RSA 2007

Symantec's RSA Keynote: Confidence misplaced?

Submitted by Mike Rothman on Tue, 2007-02-06 13:52.

Once again, no demos. This is an interesting trend. Everyone is taking a step back and trying to think strategically about where the business is going. NO product stuff. NO demos. Is this RSA?

John Thompson starts up by talking about how things are changing. More collaboration and online transactions. The user is in charge. More NSS.

IT systems are drivers of collaboration and growth. CONFIDENCE is the key value in this new world. Amazingly enough, isn't Norton's new consumer product called "Norton Confidential"? Coincidence?

Symantec announced a new identity initiative last week at Demo. I didn't cover it because it is at least 12 months off and requires a lot of folks to play along, which has proven very, very hard in the past. I don't think Symantec is the right player to drive an independent Identity Network.

Thompson says the role of security officers must evolve to encompass "risk management": identifying and quantifying company risk vs. company return, and the risk to the availability of data and to compliance. This sounds pretty Pragmatic too!

He's laying on a lot of FUD. $2 billion in opportunity cost in e-commerce because people are scared. GPS malware. John wears a fancy suit (black mock turtleneck is killer), but he's talking like Chicken Little nonetheless.

SO what's the answer? AV and firewalls are the first line of defense (shocker). But you need more. Even a "less vulnerable" operating platform will still be vulnerable over time. Guess you better renew your AV subscription, no?

But identity is the key challenge. Identity management is about operational streamlining, NOT adding new capabilities. He actually said "user-centric" identity.

Now we have McAfee trying to take the high ground with security risk management, which is a term that's been around forever. Now the Big Yellow is focusing on trying to co-opt "user-centric" identity. This is highway robbery and Microsoft should be pissed. Of all the big technology companies, Microsoft has been on the front end of the Identity 2.0 developments.

Not only are CA and IBM now the competition, he's going after Microsoft too on the identity front. But Symantec doesn't have any real identity assets. They should just buy something (maybe authentication) and start really playing. How about Entrust? That could be an interesting combination.

Now he's transitioning to talk about security "intelligence" and its ability to let you know what's coming. I do believe in this capability and its importance to staying out ahead of the bad guys. Got to give props to Symantec on this; they continue to make the investments in research.

It's all about user-centricity for the Big Yellow. Very interesting. So, are they not focused on the enterprise anymore? This sounds like Microsoft, but I guess Symantec needs an excuse for why customers should keep its agents deployed on their devices.

But my nagging question is whether this is enough. Symantec is under siege on all fronts; will the focus on identity and users happen fast enough to deal with the inevitable erosion of their core business? Let's just say, I don't have a lot of confidence that it'll be enough.

RSA's RSA Keynote: The End of the World as We Know It

Submitted by Mike Rothman on Tue, 2007-02-06 12:46.

Art looks tanned, relaxed and healthy. A $2.1 Billion deal will do that for you.

Oh, yeah. Back to the keynote. He seems to be channeling Joe Tucci (head of EMC). It's all about the information. "If you can't manage the information, you can't secure it." You think he's in the information management business?

Clearly the approach we've taken for security isn't working. I've said that once or twice before. So I'm there with him.

He's calling for THE END OF THE STAND-ALONE SECURITY INDUSTRY. Within 2-3 years. That's a Bill Gates-ian prediction a la spam. Interestingly enough, he's putting the nail in the coffin of his own damn conference. If there is no stand-alone security business, who is going to pay the tab?

Big is the new small. Boy, the stuff I wrote last year was right on the money. Kind of scary. I better think of some new stuff for this year. Did I mention the Pragmatic CSO? That's new, right?

Security is inextricably linked to business strategy. Man, that's Pragmatic.

Now he's talking about how security can "accelerate" business. That's crap. Didn't believe it back then, don't believe it now.

But security is a hallmark of all the big technology providers. It's true. Cisco, HP, IBM, EMC, etc. Security is a key part of what all of these folks are doing.

Security is not about firewalls and IPS. It's about cash, unimpeded business processes, the customer experience. Interesting. We haven't implemented "information security." Haven't focused on the information or linked security to the information. Amen.

The new term is INFORMATION-CENTRIC security. Start at the core and work out. Minimize risk. Three guiding principles:

  1. Not about perfect security - security aligns with the value of the information they are trying to protect. Did Art read my book when I wasn't looking???

  2. Needs to adapt - Pattern recognition right into the infrastructure. Kind of like an anomaly detection-based approach, based on behavioral techniques. It's the only way to defeat malware. Of course he pushes adaptive authentication. I do buy into that.

  3. Requires defense in depth - Proactively understanding the risk to your organization. Intelligence sharing and a layered approach to security. Need to leverage security being built into applications.

Now he's pushing EMC's other software products. Oh joy. At least Art knows who pays his salary.

Another pitch without a demo or specific product announcements. Maybe this is a trend.

