This post is part of a multi-part series about the Securosis Guide to the RSA Conference (download the RSAC-G PDF). Please scroll to the bottom for links to other posts in the series.
Data security is the toughest coverage area to write up this year. It reminds us of those bad apocalypse films, where everyone runs around building DIY tanks and improvising explosives to "save the children," before driving off to battle the undead hordes and—leaving the kids with a couple spoons, some dirt, and a can of corned beef hash.
We have long argued for information-centric security—protecting data needs to be an equal or higher priority than defending infrastructure itself. Thanks to a succession of major breaches and a country or two treating our corporate intellectual property like a Metallica song during Napster's heyday, CEOs and Directors now get it: data security matters. It not only matters—it permeates everything we do across the practice of security (except for DDoS).
But that also means data security appears in every section in this year's RSAC Guide. But it doesn't mean anyone has the slightest clue of how to stop the hemorrhaging.
Anyone Have a Bigger Hammer?
From secret-stealing APTs, to credit-card-munching cybercrime syndicates, our most immediate response is... more network and endpoint security.
That's right—the biggest trends in data security are network and endpoint security. Better firewalls, sandboxes, endpoint whitelisting, and all the other stuff in those two buckets. When a company gets breached the first step (after hiring an incident response firm to quote in the press release, saying this was a "sophisticated attack") is to double down on new anti-malware and analytics.
It makes sense. That's how the bad guys most frequently get in. But it also misses the point.
Years ago we wrote up something called the "Data Breach Triangle." A breach requires three things: an exploit (a way in), something to steal (data) and an egress (way out). Take away any side of that triangle, and no breach. But stopping the exploit is probably the hardest, most expensive side to crack—especially because we have spent the last thirty years working on it... unsuccessfully.
The vast majority of data security you'll see at this conference, from presentations to the show floor, will be more of the same stuff we have always seen, but newer and shinier. As if throwing more money at the same failed solutions will really solve the problem. Look—you need network and endpoint security, but doubling down doesn't seem to be changing the odds. Perhaps a little diversification is in order.
The Cloud Ate My Babies
Data security is still one of the top two concerns we run into when working with clients on cloud projects—the other is compliance. Vendors are listening, so you will see no shortage of banners and barkers offering to protect your data in the cloud.
Which is weird, because if you pick a decent cloud provider the odds are that your data is far safer with them than in your self-managed data center. Why? Economics. Cloud providers know they can easily lose vast numbers of customers if they are breached. The startups aren't always there, but the established providers really don't mess around—they devote far more budget and effort to protecting customer data than nearly any enterprise we have worked with.
Really, how many of you require dual authorization to access any data? Exclusively through a monitored portal, with all activity completely audited and two-factor authentication enforced? That's table stakes for these guys.
Before investing in extra data security for the cloud, ask yourself what you are protecting it from. If the data is regulated you may need extra assurance and logging for compliance. Maybe you aren't using a major provider. But for most data, in most situations, we bet you don't need anything too extreme. If a cloud data protection solution mostly protects you from an administrator at your provider, you might want to just give them a fake number.
One area trending down is the concern over data loss from portable devices. It is hard to justify spending money here when we can find almost no cases of material losses or public disclosures from someone using a properly-secured phone or tablet. Especially on iOS, which is so secure the FBI is begging Congress to force Apple to add a back door (we won't make a joke here—we don't want to get our editor fired).
You will still see it on the show floor, and maybe a few sessions (probably panels) where there's a lot of FUD, but we mostly see this being wrapped up into Mobile Device Management and Cloud Security Gateways, and by the providers themselves. It's still on the list—just not a priority.
Encrypt, Tokenize, or Die (well, look for another job)
Many organizations are beginning to realize they don't need to encrypt every piece of data in data centers and at cloud providers, but there are still a couple massive categories where you'd better encrypt or you can kiss your job goodbye. Payment data, some PII, and some medical data demand belt and suspenders.
What's fascinating is that we see encryption of this data being pushed up the stack into applications. Whether in the cloud or on-premise, there is increasing recognition that merely encrypting some hard drives won't cut it. Organizations are increasingly encrypting or tokenizing at the point of collection. Tokenization is generally preferred for existing apps, and encryption for new ones.
Unless you are looking at payment networks, which use both.
You might actually see this more in sessions than on the show floor. While there are some new encryption and tokenization vendors, it is mostly the same names we have been working with for nearly 10 years. Because encryption is hard.
Don't get hung up on different tokenization methods; the security and performance of the token vault itself matters more. Walk in with a list of your programming languages and architectural requirements, because each of these products has very different levels of support for integrating with your projects. The lack of a good SDK in the language you need, or a REST API, can set you back months.
Cloud Encryption Gets Funky
Want to use a cloud provider but still control your own encryption keys? Want your cloud provider to offer a complete encryption and key management service? Want to NSA proof your cloud?
Done. Done. And sort of doable.
The biggest encryption news this year comes from the cloud providers themselves, and you will start seeing it all over the place. Box now lets you manage the encryption keys used by the platform. Amazon has two different customer-managed encryption options, one of them slowly being baked into every one of their services, and the other configurable in a way you can use to prevent government snooping. Even Microsoft is getting into the game with customer-manageed keys for Azure (we hear).
None of this makes the independent encryption vendors happy. Especially the startups.
But it is good news for customers, and we expect to see this trend increase every year. It really doesn't always make sense to try bolting encryption onto the outside of your cloud. Performance and fundamental application functionality become issues. If your provider can offer it while you retain control? Then you are golden.
Check out other posts in the series: Introduction
Theme posts: Change; Internet of Things; Professionalism; Compliance; Big Data; Bonk; DevOps
Coverage Area Deep Dives: Overview; Endpoint Security; Network Security; IAM; Cloud Security; Data Security; Security Management;
Download your copy of RSAC-G