Saturday, April 12, 2008

Notes from RSA 2008 Trade Show

Frank Sudia, FW Sudia Consulting, 4-12-08

I spent about 4+ hours walking the RSA show exhibits, which seemed more uniformly high quality than usual. Almost all booths met high visual standards, and most offerings seemed relevant. The following are my takeaway perceptions and things that I found interesting. This is just an unscientific sampling, for the benefit of anyone who was unable to attend, and I did not heavily validate all these assessments.

Appliances. Many Asian-looking vendors (over half a dozen) now offer metal boxes in all form factors. They will load your software, apply your logo, pack, ship to, and bill your client. This struck me as a great example of the magic of the marketplace. Many clients prefer the appliance delivery model, which eliminates the install step, and many vendors prefer it because it may make their product harder to clone, and/or pad top-line revenue. The devices can obviously include custom security processors, etc. Some of the smaller boxes looked very cute.

ConfigureSoft. I sat through a short talk (by Dave Shackleford) explaining their audit compliance product. They've hired a full-time staff (which Dave heads) to monitor major info-sec policies (GLB, PCI, HIPAA, etc.) and continuously update their policy database. The database is mapped to an inventory of your systems, allowing you to immediately assess which machines need what remediation to bring them into compliance with which policies, and possibly to take corrective action at the touch of a button (when the change is amenable to that). Attractiveness would depend on pricing and maintenance costs, and software escrow might be desirable, in case you got highly dependent on it and they went out of business or an acquirer dropped support. Still, it seemed to deliver on its promise that you could pass an unscheduled audit.

GraniteKey. Small company with a kiosk in someone else's booth. I saw a brief demo of a risk assessment tool, offered as an online browser-based service, which allows you to build complex dependency trees, which the system will then reason about, to see whether your mitigations actually mitigate your risks. Works for problems other than security, as there was an example of leaking seals on food containers. I asked for a more in-depth demo (they are SF based). I liked it because a) you could potentially build very detailed dependencies, b) the system-generated reasoning may help catch human errors, c) many sets of eyes could review your analysis, d) analyses could be cloned and improved over time in a standard format, and e) the resulting printout would nicely document your assumptions, for when others came back later to second guess you. I could imagine a site license with multiple departments standardizing on it and sharing templates. (NOTE: I have not tested this yet.)

PKWare. How could they justify a full-size RSA booth? After Phil Katz died in 1997 his mother ran the Milwaukee-based company for a while, then his wife sold out to private investors. The investors included former corporate and banking IT execs, who transformed it into a rising competitor to PGP, with 20 developers on staff. Now there are mainframe versions of PKZip. They've added AES-256, X.509, secondary recovery passwords, USB stick encryption, and more, to target major accounts. This worked, as Citigroup has deployed SecureZip on 320,000 desktops. Now they're moving to automate customer service and shift back down market to the SME level. Their advantages are ease of use, universal user recognition, and X.509-based key management -- as long as PGP is not already deeply entrenched at a given client. I agreed with the rep that this was a potential B-School case study.

==> For a limited time you can download a free, fully-licensed, individual copy of SecureZip at after giving up your e-mail address. (Use MS-IE, not Firefox.)

PGP is now offering command line versions that run on mainframes and other platforms for automating batch operations.

Chilled RAM Attacks. At least 3-4 booths had huge photo renderings of big-horned sheep in polar ice conditions. (Good grief!) Apparently vendors were eager to profess that they were on top of this newly publicized vulnerability.

GemAlto / Microsoft. Two years ago GemPlus merged with another firm to form GemAlto, which now has 60% of the worldwide smart card market. I didn't see any big changes in their cards, but their rep touted Microsoft's new Identity Lifecycle Framework (ILF). The ILF is not free and runs (maybe) $14K extra, but will "turn on" and leverage the smart card features of the rest of Microsoft's software suite (Office, Outlook, etc.), e.g., for securing SOA under the .NET Framework. Evidently this is of great interest to GemAlto, since it can drive enterprise smart card deployments.

NetGear is now offering a large selection of (what I assume are) reasonably priced firewalls, secure gateways, and other boxes.

Red Hat is now offering an X.509 certificate system, and an audit policy framework.

Elsevier will soon commence publication of the International Journal of Critical Infrastructure Protection (IJCIP). This will no doubt cost real money, but is certainly needed.

Target department stores had a booth solely to recruit security engineers to come and work for them in Minneapolis.

NapaTech offers a family of boards that can sniff all the packets off a network, with protocol filtering, traffic analysis, etc. Prices run from $1,500 to $9,000 for the higher-performance sniffer (ahem, traffic analysis) boards. This reminded me of a case study of a large health care provider that logs their entire network, so if they notice a problem, such as inappropriate actions by a user, they can replay past traffic to look for related prior incidents.

Verdasys, Dan Geer's company, is taking their enterprise desktop security product down market with a B2C solution, where one initial deployment has (I think) 3 million clients. Dan may have acquired something resembling rock star status. I could not attend any of his book signing sessions, but when I mentioned that I knew Dan, the floor rep asked me to put in a good word for him, suggesting to me that he has developed a near-cult level of respect.
