
RSA 2017 - Security Pains for Software Providers and Government

Posted: February 17, 2017   /   By: Dan Conde   /   Tags: Cloud Computing, Cybersecurity, Networking


As the RSA Conference continues to grow, I saw two ends of the spectrum of solving security problems. At one end is a software provider, Autodesk, which is figuring out how to provide security while it adopts cloud computing, SaaS, open source, and CI/CD methods. At the other end were the challenges the US Federal government faces in delivering cybersecurity in an always-connected world.

In the useful talk presented by Autodesk's Tony Arous, Head of Application Security, and Reeny Sondhi, Chief of Product Security, titled "Rethinking Product Security: Cloud Demands a New Way," we learned that issues in areas as disparate as corporate culture, the move to using open source, and CI/CD methodologies for deploying software in a cloud combine to create new security challenges. You are no longer delivering shrink-wrapped software that goes through an old-school waterfall methodology, where you have plenty of time to gather and specify requirements, test security, run beta tests, and gain confidence that the product is secure. Instead, you incorporate pieces of open source and deliver continuously to a cloud SaaS model, which forces you to rethink every aspect of how you provide security. The talk is too long to summarize here, but the takeaway is that you need to look at everything -- from technology all the way to company culture -- to make sure that old methods do not impede the adoption of new software development and delivery methods. Even though Autodesk is a software provider, all firms that develop cloud software, including enterprises creating internal apps, ought to heed these lessons. I hope they share them for all to read.

At the other end of the spectrum was a forum titled "Modern Policymaking in a Hyper-Connected World," a panel moderated by Michael Daniel, Former Special Assistant to the President, Cybersecurity Coordinator; with panelists Adam Hickey, Deputy Assistant Attorney General (DAAG), National Asset Protection, US Department of Justice; and Jeanette Manfra, Acting Deputy Under Secretary, Office of Cybersecurity and Communications (CS&C), National Protection and Programs Directorate (NPPD), Department of Homeland Security (DHS).

These departments face the challenge of moving a large organization into the modern age, recognizing that their assets and processes are traditionally slow moving, with legacy requirements, internal oversight, and fixed responsibilities. But they can't hide in a box and move slowly. Society demands immediate action (often in response to world events), adaptation to fast rates of innovation, and ultimately that the government deliver on its responsibility to provide frameworks that guide other departments as well as private industry.

There is a tremendous tension between providing security and ensuring the freedom that the citizens of the United States expect. I am in no way saying that they are shying away from the problem, as you would expect from a clichéd view of a government bureaucracy. I recognize that they have a completely different set of challenges from those a SaaS vendor such as Autodesk faces. The issues are more complex, and they are doing thankless work to deliver change. Almost all aspects of the government are connected via networking and are therefore increasingly vulnerable, but you can't simply reduce connectivity to ensure security, because we all demand easy access to information and services.

The key item is adhering to a set of policies and conventions that cannot be changed at a moment's notice. Enterprises too can learn from this, as compliance and regulations also govern enterprise behavior. Understanding and respecting the challenges these departments face will give pause to enterprises that think they have a complex task in securing their retail stores, online banking, or medical systems.

Understanding the requirements these departments face will give us pause: some of the commercial enterprises' challenges are minor in the grand scheme of things related to national security, where the stakes are obviously higher.

I wish there were more representation from the current administration and its views on cybersecurity. Prior years' RSA conferences had good representation from various federal agencies, such as Attorney General Loretta E. Lynch or Secretary Jeh Johnson of the Department of Homeland Security, both from President Obama's administration. Given the current cybersecurity climate, it would have been nice to hear how the current administration views this topic, for example from someone in cybersecurity adviser Giuliani's office.


Dan Conde

Dan is an analyst covering distributed system technologies, including cloud computing and enterprise networking. In this era of IT infrastructure transformation, Dan's research focuses on how and where workloads run, and how end users and systems connect to each other. Cloud technologies are driving much of the change in IT today. Dan's coverage includes public cloud platforms, cloud and container orchestration systems, software-defined architectures, and related management tools. Connectivity is important for linking users and applications to new cloud-based IT. Areas covered include data center, campus, wide-area, and software-defined networking; network virtualization; storage networking; network security; internet/cloud networking; and related monitoring and management tools. His experience in product management, marketing, professional services, and software development provides a broad view into the needs of vendors and end users.