Microsoft's RSA Keynote Conversation: Where's the beef?

Submitted by Mike Rothman on Tue, 2007-02-06 12:14.

Part of me wonders whether Microsoft will ever be able to impress me with a keynote. Last year, I hated it because Bill Gates didn't really say anything. This year, he and Craig Mundie are sitting down and talking to us.

I don't like this either. Let's be clear, this is not Gartner's ITExpo. This format isn't working for me. Maybe I'm jaded by folks like Steve Jobs and John Chambers, who are great performers. Even when they say next to nothing, it feels substantive. Bill Gates is never going to present like Steve Jobs, so I should probably recalibrate my expectations.

I find this kind of boring. Too much setup. It took way too long for them to tell us that they are going to talk about 3 things: Networks, Protection and Identity.

Very little on actual products. No demo. That's very interesting. I think this is a lost opportunity. Microsoft is trying to push the conversation forward, but they aren't balancing that need with showing customers what they can do today.

Jeez, I'm very surprised by this. I figured he'd just talk about how great and secure Vista is and talk up Forefront and how security is very important to Microsoft. Not much on that at all. Is this Microsoft?

Security feels like a feature in their view of how the infrastructure shakes out. This is counter-intuitive. When they weren't doing anything, they talked about all these products that were coming (but not for years). Now that they've actually done something, they aren't talking about it. Go figure.

Customers can't wait until 2009 or 2010 for Microsoft to help them out. They talked about evolution (not revolution), but didn't lay out a plan for customers. So that is disappointing.

I do like the fact they are focused on setting the agenda, but there is no meat behind the story. It's not clear whether it's chicken, fish, beef or lamb. I don't know how this is going to look, and I probably won't know for 2 or 3 years. I'm an impatient guy and you probably are too.

WHERE'S THE BEEF?!?!?!?

Below are my raw notes and thoughts tapped out during the presentation; check them out if stream of consciousness is interesting.

At first they are focusing on the network, something near and dear to my heart. It needs to evolve. Right on. No one is going to rip and replace (except maybe for a greenfield location). The slide talks about a "trusted zone" and an "untrusted zone." IPSec is the technology they'll use. Seems very 2004 to me, especially since Microsoft themselves announced a new SSL VPN product last week.

"Policy, not topology." Hmmm. That's interesting, especially given mobility and the fact that most companies can't assume they control the networks that their users will connect over. Mundie now talks about Microsoft's own internal challenges. They are a big, global company. How are they eating their own dog food?

They use IPv6, IPSec, and store everything in Active Directory. Individual policies based on USER, not where the user is. Given that Microsoft controls most of the users out there, it's pretty logical that they would be looking at building an overlay. Allows them to poke Cisco in the eye - marginalize the network in the enforcement of security.

Now Gates starts talking about "health checks." They are talking about NAC (or what they call NAP). They spoke about NAP last year. What's new? Nothing, except that it's again a USER-centric model, which makes sense for Microsoft. But this requires Longhorn Server. Chalk it up for 2008, maybe.

Using their own environment as a case study to make the points is pretty effective.

Now he's talking about applying a default deny approach for information access. Don't let folks just get to anything once they connect to the network. Network Access Control (as opposed to pre-admission control), that's novel, eh? I wonder if that will show up as a default with Longhorn. That would be a lot of long term gain, but significant short term pain.

They are moving to talking about "protection." Which is basically information security. Hmm. Their architecture aligns pretty closely with the Pragmatic Security Architecture that I wrote about this time last year. Coincidence? Yep, pretty much.

Securing data at rest and in motion. How? Rights management. Arghhh. The world is not ubiquitously Microsoft, so how does their flavor of rights management help me with that? Applications are also part of the equation. NSS (No Shit Sherlock). They "trust" the program and application? I don't buy it. Applications can be broken, and trojans and rootkits installed at the hardware level complicate things. I don't know that I trust it.

Now "identity," which is the biggest issue. Again Gates is railing on passwords. Didn't he do that last year? Did they make any progress in deploying smart cards (and certificates)? This is a broken record. Passwords are not dead. Not by a long shot.

Microsoft's directory is the key to their identity strategy. Managing certificates. This is a load of hogwash. Passwords aren't the problem. CardSpace is kind of interesting. Not enough to get me to upgrade to Vista right now, but I do look forward to kicking the tires on that.

They are announcing support of OpenID 2.0 within CardSpace. That's the only product announcement they are talking about. Again, I think this is a lost opportunity.

They are wrapping up with a discussion on interoperability. But it's not with other OSes or other ecosystem players, it's about drivers that plug into PCs. Actually it's not. Heterogeneous to them seems to mean Windows everywhere, but on different computers.

Big partner slide. Hundreds of little logos. Like someone wouldn't get involved in Microsoft's partner program.

This will be Bill's last appearance at RSA, since he's got a lot of money to give away. Passing the torch to Mundie. At least he combs his hair.