Sailing off the Map: RSA 2015


Written by Chenxi Wang

The annual RSA conference is the biggest gathering of security professionals on the planet. The 2015 conference happened last week, with over 30,000 attendees descending upon San Francisco.

“We have sailed off the map, my friends,” RSA’s Amit Yoran said in his opening keynote. “Sitting here and awaiting instructions? Not an option. And neither is what we’ve been doing – continuing to sail on with our existing maps even though the world has changed.”

Sailing off the map the security industry certainly did. No one who attended the RSA conference 10 years ago would have predicted how big the industry has gotten or how complex and multi-dimensional security technologies have become.

At some level, the security industry is an oddity: failures of the past – failures to secure user data and applications – helped to foster today’s boom. Obviously, this is a caricaturized description – environments and attack methods have changed and hence new defense mechanisms are needed. But as Adi Shamir said on The Cryptographers Panel, the industry has “failed miserably” on several fronts. We cannot keep doing the same thing and expect that the next generation of technologies will save us from current failures.

That said, the industry is at an exciting juncture today; the number of dollars invested in security technologies and the number of new security startups entering the market are both at a historical high. It’s an exciting time for CipherCloud. Coming off the launch of our latest Cloud Discovery product, our CEO Pravin Kothari addressed America’s Growth Capital conference to a standing-room-only audience.

Security end users this year would find plenty of technologies to help them tackle the various problems confronting their organizations. For me, the highlights of RSA 2015 are:

  • Cryptographers’ panel called into question the practice of government key escrow. On the annual cryptographers’ panel, Ron Rivest said government backdoor access means many will have access to encrypted content: “This is going to be a house of many doors and many parties and it’s just not going to work.” Adi Shamir said that the security community has “failed miserably” in preparing end users for recognizing spear phishing and other threats that could lead to ransomware.
  • Waratek wins innovation sandbox: It’s great to see that Waratek, an application security company, won the coveted innovation sandbox prize at RSA. Waratek provides a run-time self-protection solution for applications by wrapping Java programs automatically within a virtual machine. The virtual machine can take care of program patching and zero-day threats. What they have built is akin to the proposal I made to the app sec community in my 2010 OWASP keynote on self-protecting programs. It’s great to see someone is making strides in that direction.
  • Cloud Security Alliance’s Top 5 security challenges: CipherCloud rocked the Cloud Security Alliance summit. On the top-five cloud security challenge panel, I posed the question: “Will enterprise continue to live with the added complexity of having separate security stacks for cloud deployments and internal operations?” “When is the time for these two stacks to start converging?” It was an interesting and spirited discussion on the direction of cloud security in front of a packed house.
  • Bugcrowd and crowd-sourcing security: What Bugcrowd is doing for the community is astounding. It is a crowd-sourced bug bounty and analysis program that harnesses the power of a broad security research community. Bugcrowd allows any company to quickly establish a bug bounty program and see immediate results. As an industry, we need more programs like Bugcrowd and more vulnerability/threat intelligence sharing, which is also a hot topic at this year’s conference.

And of course, one of the best things about RSA is the opportunity to see friends and colleagues that you have not seen for some time. I certainly did plenty of that, and made new friends along the way. It was an exhausting but rewarding four days. Adios RSA, until next year!