For the last several years, security experts and vendors at the RSA Conference have explained the risks associated with the use of cloud-based services. Far fewer have identified specific ways to protect data in the cloud.
That may change at RSA Conference 2011, according to a panel of industry experts and analysts assembled Wednesday by conference organizers to discuss the themes that may emerge from the industry's largest security conference. At least that's their hope.
"There's really only a handful of products or services out there designed to help somebody secure data in a cloud environment," said Rich Mogull, a former Gartner analyst who heads Phoenix-based Securosis LLC, a security research firm and consultancy.
While the cloud is likely to be the most dominant theme at RSA, every year multiple key topics emerge. The panelists said hot-button topics in 2011 would likely include compliance, the threats posed by smartphones and tablets in the enterprise, and securing the nation's critical infrastructure.
The shift toward more mobile applications has fueled an increasing interest in secure software development. Herbert "Hugh" Thompson, program committee chair of RSA Conferences and chief security strategist at New York-based People Security, said companies seem more willing to share best practices around the software development lifecycle.
"We're seeing talks, even from specific large companies, that are saying, 'Here's exactly what we're doing internally. … Here's what developers are forced to do and here's what our testers are forced to execute on,'" Thompson said. "That's a positive trend."
But securing cloud services is the issue that's likely to be top of mind. Mogull said conference attendees will see a lot of hype from security vendors. Many vendors are merely using the cloud as a service model for their security technology. Others have simply virtualized their appliances to make the technology deployable in hosted virtual environments. Mogull said attendees should look for specifics from vendors.
Security experts and vendors need to stop talking superficially about the cloud and start speaking more specifically about the aspects of the cloud they are referring to, said Joshua Corman, research director of enterprise security at The 451 Group, a New York-based analyst firm.
Conference attendees should ask vendors whether their product is "in, for or from the cloud," Corman said. "People are calling everything cloud, and when everything is cloud, nothing is," he said. "We will start having a meaningful discussion when vendors, in their press announcements, differentiate if their technology is in, for or from the cloud."
Vendors need to be clear whether their technology is sold to cloud tenants and "ideally optimized for cloud, virtualization, container or guest use." Vendors should explain whether their product is intended for cloud providers to secure their "SaaS offerings and enable and support the security demands of their tenants." And vendors need to say whether their technology is from the cloud and they are merely "using the cloud to deliver security capabilities to enterprises and end users."
However, Mogull said some innovative security technologies for cloud environments do exist. A number of vendors are developing new encryption capabilities for data stored in the cloud. Others are addressing the issue of key management in cloud environments. There are also emerging technologies around identity management in the cloud, and other vendors are showcasing innovative ways to lock down SaaS platforms.
IT decision makers are finally gaining a better understanding of cloud technologies, and that could translate into more mature buying behaviors, said Rob Ayoub, an industry manager of information and communication technologies at Mountain View, Calif.-based research firm Frost & Sullivan.
Ayoub oversaw a survey of more than 10,000 security professionals commissioned by the security certification organization (ISC)². More than half of the respondents indicated their organization was already using SaaS or cloud services in some form or manner, Ayoub said. He added that survey respondents indicated they worried about data leakage and weak access controls.
"Maybe a lot of what's already been deployed in the cloud wasn't thought of as the core critical components of the cloud," Ayoub said. "Organizations thought they were not in the cloud yet when truthfully they're using Salesforce.com or another SaaS service."