nor the urgency to behave like a journalist...or Robert Scoble.

The announcement itself is not the main purpose of this post. I'm not a fan of regurgitating information that's available, so I'll just point you at what I've found so far (admittedly the links are very Oracle centric in terms of content, but most others out there have just been regurgitating the press release and not adding to it):
I will say a couple of things regarding the announcement (briefly). It didn't surprise me one bit. In fact, all it did was formalise what they've been evangelising and selling anyway. Oracle's been charging very aggressively into two particular areas over the past year or two: SOA and security. Of course, they went out and bought most of their technologies. But there is no stronger indication that they believe in the SOA strategy than their acquisition of BEA Systems in January this year. Their security technologies have been built out very nicely through their acquisitions, and it's also nice to see that they're starting to build out the emerging areas of fine-grained authorisation (aka entitlement management), role management (through their acquisition of Bridgestream) and governance solutions. The suite is starting to round out nicely and they look to be running faster than their main competitors (IBM, Sun, CA) at the moment. Their marketing and PR departments are certainly earning their money.

Now I'll get to what I actually wanted to say. I applaud Oracle for reaching out to the blogging community because:
  • They've certainly understood the whole blogging thing for a lot longer than the other big vendors out there (just look at the large list of people working in key Oracle positions that actually blog about their technology).
  • They understand there's more than issuing a press release and hoping something happens that justifies the marketing costs.
  • They understand that it's about creating discussion and awareness. Multi-way discussions are much more interesting and have the added bonus that something well written and insightful can have a viral effect.
  • They know a lot of key decision makers read blogs.
  • An opinion written by a non-Oracle employee holds a lot more credibility (assuming the author is credible themselves) than something written by an internal Oracle person who has to "toe the line". And if something written turns out to be less than positive, that's fine too because Oracle's bloggers can respond to it in a very interactive and hopefully constructive manner that makes Oracle's products better in the long run (if product management listen).
  • Press releases are just boring and don't offer anything people couldn't otherwise find by looking on a company's website.
I agreed to attend the call fully aware of their agenda and am playing into Oracle's hands by talking about it. That's completely fine by me, because I'm just giving my honest opinion and they haven't influenced my comments in any way.

They did mention that this was the first time they had reached out formally to bloggers and they would like to continue doing so moving forward. Being the first time also meant that they didn't quite know how to conduct the call and generate some interactivity. Amit Jasuja basically gave a more detailed version of the press release and presented the rationale behind a lot of it. When it came time for questions, no one asked anything. I tried very hard to think of one, but I just couldn't. Not quite what they were hoping I'm guessing. They needed more stimulant material to get people's creative juices flowing. Also, it was an audio only call. Perhaps in future they could have some visual aspects. I'm not advocating slides, but at least that would be better than an audio only presentation. Hopefully they'll get better at these calls as they do more of them. But it was a nice first attempt at extending the olive branch to the community. They also followed up a few days after the call to see if I had any questions, which was a nice touch. In case you were wondering, I still had no questions :-)

The other large juggernauts of the software industry in the security space need to take note. Oracle's marketing is very good. If their products keep getting better and they keep rounding out their portfolio, they're going to be very tough to stop.

P.S. You may notice that the Oracle call I attended was almost 2 weeks ago. It's taken me this long to write about it because I've just moved apartments in London. What that means is that I've been very busy with the move and I don't have Internet connectivity in the new place yet. It's apparently going to take 3 weeks for my ISP to get my connection enabled again (even though I gave them advance warning and my new phone line was active for over a week prior to the move). When I asked why I had to pay for the 3 weeks of ABSOLUTELY NO SERVICE, they just said it wasn't their fault. I don't understand why ISPs in the UK are soooooooooooooooo bad at providing decent customer service. But that's another whole issue that I probably shouldn't get started on. I'm writing this from my hotel room in Prague (I have business meetings here over the next few days).

Wednesday, February 07, 2007

CardSpace and OpenID announcement

The big news today in the Identity world revolves around an announcement made at the RSA Conference in San Francisco by Microsoft that they would collaborate on interoperability between CardSpace and OpenID in cooperation with JanRain, Sxip and Verisign.

This is obviously a good thing as long as Microsoft don't decide to take over the world...at least not in Identity terms. I'm sure they want to take over the world in just about everything else.

Plenty of commentary from people directly involved with this initiative here, here, here, here, here, here and here.