For the last several years, security experts and vendors at the RSA Conference have been explaining many of the risks associated with the use of cloud-based services. Far fewer have identified specific ways to protect data in the cloud.
The tide may change at RSA Conference 2011, according to a panel of industry experts and analysts assembled by conference organizers Wednesday to talk about some of the themes that may emerge from the industry’s largest security conference of the year. At least that’s their hope.
“There’s really only a handful of products or services out there designed to help somebody secure data in a cloud environment,” said Rich Mogull, a former Gartner analyst who heads Phoenix-based Securosis, a security research firm and consultancy.
Mogull said conference attendees will see a lot of hype from security vendors. Many are merely using the cloud as a service model for their security technology. Others have simply virtualized their appliances to make the technology deployable in virtual environments. Attendees should look for specifics from vendors, Mogull said.
Some innovative security technologies for cloud environments do exist, he said. Some vendors are developing new encryption capabilities for data stored in the cloud. Others are addressing the issue of key management in cloud environments. There are also emerging technologies around identity management in the cloud, and other vendors are showcasing innovative ways to lock down SaaS platforms.
Security experts and vendors need to stop talking superficially about the cloud and start speaking more specifically about the aspects of the cloud they are referring to, said Joshua Corman, research director of enterprise security at the 451 Group.
Conference attendees should ask vendors whether their product is “in, for or from the cloud,” Corman said. Vendors need to be clear whether their technology is sold to cloud tenants and “ideally optimized for cloud, virtualization, container or guest use.” Vendors should explain whether their product is intended for cloud providers to secure their “SaaS offerings and enable and support the security demands of their tenants.” And vendors need to say whether their technology is from the cloud and they are merely “using the cloud to deliver security capabilities to enterprises and end users.”
“People are calling everything cloud and when everything is cloud, nothing is,” Corman said. “If only vendors in their press announcements differentiate for if they are doing this in, for or from the cloud, will we start having a meaningful discussion.”
As with every RSA Conference, multiple themes will emerge. The panelists said the likely hot-button topics in 2011 will once again be compliance, the threats posed by smartphones and tablets in the enterprise, and securing the nation’s critical infrastructure.