RSA Europe 2009 – Day 3 Recap

by kriggins on October 25, 2009

in Conferences

The final day of RSA Europe 2009 was particularly special to me since it was my speaking debut at an RSA function.

About 20 minutes before I was due to go on I tweeted "6 VMs, a slide deck and me typing...easy peasy :)." Surprisingly enough, it was easy peasy. I got through the deck, there were no technical failures and I didn't make a single typing mistake... okay, the last bit is a fib.

Things went well and I was able to demonstrate most everything I wanted to. I am now looking forward to the audience feedback.

I did manage to attend a few sessions as well. I started the day out with "The Impact of Future Regulation on Risk & Security Management." The description indicated that the presentation would take a look at how future regulation might impact information security risk management. I was hoping for some possible guidance about what might be coming down the road, but that did not really appear. What was offered was a general implementation roadmap for any new regulation that might come along. Essentially, it was: study the new regulations, review current governance, define awareness, revise policy where appropriate, revise processes and controls as needed, and review and consolidate. Nothing earth-shattering, but not a bad plan either.

I next sat with James DeLuccia, who has some great recap posts too, in the "Can Virtualization Threaten Security & Compliance?" panel. This was a great discussion. One of those panels that you wish could go on well beyond the time allotted. There was a great deal of good commentary about the impact of virtualization on security and compliance. Beyond the conversation, three things really impressed me about this panel:

  1. It did not turn into discussion about cloud computing although cloud computing was covered where appropriate.
  2. The panel members were all very respectful of each other and the audience.
  3. The panel was prepared and ready to discuss the topic.

The information was flying fast and I was too busy paying attention and participating to take good notes, but a few things that stood out were:

  • Shadow IT - How are we going to enforce standards, policy and achieve compliance when anybody can fire up a virtual machine either internally or via a cloud service?
  • Server mobility is a real issue - What if the regulation you need to comply with says your machine has to stay in a particular location? How are you going to check that? How are you going to enforce that?
  • Inactivity/sprawl/licensing - Virtualization gives us the ability to rapidly provision servers and, in a lot of cases, without the active participation of an IT worker. How are we going to deal with sprawl? How are we going to manage licensing? How are we going to keep on top of active vs. inactive virtual machines? How are we going to deal with inactive machines?

One of my favorite bits from the panel was from John Howie, Senior Director, Microsoft Corporation. He said, a bit paraphrased, "The greatest threat to infosec pros is the Chief Financial Officer." This was in reference to the lower cost of running them and moving the expense from capital expenditure to operating expense. These business drivers mean we will see more and more call for virtualization.

I did attend the closing keynote. The only real message was there needed to be better integrated controls and they let me get away with it.

I will be making a final RSA Europe 2009 post with my general thoughts, so I will close this one down now.

-Kevin
