I spent several days in San Francisco on my annual pilgrimage to the RSA security conference.
This year, I attended a few sessions related to cloud security, privacy and compliance, since my world these days is consumed with enhancing the security of our cloud platform and addressing the never-ending burden of maintaining compliance with the likes of PCI, SSAE 16, SOC 2 and HIPAA, and the recent changes related to Privacy Shield, which is the replacement for the European Union’s Safe Harbor.
Of course the RSA conference wouldn’t be complete without spending quality time with colleagues and friends at the myriad lunch events and evening parties. We talked about the convenience of having access to so many vendors — two huge expo floors, with some vendors on both. It’s definitely my preferred way of interacting with vendors. Some of the ones I talked to offer technology I was interested in and some have technology I have already deployed. RSA gives me a chance to discuss challenges or get face time with knowledgeable engineers.
In my office, if I’m interested in a technology, I typically have to set aside an hour for an office visit or online meeting. The first 15 minutes are usually gobbled up by logistics such as getting the representatives badged in, escorting them to the conference room and connecting with the remote people. Murphy’s Law usually applies, and folks get lost or there are remote setup problems. Then, you need 10 minutes for all the introductions. That’s followed by 15 minutes of marketing slides. So we have about 20 minutes left, and so far nothing of value. Finally, we might get a meaningful demo and a discussion about architecture. Most meetings end with me wishing I had been able to ask more questions.
At RSA, the formalities are tossed and you can jump right in, asking about the things you most want to know about. After a few short hours on the floor, six or seven vendors have given me a wealth of information and I have leads on several technologies I might be interested in moving forward with, as well as answers to questions about technologies I have already deployed.
This year I spent time with vendors that offer CASB (cloud access security broker) technology, which would let us extend and apply our security policies to the many SaaS-based cloud applications we use. Also intriguing was a tool that could help our operations team with behavior monitoring of privileged access to our production infrastructure. Another company of interest offers a way to very easily manage the security configurations of our critical infrastructure, although for now I will just be keeping tabs on its progress, because it doesn’t yet work with many of the primary devices and operating systems we use. Until that shortcoming is eliminated, I’ll continue to manage cumbersome XML-based policy files.
At the evening events, my colleagues and I shared thoughts on security strategy and opinions on what works and what doesn’t. Those discussions are a good way to validate that my security program is on track and a reminder that I’m not the only one with frustrations and problems. (In the case of our yearly PCI audit, our problems related to the auditors’ interpretation of some of the controls are paltry compared with what some colleagues are going through.)
Back in the office, I passed out the swag I had collected on the expo floor. Now I need to schedule some follow-up meetings with the most promising vendors and get back to maturing my security program.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.