A Cloudy Déjà vu

Last week we attended the RSA Conference Europe held in London. The conference had record attendance, with attendees coming from every imaginable Western and Eastern European country, and a significant contingent from even further afield.

Cyber threats and security were major conference topics. With many sessions attempting to raise awareness and draw attention to specific threats or the general threat level, it was interesting to see how some previous "hot topics" now seem to have less attention. For example, there were very few sessions focusing on social media or data loss prevention. A year ago these would have held prominent scheduling positions.

Instead of focusing on this past summer's SecurID attack, a couple of dominant themes unfolded and were mentioned at every turn. The first dominant theme was CLOUD! Every aspect of "cloud" was covered, from data protection, outsourcing agreement frameworks and its impact on compliance to its effect on infrastructure architecture and performance; no stone was left unturned.

When listening to both the cloud vendors and consumers of cloud services, something BlackRidge calls the "Cloud Paradox" arose many times: if each consumer of a cloud-based service wants to have the illusion of exclusive use of a cloud-based service, how do cloud service providers support that and deliver a scalable service at a "shared infrastructure" price point? BlackRidge's approach of using First Packet Authentication to segment cloud tenants from each other securely whilst still enabling a shared infrastructure model for the service provider found considerable resonance at the conference. (This pattern of being in London and hearing about the Cloud feels like Déjà vu!)

Mobility was another prominent theme, with several sessions discussing mobile malware threats. It was fascinating to see the debate thrashed out on the security implications of the Google Android "open" model of software development and deployment and the Apple "closed" model. No resolution was reached, of course, since this is a matter of perspective: each session looking at mobile malware had to concede that for non-jailbroken Apple devices the malware footprint is pretty much non-existent, with many more real, "in the wild" successful malware samples reaching the Android platform. For many, however, the disadvantages and restrictions of the "closed" model are deeply abhorrent, and mobile malware is a risk to be managed alongside the benefits of the "open" software development and distribution model. The debate continues!

There was much less analysis of the growing use of mobile as a consumer digital channel. It wasn't that this was ignored, but it was interesting how the focus was malware, when many of the participants were grappling with strategic mobile platform issues: which devices to support? Whether to develop an "app" or simply a mobile-friendly web site? What types of transaction and servicing activity should be supported via mobile channels and so on. Attendees were really grappling with the many questions posed by the speakers and how to best answer and assess risk.

In our own discussions relating to mobility, with both enterprise users and handset manufacturers, the "Internet of things" or "machine to machine" (M2M) emerged as arguably the real "10x" force that will shape the industry. As more devices speak to each other and exchange data, possibly without user interaction, what will the implications be for authentication, transaction security, key exchange, scalability, and so on? This is an area where BlackRidge's own technology of communicating a device or user identity within the first packet of a network session will be highly relevant.

If we could be so bold as to make a prediction for next year's conference, it is this: one of the principal topics will be the security implications of M2M. Check back next year to see if we were right!