RSA Conference 2010 -- Day 4

Cloud computing, virtualization, cyber-crime, and compliance were predicted to be the big themes of RSA.  After four days, I've been to about 20 sessions in 7 tracks, 7 keynotes, and heard from more than 30 corporate representatives from a half dozen industries.  Cloud computing has certainly come up, but almost exclusively in the keynotes.  It seems that the conference organizers want to talk about it, but the information security community has other things on its mind.  What have been the themes I've heard after attending all these sessions?  Identity and, as corollaries to that, authentication (as I said last night) and PKI.

I heard from Joshua Powers, CTO of Securboration and formerly of the US Air Force.  He talked about the difficulty of modeling identities and how semantic Web technologies can be used to create graphs to represent identities more effectively.  Then I heard from G&D and EISST about how they have been working to harden Web browsers and ensure that they haven't been patched by malware.  They called this technique Dynamic Application Authentication (DAA), and they used PKI and smart cards to do it.

Then I attended a panel discussion chaired by a representative from Adobe which included a registrar in higher ed, a lawyer, and an auditor.  They talked about how there is a resurgence of interest in PKI.  Unlike ten years ago, they said, this new buzz is coming from business and not from crypto geeks going on and on about Alice, Bob, and Eve.  The result is a market pull rather than a push, as was the case a decade ago.  The fundamental reason, they said, is that businesses of the twenty-first century are information companies.  Data doesn't remain neatly within the silos we've created in our organizations -- it flows across them.  In order to comply with regulations, avoid leakages, and use data to provide customers with value, companies have to find a way to secure it.  PKI is increasingly the way in which they're doing so, the panelists said.  They cited a number of examples:

  • Verification of hundred-year-old legal contracts
  • Digitally signing transcripts
  • Federation
  • Verifying the identity of doctors

All of these examples come down to authenticating the identity of different entities.

BTW, when the lawyer, Randy Sabett, was asked by a Brazilian audience member about when America would get a national ID system like his country's, Sabett said it was a "long way off."  In light of this, perhaps my prediction last night was a bit naive :-)

The last session I attended today was a P2P discussion about Identity Management (IdM).  The group was made up of folks reporting to CIOs, CSOs, and CTOs.  They talked about the huge disarray that their organizations are in with regard to identity.  From the sound of it, it seemed that their IdM systems were not working very well for them.

So cloud computing is important, but it seems that the information security community thinks identity, authentication, and PKI are more important.  Have you been hearing other things at the conference?  Are other issues more important to your organization than these?  Are these issues hot topics for your company as well?  I'd love to hear about it.  Leave a comment below or shoot me a note.  I've got one more day here at RSA, so keep an eye on my Twitter stream for real-time updates and check back tomorrow for my final post.