What was missing from RSA Conference 2006

Feb 22, 2006 | 5 min read
While much of this year’s RSA Conference was more about progress being made toward the integration of security with infrastructure and systems, there were some memorable moments for what was not seen or heard from the major security vendors.

There was a relative dearth of feisty sparring among the keynote speakers, with the principal exception of Sun CEO Scott McNealy, who took expected jabs at Microsoft. This is in dramatic contrast to 2005’s open contention between Microsoft and Symantec as they squared off in their battle for securing Windows environments – particularly Symantec CEO John Thompson’s 2005 keynote in which he took Microsoft on directly for its inadequacies in securing heterogeneous environments and enterprises – and TippingPoint against its competitors as they showcased new offerings targeting the intrusion defense market.

While vendors such as Cisco demonstrated new product functionalities around integrating security event management with remediation, and CA demonstrated how its SiteMinder identity management tools can integrate with network admission control initiatives, other keynotes were notable for their lack of product- or company-specific information.

Microsoft Chairman Bill Gates made what has become his customary Tuesday morning RSA keynote, and made public a number of new security developments. But with some substantial exceptions (which we’ll come back to later), these tended to reflect progress rather than revelation.

Many of Microsoft’s most provocative moves into security since last year’s RSA event have already appeared in the market, in beta at least, and were not mentioned during Gates’ keynote. These include the company’s Windows Live initiatives, which feature its OneCare Live service for transparently maintaining Microsoft anti-virus, anti-spyware and system security maintenance. OneCare directly challenges the security market leaders.

Even more noteworthy was the absence in Symantec CEO John Thompson’s keynote of any mention of new products or initiatives. Symantec is planning its own security-as-a-service functionality in its Project Genesis initiative, and recently made its most significant push into enterprise management since its merger with Veritas, with the acquisition of application configuration management vendor, Relicore. But neither item was even touched on in Thompson’s remarkably slideware-free presentation. Instead, the focus of Thompson’s talk was primarily on the need for a single, consolidated national regulatory policy on information privacy in the U.S.

The marginal presence of VoIP proof-points generally was also in stark contrast to the comparatively high visibility given to the advancement of converged networks outside the security market. This is, of course, due to the immaturity of the field of VoIP security – but it is disconcerting nonetheless because it indicates that, once again, IT is being set up to take a security fall, as popular and desirable functionality is being enthusiastically deployed well in advance of any coherent understanding of what its risks are likely to be. VoIP infrastructure vendors are reluctant to embrace highly specific security measures until they see wide adoption, which means it may take widespread attacks or abuses of VoIP in order to raise awareness and precipitate customer demand for a more coherent approach to VoIP security.

This is not to say that this year’s RSA Conference was news-free. Among the more interesting developments was the emergence of initiatives to broaden, as well as deepen, the integration of identity in IT. Microsoft made its most public announcement of its federation initiatives to date – long awaited from the vendor of Active Directory, one of the most widely deployed identity information resources in IT – and also highlighted its InfoCard approach to multifactor authentication. Not surprisingly, widening the scope of identity in security management also factored significantly in keynote messages from CA, RSA, Sun and VeriSign.

If there was a consistent theme among this year’s participants, it’s that everyone sees the need to bring integrated coherence to security management – but on whose terms? Customers face substantial challenges in selecting and integrating the right combination of cost-effective tools in a fragmented market of hundreds of players in siloed domains. Clearly, consolidation will continue to be a leading theme in the security market – yet while single-vendor solutions are gaining momentum, some vendor executives, such as Internet Security Systems CEO Thomas Noonan, expressed the belief that unified and integrated security management platforms can be open to solutions from multiple sources.

Will this belief come to pass as the security market consolidates the universe of solutions around a few major vendors? While possible, it seems unlikely that the market will become as highly consolidated as some imagine. New threats constantly emerge, presenting new challenges that agile pure plays will always be in the best position to address quickly.

Perhaps, then, it may not be technology consolidation so much as the discipline of risk management – the objective measurement and analysis of vulnerabilities, threats, risks, and IT asset values for strategic decision support in the most sophisticated IT security operations represented at RSA – that will show the way toward the coherence so badly needed in IT security management.