        Reporter's Notebook: Cloud Security a Key Focus at RSA
        Vendors showcase how they are addressing the issue; experts explore role security might play as services evolve
        
        
        
		Concerns about the security  implications of evolving cloud computing technologies dominated last week's annual  RSA Conference.  
With many viewing security as a  major barrier to adoption of cloud-based services, key vendors used last week's  event to showcase how they are addressing the issue while experts explored the role security might play as these services evolve. 
Cloud computing might magnify common desktop security problems, at least in the short term, said Adi  Shamir, professor of mathematics and computer science at Israel's Weizmann  Institute of Science. Shamir was among a group of security pundits who debated the  role of security in cloud computing during the highly visible Cryptographer's  Panel. Shamir worried that a virus, which would be an annoyance on a desktop  machine, for example, could be catastrophic in hosted computing environments. 
Bruce Schneier, chief security  technology officer at BT Counterpane, argued there are few fundamental differences between cloud computing and the client-server model. But Ronald Rivest, a professor of computer  science at MIT, said that he expects cloud computing to become "a focal  point in our work in security." He added, "I'm optimistic about cloud  computing, but I think a lot of us have hard work to do." 
A slew of vendors have launched new technologies and services to address some of cloud computing's security concerns. Cisco rolled out its new Cisco Security Cloud Services, a SaaS offering designed to connect services from multiple networks and applications to integrate security in the cloud with enterprise network security. Part of Cisco's "Collaborate with Confidence" initiative, the cloud security services include a botnet filter and a host-based intrusion prevention system (IPS). "The only way you can solve this [security problem] is through an architectural approach," said Cisco CEO John Chambers in a keynote address.
IBM released security offerings for the cloud based on studies from its X-Force  security research group on global criminal organizations. The  company introduced its new virtual appliance, the Proventia Virtualized  Network Security Platform, which consolidates an IPS, Web app protection and  network policy enforcement into a single service. Big Blue also added malware  scanning capabilities to its Rational AppScan scanning and testing software,  which performs Web site scanning and testing for embedded malware and malicious  content. 
Long-time security services  provider Savvis unveiled a  new managed Web application firewall (WAF) service that runs on its Cloud  Compute offering. The Missouri-based provider of co-location and dedicated  hosting services claims to be one of the first to offer WAF technology as a  service (WAF has been available for about two years in hardware and software).  According to Chris Richter, Savvis' vice president of security services, about 80 percent of  his company's customers are looking to a WAF because it's now a requirement of the Payment Card Industry's Data Security Standard. 
RSA Adds New Tools
For software developers, the big news at this year's conference came from event sponsor RSA (a division of EMC), which announced that it is making it easier to access tools for building security into apps from the outset. The company launched the RSA Share Project, an effort combining the RSA BSAFE encryption tools for C++ and Java into a free toolkit. RSA Share also includes online support in the form of a developer community, according to RSA President Art Coviello in his keynote address. The RSA Share Project invites developers "to participate in an online community with some of the greatest minds in cryptography," he said.
According to the company, BSAFE Share  toolkits are interoperable with existing products based on BSAFE encryption.  Those products range from standalone software applications to browsers to  gaming systems. RSA is offering a $10,000 reward  for the developer who devises "the most creative and practical use"  of BSAFE encryption in a Web-based application. The contest runs until May 20. Interested  developers can enter on the RSA Share Project community Web site. 
Microsoft disclosed a partnership  with RSA/EMC to integrate RSA Information Rights Management Services (IRM)  with data loss protection technology in Microsoft's SharePoint platform. The RSA  Solution for SharePoint addresses various security issues that often come up in  large SharePoint shops, Microsoft said.
"One of the challenges with  IRM is that it works well within an organization, but not across organizational  boundaries," said Scott Charney, vice president of Microsoft's Trustworthy Computing group, in  a keynote presentation. "By doing this partnership with  EMC, we take the capabilities of IRM and go cross-boundary."  
A key component of the new  solution is the RSA Secure View tool for SharePoint, which the  company said provides a hierarchical view of SharePoint environments, from  servers to files, and access control data. The result, Microsoft said, is a  simpler process for determining where sensitive data resides in any given  SharePoint environment, which can be used as a tool for assessing risk, among  other things. The two companies had banded together last year to integrate RSA's  Data Loss Prevention (DLP) classification with the Microsoft IT platform and "future  information-protection products."
Charney also talked up some of Microsoft's  key security initiatives, providing an update on the company's open identity  platform project, code-named "Geneva," which the company says will be a key component in enabling its own Azure  cloud services. One aspect of the platform of particular interest to developers  is an included framework for building .NET applications designed to evaluate digital  token claims and a server-based digital token service. 
"The way we do identity  today is completely flawed," Charney said. "I go to a Web site, they challenge  me for some personal information -- a Social Security number, date of birth,  mother's maiden name. They validate that information and then they give me a  credential. Of course, those secrets aren't secret at all. Yet that's the way  we've done identity on the Internet." 
He also outlined the security features coming in Windows 7, which will include support for Trusted Platform Modules (TPMs) that support hardware-based encryption, such as the Windows BitLocker Drive Encryption, AppLocker and DirectAccess. Microsoft continued to describe new security features in Windows 7 as reported Monday.

About the Author

John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].