RSA Conference Recap
A few weeks ago at RSA Conference, there were three areas that really stood out:
1. Mobile apps and mobile security
2. Cloud Security
3. BYOD (Bring your own device)
Mobile App Security:
While it is probable that I overlooked many things, I did not see anything that was earth shattering in this area. Considering the pace and trajectory of mobile threats, the solutions are too narrow in scope and do not offer much value. This is mostly due to the limitations of the mobile OSes themselves (see the Identive post on Mobile Security).
On a positive note, it is exciting to see vendors working to solve this, but I would personally like to see solutions that provide stronger authentication to the device than a PIN, a simpler way to sign email with an external smart card, and authentication to external applications and third parties beyond OTP generation through a soft token/app. If we are to truly transition from mobile access anywhere to “mobile computing”, this needs to happen.
Cloud Security:
There were a few things here that were interesting. To be honest, I think I DID miss stopping at some booths to get more details. A couple of notable companies are Symplified and CloudLock.
Symplified aggregates user identities across the web (internally and externally) to provide seamless access for users to cloud apps from different sources. I like what they are doing here: it fully recognizes that we are migrating to a cloud paradigm, and it focuses on simplifying this complex task for the internal IT department.
As more companies use public clouds, they reap the benefits, but there have been few tools to manage a group of users within them. Take Google Apps, for example, along with a new company called CloudLock. CloudLock provides a parallel service that links to the Google Apps account so that IT administration can be performed from it, giving visibility and control over who accessed what and what they are allowed to access. It is sort of RBAC (role-based access control) for public cloud apps.
They are not addressing identity or authentication, though; they leave that to be solved elsewhere, in conjunction with their product. In the spirit of security, I would have liked to see them build in administrator controls that require administrators to validate their identity before applying rules and controls to everyone else. Super User accounts that are based on username and password scare the daylights out of me, and most organizations aren’t going to easily figure this out in the same timeframe in which they can stand up this application. Hey CloudLock, if you read this…Identive can help.
BYOD (Bring Your Own Device):
This is the topic that I actually found to be the surprise standout. BYOD means that the device an individual uses to authenticate or validate their identity to an organization (or application), which would normally be issued by the corporate entity, is instead brought in by the user. So in this model IT doesn’t issue devices; end users sort of do, by bringing their own.
The theory, and the application model that justifies it, is that there is a binding process to securely associate (register) the device with the organization before it can be used inside the organization. The most common approach is to use a mobile device as an authenticator by downloading an OTP app to it from a public marketplace.
An example might be that I already have an Android phone that I previously purchased. I am a consultant doing work for two weeks at a company. I am instructed to go to the Android app store and download a publicly available application from one of these BYOD vendors. I launch the app, and it runs me through a process by which the software is registered to the organization, after which every subsequent OTP it generates is recognized and accepted. The registration can work differently across vendors and this was a very crude example, but you get the idea.
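As an added illustration of the binding-then-verify model (not code from the post or from any vendor mentioned in it), here is the server side in Python: a single-use enrollment code is handed to the consultant, the app redeems it to obtain a secret that is bound to (user, device), and later OTPs are accepted only from that bound device, with one step of clock skew tolerated and reuse of a code rejected. The class, method names and enrollment flow are assumptions for the example, not any vendor's protocol; the OTP itself is RFC 6238 TOTP.

```python
import hmac, hashlib, struct, secrets
from dataclasses import dataclass, field


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `at` (unix seconds)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class OrgAuthServer:
    """Constructed demo of the organization's side of a BYOD OTP enrollment (assumed design)."""
    enrollment_codes: dict = field(default_factory=dict)  # enrollment code -> user it was issued to
    bindings: dict = field(default_factory=dict)          # (user, device_id) -> shared OTP secret
    last_step: dict = field(default_factory=dict)         # (user, device_id) -> last accepted time step

    def issue_enrollment_code(self, user: str) -> str:
        # Single-use code the admin hands to the user out of band (e.g. at onboarding).
        code = secrets.token_urlsafe(8)
        self.enrollment_codes[code] = user
        return code

    def enroll(self, code: str, device_id: str) -> bytes:
        # The app redeems the code once; the returned secret is the device-to-org binding.
        if code not in self.enrollment_codes:
            raise ValueError("unknown or already-used enrollment code")
        user = self.enrollment_codes.pop(code)
        secret = secrets.token_bytes(20)
        self.bindings[(user, device_id)] = secret
        return secret

    def verify(self, user: str, device_id: str, otp: str, now: int, step: int = 30) -> bool:
        key = (user, device_id)
        secret = self.bindings.get(key)
        if secret is None:
            return False                          # device never registered: rejected
        for drift in (0, -1, 1):                  # accept one step of clock skew either way
            at = now + drift * step
            if hmac.compare_digest(totp(secret, at), otp):
                if at // step <= self.last_step.get(key, -1):
                    return False                  # same or older step already used: replay
                self.last_step[key] = at // step
                return True
        return False
```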
This is an upside for the organization because it does not have to distribute devices or push software out to all of them. It also doesn’t have to supply the device at all. Cost and efficiency.
The BIG question is: is there a market for this? Consider:
- As an infosec person, am I ok with people using their own devices?
- There is not yet enough data to go through all scenarios to see if the exploits are mitigated.
- WHO really needs a BYOD paradigm? It likely applies to specific audiences, use cases, and security profiles rather than to everyone across the enterprise.
The sheer number of vendors promoting this was quite impressive. However, I didn’t see much differentiation between their messaging and approach, and none really seemed to crash through the enterprise security requirement barrier (yet). This will evolve, though, and I look forward to next year when this is more mature. I predict this will be a significant growth area for consumer/cloud authentication and that, long term, it will blend with the first topic, mobile security.