Avoiding the Big One. It's not all that hard
The takeaway from RSA 2008 wasn't too different from years past: When it comes to security, individuals and companies need to get serious about best practices. What's the holdup?
It's fashionable to dismiss trade shows as so 1998, but there's almost always something that makes it worthwhile if you look hard enough. So it was that the coolest thing I saw at the RSA 2008 conference this week was a prototype portable virtualization technology that SanDisk will begin selling in the second half of the year.
The product, developed in conjunction with Check Point, lets you copy a protected version of your apps and then plug into any client machine. When you're done, the "virtualized" version of your desktop disappears after logging out.
My hunch is that this concept is going to continue to gain popularity, especially given the ongoing advances in "cloud storage." By the way, MokaFive is already out with software that lets you fit an operating system and application stack on a USB flash device. U3 also gained attention a couple of years ago. Kate Purmal, the former president of the company, is now a VP at SanDisk. There are a few others that I can't think of right at this moment.
When I met up with Check Point Software's CEO Gil Shwed to talk about the SanDisk relationship as well as the wider security arena, he was predictably upbeat in describing another advance in safeguarding portable data. But, he added, the ultimate success depends upon guaranteeing that the information will be "secure and protected."
Secure and protected. I can't tell you how many times I heard that line walking the show floor or in meetings the last couple of days. It's a great tech cliche these days. The rub is that no matter how good the technology offered by Check Point or any other security provider, we remain creatures of habit--and when it comes to security, bad habits, mostly. Every security expert I spoke with agreed that your typical computer user inadvertently functions as the bad guys' best friend. That was the other takeaway from the conference. Security professionals are at wit's end when it comes to persuading the rank-and-file to do the right thing.
Shwed and others say it's a matter of enforcing best practices. When Department of Homeland Security Secretary Michael Chertoff spoke on Monday, he pounded away at that theme. I heard the same thing from Howard Schmidt, who previously served as vice chair of the president's Critical Infrastructure Protection Board and as the special adviser for cyberspace security for the White House.
"The (best practices) concept is good but it's gotta be in your face," said Schmidt, now heading his own consultancy, R & H Security Consulting.
Schmidt's right, but we're a long way from attaching DefCon 1 importance to the topic. I could go on for another 1,000 words enumerating the whys and wherefores, but suffice to say that society has been lulled into a false sense of assurance about digital security. Maybe it will take a concerted cyberattack to shake that lethargy. (Estonian government and business Web sites last year suffered denial-of-service attacks protesting the move of a World War II statue in Estonia. Meanwhile, the Arabs and the Israelis have been engaged in low-level cyber skirmishing for several years.) John Thompson of Symantec drew an analogy with the Smokey Bear campaign in the 1960s and 1970s, when the government sought to reduce forest fires through public education. Clearly, he said, it had had an impact.
"And now you have critical business and government information exposed, and people realize there's an underground economy involved in trading stolen data," Thompson told me. "Also, you have nation states (digitally) attacking each other for competitive edge in a global economy. And so the government realizes that now is the time to act. But when you talk about best practices and thinking holistically, or extending responsibility to more than just the IT heads, that's not new."
DHS has requested $192 million to spend on cyberdefense in the next fiscal year, up from the current $115 million. Given the other budgetary demands related to digital security, that doesn't leave a lot of shekels to foster public education. The implicit message is that Uncle Sam is waiting for the private sector to pick up the tab. I suppose it's just as well that individual companies fill the breach before they suffer the Big One.