One of the most challenging aspects of attending RSA each year is not just attending, but also recovering from, the event. It occurs to me as I finally get this recap post drafted that it’s been almost two weeks since I returned, and that I am only now getting a chance to put virtual pen to virtual paper to share my thoughts from the event. So, here goes…
Another USA edition of the RSA Conference is now in the books, and it was a doozy! For the first time in years, there seemed to be an air of hope and innovation, which was really quite refreshing. There were a few themes throughout the event; some were overt, while others were more covert. Overall, though, it seemed like we’re nearing a tipping point. The end-users are returning, the vendors are starting to evolve, and maybe – just maybe – there is cause for hope that we’ll find ourselves “jumping to the next curve” in the not-too-distant future.
Amid Hopefulness, Innovation Returns
In a surprising twist, innovation seems to be returning to the industry. Emerging from the doldrums of “business as usual,” there were a number of excellent conversations occurring all around the event. Mind you, many happened away from the show floor, or at least in the south expo away from mega-vendor-land. People seemed truly hopeful for the first time in a long while, even as the size and frequency of data breaches seem to be growing. There is, in fact, some hope that automation and DevOps will help transform enterprises, with security finally starting to catch up and realize the opportunities.
Predictive Analytics Starting to Emerge (for realz)
Speaking of automation, a major (official?) theme seemed to be around “predictive analytics.” While I’m not necessarily sure what that means in the vendor PR context, I do think there is something to be said for enterprises finally being shown how this nebulous “analytics” beast might be turned to a useful advantage. We saw vendors across numerous product verticals (such as appsec, VA/SCA, endpoint protection, etc, etc, etc) starting to build in analytical capabilities that, in some cases, even went so far as to include quantitative risk analysis capabilities. It’s too early to say how long it will be until these emerging notions are truly ready for primetime, but again, the mood was hopeful. Perhaps the most interesting notion is being able to take automated scan/test results from varying sources and run them through a “risk engine” that in turn uses asset information and associated valuation information to produce automated impact scores expressed in terms of $$$. From a prioritization perspective, this advance could be very interesting going forward.
One phrase I heard over and over again while speaking with vendors was “reducing friction.” Regardless of context, the general meaning here is that you don’t want security activities or functions to be a one-off that ends up derailing business as usual. In an appsec context, this means feeding appsec testing findings directly into native bug tracking systems such that developers tackle the fixes as part of standard practice (as opposed to handing them a big report that will get ignored or burned because it isn’t in a native format for their consumption). I heard similar phrasing in other realms, too, such as around authentication and authorization. For instance, there is the notion of inherent, transparent (low friction!) authentication based on analysis of many factors (akin to what I described in my September 2013 post “AuthN TNG: Many Factors, Confidence, and Risk Scoring”). There are now several kits available for mobile devices that provide built-in continuous monitoring capabilities that essentially profile users when they run an app, adding that contextual information to the overall authentication picture. One vendor described this as a “new” 4th type of authentication factor (“what you’re doing” or “contextual authentication”).
Overall, it will be very interesting to see how this concept of “reducing friction” plays out going forward. I think it certainly plays well to a DevOps-oriented crowd, and I’m hopeful (there’s that word again!) that it can lead to a shift in how security architecture, technologies, and decisions are considered, composed, and executed.
Automating Lower Risk Decisions/Remediation
Speaking of automation and reducing friction, an interesting idea I encountered in a couple of places was the notion of automating lower risk decisions or remediation. For example, you run a vuln scan, you find a list of ports or services that are open, but they’re not really high-risk items. What do you do with them? Up until this point, most enterprises will simply ignore these as “low risk, no concern” findings. But, what if you could push a button and have the changes automatically made for you, such as after a quick vetting discussion? This notion could potentially scale nicely over time, and if you give it some hooks into a DevOps build and release pipeline, then you might even start to see some very interesting changes, too.
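As an added example (not code from the original post, and not any vendor’s product), here is a small Python “risk engine” of the kind described in the predictive analytics section above and in this one: it normalises findings from two tools with different severity vocabularies, prices each one against an asset inventory to get a dollar-denominated impact, and then gates which fixes a pipeline may apply unattended versus which go to a human. The asset values, the exposure multiplier, the severity-to-likelihood mapping, the $50,000 ceiling and the finding data are all constructed assumptions for illustration.

```python
"""Illustrative risk engine: normalise, price, rank, and gate findings.

Added example; every value below is constructed and the scoring model
(likelihood x exposure x asset value) is an assumption, not a standard.
"""
from dataclasses import dataclass

# Constructed asset inventory: dollar value and whether the asset is
# reachable from the internet (used as an assumed exposure factor).
ASSETS = {
    "web-01": {"value_usd": 2_000_000, "internet_facing": True},
    "build-07": {"value_usd": 150_000, "internet_facing": False},
    "hr-db": {"value_usd": 5_000_000, "internet_facing": False},
}

# Constructed findings from a network VA tool (CVSS base score, 0-10) ...
NET_SCAN = [
    {"asset": "web-01", "kind": "open-port", "detail": "tcp/8080 admin console", "cvss": 5.3},
    {"asset": "build-07", "kind": "open-port", "detail": "tcp/6000 X11", "cvss": 2.1},
    {"asset": "hr-db", "kind": "cve", "detail": "outdated database listener", "cvss": 9.8},
]
# ... and from an appsec (SAST) tool that uses categorical severities.
APPSEC_SCAN = [
    {"asset": "web-01", "kind": "sqli", "detail": "login form", "severity": "High"},
    {"asset": "build-07", "kind": "info-leak", "detail": "verbose banner", "severity": "Low"},
]

# Assumed mapping from a categorical severity onto the 0..1 likelihood scale.
SEVERITY_TO_LIKELIHOOD = {"Critical": 0.9, "High": 0.7, "Medium": 0.4, "Low": 0.1}

AUTO_FIX_KINDS = {"open-port"}    # finding types with a known, reversible remediation
AUTO_FIX_CEILING_USD = 50_000     # assumed ceiling for an unattended change


@dataclass
class Scored:
    asset: str
    kind: str
    detail: str
    likelihood: float
    impact_usd: float


def normalise(finding):
    """Map either tool's severity onto one 0..1 likelihood scale."""
    if "cvss" in finding:
        return round(min(max(finding["cvss"] / 10.0, 0.0), 1.0), 3)
    return SEVERITY_TO_LIKELIHOOD[finding["severity"]]


def score(findings, assets=ASSETS):
    """Price each finding against the asset it sits on and rank by impact."""
    out = []
    for f in findings:
        asset = assets[f["asset"]]
        exposure = 1.0 if asset["internet_facing"] else 0.5   # assumed multiplier
        p = normalise(f)
        impact = round(p * exposure * asset["value_usd"], 2)
        out.append(Scored(f["asset"], f["kind"], f["detail"], p, impact))
    return sorted(out, key=lambda s: s.impact_usd, reverse=True)


def triage(scored):
    """Split ranked findings into unattended fixes and human-review items.

    Only a known, reversible fix type under the dollar ceiling is automated;
    everything else (high impact, or a fix type we cannot express as config)
    goes to a person.
    """
    auto, review = [], []
    for s in scored:
        if s.kind in AUTO_FIX_KINDS and s.impact_usd <= AUTO_FIX_CEILING_USD:
            auto.append(s)
        else:
            review.append(s)
    return auto, review


def remediation_config(scored):
    """Render an auto-fix as a declarative config item (configuration as code).

    The constructed 'detail' field starts with the listener, e.g. 'tcp/6000'.
    """
    port = scored.detail.split()[0]
    return {"asset": scored.asset, "action": "deny_inbound", "port": port,
            "reason": scored.detail}


if __name__ == "__main__":
    ranked = score(NET_SCAN + APPSEC_SCAN)
    for s in ranked:
        print(f"{s.asset:9} {s.kind:10} p={s.likelihood:.2f} impact=${s.impact_usd:,.0f}")
    auto, review = triage(ranked)
    print("unattended fixes:", [remediation_config(s) for s in auto])
    print("needs a human   :", [(s.asset, s.kind) for s in review])
```

Note that the low-CVSS X11 listener on the non-exposed build host is the only item that clears the gate; the equally “low risk” open admin console on the internet-facing web server does not, precisely because the asset valuation, not the scanner’s severity alone, drives the decision.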
Part of this idea ties into the notion of “configuration as code” that we’re starting to hear more about, especially as it pertains to Software Defined Networks (SDN) and Software Defined Perimeters (SDP). In fact, in many ways, as SDN and SDP become increasingly automatable, there is a good opportunity to start encoding security requirements in such a manner that they also just become configuration items that are automatically applied to an environment (dare I even suggest that we may some day see “policies as code”?). It’s an interesting notion, which when combined with risk analytics engines, could have some very interesting results in the near future.
Colbert’s Closing Keynote
Despite the various “protests” being lodged against EMC/RSA Security for an alleged business interaction with the NSA, Stephen Colbert did take the stage for the closing keynote as planned. As he put it, he looked at the requests for him to back out, and then he looked at the contract he signed, and thought that following through on his commitments was probably more important, at least so long as the check cleared.
As an aside, it should be noted that the planned protests had no real perceptible impact on the event, which is rumored to have had attendance in the 25-30k range (I’m waiting on “official” numbers from RSA). Yes, the Vegas 2.0 crew did run their awareness event on the Wednesday of RSA, and some people were handing out pamphlets around the event, but really, that was about all that people noticed. I spoke to several people who planned to attend the competing TrustyCon event, but most of those people also were RSA speakers or attendees. Basically, the protests seemed to amount to much ado about nothing…
Overall, I found Colbert’s keynote to be one of the most enjoyable in recent years (which have included people like Bill Clinton, Condoleezza Rice, and Tony Blair, as well as Adam Savage and Jamie Hyneman of Mythbusters). Colbert delivered a prepared talk that seemed to be reasonably well researched, full of political jabs, as well as a recurring theme about his “new startup,” CloudFog. After the address, he then did something truly unique… he sat down in a chair, alone on stage, and took questions from the audience. During this period he effectively shifted out of his “Colbert Report” persona and responded largely out of character, which was quite fascinating. Unsurprisingly, Colbert was thoughtful, intelligent, and insightful, even when lampooning politicians or the event’s namesake.
For a truly gack-worthy summary of the closing keynote with Stephen Colbert (which was, I thought, well done), check out CNN’s coverage.
And, well, that’s about it. Overall, RSA seemed to be fun again this year, despite it being my first (grueling) year as a Gartner analyst. I spoke to dozens of vendors (officially and unofficially) and, of course, chatted with hundreds of end-user attendees. As always, I found the event to be very useful in gauging the timbre of the industry.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.