Thursday, 10 April 2008

Final dissertation for RSA 2008

No more RSA for me, my last security 'appointment' of the week just finished, dinner with Mike Dahn and Walt Conway at Sam's, just down the road from my hotel. And with friends like these, of course the conversation turned to PCI (after the mandatory bitch about my luggage of course, which still isn't here).

I thought I had been alone in my utter confusion at most of the products on display at RSA this year. Some of them seemed OK, most of them were pretty rubbish to be honest, and all of them purported to be DLP/PCI/GRC or part of a risk management solution. Right. As Rich said in his blog earlier, there was hardly a theme.

The problem seems to be that security got sexy: the guys in sandals became guys in suits, then girls in nurses' uniforms. I have nothing against this, but it shows that where there were once ideas, there is now marketing in force. Once the marketers get involved, everyone has to fight for the same dollars, which become cents, slices of a finite pie.

In a way I'm glad there was no theme. It means that I was right about the market not going anywhere. Maybe security will have a chance to catch up with the marketing now, and then the compliance will get nicely rounded too, and everyone will stop complaining about it. I doubt it though.

Some of the bigger crimes of the conference that we discussed tonight:

The vendor who talked about 'encrypting the PIN' to Walt, who, when corrected ('er, that's PAN'; the primary account number is the cardholder data PCI DSS actually requires to be rendered unreadable), threw a strop and refused to talk any more.

The vendor whom Mike asked about their point-of-sale (POS) protection, who replied that what they were selling was more of an e-commerce solution, like TJX. Mike pointed out that TJX was POS, to which she replied, 'oh yeah, that sort of thing.'

The hundreds of vendors sitting there trying to make one little box do 50 different things, just to get a sniff of a customer, purporting to solve PCI in one fell swoop. THIS CAN'T BE DONE.

And finally, there was some good stuff too:

I heard a rumour that there was a log management vendor saying that they just addressed logs.

I also heard tales of the vendor who only purported to address PCI DSS Requirement 1 (firewall configuration), and nothing else.

I saw products which only addressed one problem, not even a compliance issue, didn't talk about GRC or DLP or TJX or PCI, and did it well. These are the ones you will see at next year's conference.

I was particularly impressed with PKWare, whom I will be representing at InfoSec in a couple of weeks. I love their technology simply because it is simple: it cuts through the marketing bullshit and does what people need, much as their products always have. It's also cheaper and easier to install than anything else I've ever used, and when it comes to encryption, there's not much I haven't used.

So, some of RSA was disappointing, but to be expected. There are still some genuine treasures to be found out there, and the future for them is bright.
