
Security budget issues to resonate at RSA Conference

By Robert Westervelt, News Editor
16 Apr 2009 | SearchSecurity.com


The glum economy has put increased pressure on CISOs to cut costs while maintaining the same security defenses. Tightening budgets, coupled with increased compliance demands, could have security professionals looking for answers next week at the 2009 RSA Conference.

"Security budgets are generally not being cut; we are finding that they are staying flat in many cases," said Andreas Antonopoulos, senior vice president and founding partner of Nemertes Research. "Given the increased threats and pressures on security, a flat budget with increased threats equals a cut budget."

Antonopoulos and two other industry analysts took part in a teleconference hosted by RSA Wednesday to discuss the top security trends that could resonate at the conference. Thousands of security professionals are expected to attend the conference, April 20-24, in San Francisco.
RSA Conference: A look back
RSA Conference 2008 special news coverage: Experts shared best practices on data classification, Google explained its security strategy and Michael Chertoff, secretary of the Department of Homeland Security, called on the private sector for more help at the 2008 RSA Conference.

RSA Conference 2007 special news coverage: The future of cryptography was discussed, Oracle CEO Larry Ellison went missing and Microsoft's Bill Gates talked about authentication and access management strategies at the 2007 RSA Conference.

RSA Conference 2006 special news coverage: Cisco Systems Inc. unveiled its self-defending network strategy, Microsoft's Bill Gates unveiled the company's security vision and FBI director Robert Mueller asked for more cooperation at the 2006 RSA Conference.

Virtualization security, which has seen increased interest in recent years, could get even more attention at this year's conference. The technology promises significant cost savings, according to early adopters, but its increased use with sensitive data has some security pros wondering how companies can maintain the same levels of security in a virtual environment. Antonopoulos said he expects a significant increase in security vendors touting products designed to protect virtual environments and secure data in the cloud.

"Virtualization is a great example of how technologies come along and disrupt the equilibrium that has been reached over the years," Antonopoulos said. "Virtualization is a great technology; it's only pointing out the flaws and mistaken assumptions we've made in our security paradigms and so we need to reevaluate those models."

Other firms are turning to Software as a Service (SaaS) to cut costs, including shifting some security programs onto managed security services. The analysts said many companies will take a look at cloud-based security services to cut costs.

The Cloud Security Alliance plans to start the dialogue on the issue of virtualization security and securing data in the cloud, officially launching at the event. The fledgling organization plans to release a whitepaper outlining 15 areas that need attention. Jim Reavis, cofounder of the organization, said it would try to provide a big-picture perspective of solid governance, risk management and technology mitigation around cloud computing.

"This is going to provide some solid information, but also define a lot more work that we all need to work together on," Reavis said.

Charles Kolodgy, research director for IDC's security products service, said he expects some companies to pay more attention to encryption technologies and products that address application security. While many firms have encryption of data in motion under control, others are looking for efficient ways to encrypt data at rest, Kolodgy said. Encryption has gained momentum over the last several years. Seagate has produced enterprise-class encrypted hard drives. The company has been pushing to get encryption into the data center. More recently, Samsung developed self-encrypting solid state drives that automatically encrypt data saved to the drive.

"There's a lot of interest in data at rest encryption and it ranges all the way from a person's laptop and mobile devices up to large storage arrays and tapes," Kolodgy said. "Encryption is sometimes hard to grasp … but I think the real key is just understanding that it's required, why it's required and where people need to do it and how they're going about meeting these needs in different ways because there is no one single answer."

Meanwhile, attackers targeting Web application vulnerabilities to break into company systems have put the spotlight on application security scanning technologies to mitigate the threat posed by major flaws such as SQL injection errors, he said.

"The issue of having strong security at the application level is critical," Kolodgy said. "The real key is getting into making software secure before it gets deployed or being able to fix it quickly as it goes live."

Chenxi Wang, principal analyst at Forrester Research Inc., said a Forrester survey conducted last November suggests that companies are cutting back on secure software development. Instead, they're turning to compliance-driven technologies such as application scanning and Web application firewalls to bolster defenses. Still, an increasing number of firms are deploying consumer-based technologies such as Web-based applications, which are frequently targeted by attackers.

"Today they're not investing as much in an end-to-end application security program," Wang said. "We're encouraging companies thinking about opening up their company boundaries to include collaboration oriented consumer technologies to think about their application security measures and their investment commitment level."


Vendors that address application security issues are beginning to gain more attention. One vendor that addresses application security is a finalist in the Most Innovative Company at RSA Conference 2009 contest. SafeMashups Inc. has produced a standard SSL protocol to secure bundled Web applications, allowing them to authenticate each other securely when mashed together. Another firm, Mykonos Software, plans to launch at RSA. A spokesperson for the company said its software tools help developers build Web applications more securely. The new product addresses AJAX vulnerabilities at the code level.
