Trends emerge from RSA show

SAN JOSE, California--The annual RSA Data Security conference, once a smallish gathering of cryptographers, high-level mathematicians, and hard-line privacy advocates, has evolved into the most important gathering of the Internet security industry.

It goes beyond the 50-plus companies announcing new products at RSA, beyond the preliminary deal negotiations, beyond the professional conference sessions on the hottest topics, and beyond IBM's annual Cryptographers Gala [held this year at San Jose's new Tech Museum].

With an ear to the ground, one can discern the forces shaping the Internet security industry. Here are the 10 trends that will move the industry in 1999:

1. Consolidation--You ain't seen nuthin' yet
Jim Hurley, industry analyst at Aberdeen Group, earlier this week cited Kroll-O'Gara's January 4 purchase of Internet security startup Securify as a trend for the future. Acquisition-minded Kroll-O'Gara offers a full range of security services in the physical world and is coming online.

"We are going to see more of these kinds of examples as we go forward," Hurley said in a speech at the RSA Data Security conference. "It will extend the envelope of security." To underscore the trend, yesterday Kroll-O'Gara bought another Internet security firm, Background America.

2. Security--not a suite idea.
Ted Julian, the well-regarded security analyst at Forrester Research didn't make the RSA show, but his presence was felt nonetheless. Vendor after vendor cited Julian's November report, "Security Suites: Dead On Arrival." One keynoter laid out Julian's hypothesis in elaborate detail.

Julian's argument: Cobbling together several different security technologies--firewall, intrusion detection, and antivirus software, for example--into a suite of security products makes no sense for customers. Such bundles from Network Associates and Platinum Technologies can't offer the best product in every category, he said. Customers should buy the best, not the bundles.

3. Security as an enabler, not a barrier.
Today, Internet security is designed to keep bad guys out. But next-generation security will enable connections between companies and customers, letting the right people see the right information. Countless vendors hit the same refrain: Internet security will boost e-commerce.

4. End-to-end solutions
Two giants, IBM and Hewlett-Packard used the show to outline their enterprise security strategies. The message: Big companies like to work with a single vendor who can take care of all their security needs. The HP and IBM approaches differ significantly, but both are telling a full security story.

IBM is integrating technologies from other vendors in addition to offering its own, seeking to move beyond single "point products" to an enterprise-wide approach. HP, which has been slow to pull together its security strategy, is likewise telling CIOs they can get everything they need by working with HP. Both giants see consulting services and integration as key elements of their offerings.

5. Intel validates the market
Intel's announcement that it will build security into its chips and other core PC components had a huge impact. It will hurt some security vendors by making their offerings less relevant. If it's in the chip, why bother with some flavors of security software?

"Without support from major vendors like Intel, security has been an add-on product," said Gartner Group analyst Rebecca Duncan, who called Intel's announcement a "strong move." To be fair, Intel has had a security vision for several years. Its Common Data Security Architecture or CDSA is one of about three important security "frameworks." Microsoft's Crypto API is another, and David Thompson, general manager of Microsoft's security unit, extolled its virtues in an RSA keynote.

6. Security moves into hardware
Consistent with Intel's announcement, the conference highlighted the emerging role of hardware vendors. Security experts consider hardware-based security far stronger than software, which can be hacked.

Security hardware firms have been around for years making security tokens, smart cards, encryption chips, crypto accelerator boards, etc. Cryptography requires some serious number-crunching, which can slow down the main processor of computers--hence the budding popularity of special chips to handle the crypto.

7. Digital certificates blossom into PKIs
True to the pre-RSA hype this year, public key infrastructure, or PKI, was a dominant theme, with more than a dozen announcements. PKI is the software that issues, renews, revokes, and otherwise manages digital IDs. It used to be called certificate authority software.

Furthermore, the PKI industry is proliferating new authorities. ValiCert and others successfully pitched themselves at RSA as a "validation authority" or VA, a specialist in verifying whether a digital certificate is still valid. Another company hyped itself as an AA or "authorization authority."

8. Washington, D.C., comes to Silicon Valley
Americans for Computer Privacy called a press conference at RSA to communicate its optimistic view that progress is possible in '99 on the encryption-export issue. RSA is a natural venue for that rallying cry, of course, with many libertarian cryptographers and the generally anti-regulation crowd in attendance. In addition, RSA's crypto-cracking contest [a record 22 hours and 15 minutes to decode a message encrypted with a 56-bit DES key] is designed to make U.S. government policy look ridiculous.

But ACP admitted another reason for bringing its inside-the-Beltway message to the RSA conference: Washington is focused on impeachment, so not much could be done there anyway.

9. Security as insurance
It's not an obvious link, but the insurance industry is developing an Internet security adjunct. Internet security is about managing risks--and so is insurance. With insurance, you take steps to reduce risk ]of catastrophic illness or hacker break-ins), and then you pay an insurance company to cover the rest of the risk in case something happens.

The insurance folks are beginning to show up at RSA, and a number of offerings in the next year will add insurance components. Hacker insurance that protects a company against loss from a hostile attack is already available, and new forms of insurance are coming too.

10. RSA--killer crypto brand?
For two years now, RSA has been a subsidiary of Security Dynamics, a sort of old-line information security company. The problem: Among computer users, RSA is far better known the Security Dynamics, which is often referred to as SDTI, its stock ticker symbol.

RSA or SDTI? How to brand the company has been discussed internally on and off virtually since the acquisition deal was done. The talk has now bubbled up again and probably won't go away as long as the RSA conference continues to grow in importance. A suggestion: How about RSA Security? Lay the issue to rest, RSA.