That’s what I walked away with after the RSA Conference in San Francisco last month, and that’s new for me.
I attend the RSA conference for a lot of reasons. First of all, everyone in the security industry is there in one place; I get six months of meetings done in three days. I especially like meeting with the little startups, the ones who don't even have money to rent booth space, to hear their ideas. I also enjoy meeting with the venture capitalists, to hear what they're excited about.
But in the last few years I've also joked that I don't even go down to the conference floor anymore, because the floor is a fair representation of where we are as an industry, and honestly, that hasn't been great. We have created so much complexity that complexity itself has become the enemy of good security. So much of what I see on the floor represents yesterday: old technology, and more layers added on top of it.
This year, though, felt different. I walked away more optimistic than I have in the recent past, for a few interconnected reasons.
The cloud and digital transformation
First and foremost was the dominance of cloud. Every solution is now cloud-enabled and cloud-ready, which opens up possibilities that the appliance-based solutions of the past (each one feeding the complexity beast) cannot match.
Related to that, digital transformation is changing the experience for everyone. We're seeing more agility, more focus on the user, much more speed and in many cases lower costs. Together with the cloud, digital transformation offers some genuinely new opportunities for security.
The most notable example and what was a dominant theme at the conference is the concept of Zero Trust.
Abandoning the perimeter
Every year at RSA there’s a new buzzword or phrase. Artificial Intelligence and machine learning were definitely buzzwords last year; cyber threat intelligence a couple years before that. This year, it was Zero Trust, which implies the death of the “perimeter” — the decades-old practice of defining a network perimeter, and then using controls to keep the untrusted outside, while everyone inside is assumed to be trusted.
It is a very binary system: once you're authenticated and allowed within the perimeter, you effectively have access to everything. Maybe not literally everything, but once inside you can usually move laterally into places you were never meant to reach. Essentially, you're either in or out.
Today, there simply is no perimeter. Our mobile workforce, the proliferation of internet-enabled devices and similar changes have contributed to its demise. That means we need a model in which nothing is trusted by default and every request is verified: Zero Trust. While that might sound terrible, it's actually very positive, because now we can authorize on a very granular level, per request, and only for the specific need the particular user has at the time.
These granular controls look at who you are, what device you're on and whether it's healthy, where you are, what time of day it is, and more. You see and access what you need; everything else is unreachable to you. You can't hack what you can't see, and a service a user cannot even reach is one fewer service they can attack (keeping in mind that unreachability reduces attack surface but does not replace authentication and authorization on the services that remain reachable).
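To make the contrast concrete, here is an added example (my own illustration, not code from the original post or from any vendor). It puts the binary perimeter decision side by side with a per-request Zero Trust decision that weighs identity, group entitlement, device posture, location, time of day and resource sensitivity, and it derives what each user can "see" from the same policy. The users, resources, country list and working-hours window are all constructed for this example.

```python
"""Perimeter-style versus Zero Trust access decisions (illustrative policy).

Added example, not code from the original post. All users, devices,
resources and policy thresholds below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Request:
    """Everything the policy engine knows about one access attempt."""
    user: str
    groups: frozenset[str]
    device_managed: bool   # enrolled in device management
    device_patched: bool   # passes the current compliance baseline
    mfa: bool              # second factor presented for this session
    country: str           # ISO country code derived from the client address
    hour: int              # local hour, 0-23
    resource: str


# Constructed resource catalogue: which groups are entitled, and how sensitive.
RESOURCES: dict[str, dict] = {
    "wiki":    {"sensitivity": "low",  "groups": {"staff"}},
    "crm":     {"sensitivity": "med",  "groups": {"sales", "support"}},
    "payroll": {"sensitivity": "high", "groups": {"finance"}},
    "prod-db": {"sensitivity": "high", "groups": {"sre"}},
}
ALLOWED_COUNTRIES = {"US", "GB"}          # assumption for the example
WORKING_HOURS = range(7, 20)              # assumption: 07:00 to 19:59 local


def perimeter_decision(req: Request, on_corporate_network: bool) -> bool:
    """The old model: being inside the network is the whole check.

    Device health, MFA, the resource asked for and the time of day are
    never consulted; an unmanaged laptop on the office VLAN gets everything.
    """
    return on_corporate_network


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Evaluate one request against identity, device, context and resource.

    Every access attempt is scored afresh; nothing is inherited from
    "being inside". Checks get stricter as sensitivity rises.
    """
    res = RESOURCES.get(req.resource)
    if res is None:
        return False, "unknown resource"
    if not (req.groups & res["groups"]):
        return False, "not entitled"
    if not req.mfa:
        return False, "mfa required"
    if res["sensitivity"] in ("med", "high") and not req.device_managed:
        return False, "managed device required"
    if res["sensitivity"] == "high":
        if not req.device_patched:
            return False, "device out of compliance"
        if req.country not in ALLOWED_COUNTRIES:
            return False, "location not allowed"
        if req.hour not in WORKING_HOURS:
            return False, "outside working hours"
    return True, "allowed"


def visible_resources(req: Request) -> list[str]:
    """What the user can even see: only what policy would grant right now.

    The same evaluation that gates access also decides what is listed, so a
    resource the user cannot reach is not advertised to them at all.
    """
    return sorted(
        name for name in RESOURCES
        if zero_trust_decision(replace(req, resource=name))[0]
    )


if __name__ == "__main__":
    alice = Request("alice", frozenset({"staff", "finance"}), True, True,
                    True, "US", 10, "payroll")
    print("perimeter, any inside device:", perimeter_decision(alice, True))
    print("zero trust, 10:00, healthy device:", zero_trust_decision(alice))
    print("zero trust, 23:00:", zero_trust_decision(replace(alice, hour=23)))
    print("zero trust, unmanaged device:",
          zero_trust_decision(replace(alice, device_managed=False)))
    print("alice sees:", visible_resources(alice))
    bob = replace(alice, user="bob", groups=frozenset({"staff"}),
                  device_managed=False)
    print("bob sees:", visible_resources(bob))
```

The point of the example is the shape of the decision, not the particular thresholds: every branch in `zero_trust_decision` is a signal the perimeter model never looks at, and `visible_resources` shows how the "you can't see it" property falls out of the same policy rather than being a separate hiding mechanism.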
The fact that so many people were talking about Zero Trust at this year's show is, I think, a sign that we're finally seeing a break in how we approach security going forward. I've been frustrated by the old network-based model, the proliferation of appliances and the constant increase in complexity, but this year we may have finally turned the corner: no perimeter, or what's being called a software-defined perimeter, which is one way of building Zero Trust, together with the closely related idea of zero standing privilege (no access granted permanently, only for the task at hand). All of it is enabled by the cloud and digital transformation.
The end of the password?
In addition to seeing serious discussions around Zero Trust, I also saw real momentum at RSA around finally getting rid of passwords. We just have to do it. On the dark web there are literally millions and millions of usernames and passwords, and more are exposed every day.
For years, we in the security industry have been talking about getting rid of them. This year I saw evidence that we're finally going beyond talk, and the end of the password is now in the foreseeable future.
The other trend I saw at RSA this year that left me optimistic was the focus on people. We can't lose sight of the human being at the other end of the keyboard; how can we make their lives easier? The password is a good example. Who isn't frustrated with keeping track of dozens of passwords? Who isn't painfully aware, with the news of each privacy breach, that their information isn't secure? What if we could offer a user-friendly tool that uses, say, voice recognition (as one factor among several, since a recorded or synthesized voice is exactly the attack such a design has to withstand) to get you into your ten most-used websites?
Biggest asset, biggest threat
At the same time, it's often users who unwittingly make mistakes, who even with regular training fall victim to phishing attacks or other social engineering, putting their own or their companies' information at risk. We must constantly work to make it easier for users: easier to report suspicious activity, easier to keep their data secure.
At one of the RSA dinners, a long-time security professional and former NSA employee commented that our generation (those of us in our 60s now) has thus far failed to deliver an effective security model. While that's a harsh statement, I agree with him.
Yet after this year’s RSA conference, seeing all the companies taking a fresh look, trying to do new things, with the cloud and digital transformation enabling new approaches while keeping the end user in mind, I really think we’re turning a corner — and that’s a cause for optimism.
Rackspace offers a full and expanding suite of security and compliance offerings, including managed security services, compliance assistance, data protection and privacy.