Identity gets its official debut at RSA
Hacks, espionage, inside jobs, viruses, malware, cybercrime, data loss, denial of service, hostile intrusions are but a few of the reasons last week's RSA Conference saw a record crowd of nearly 25,000.
And thanks to mobile devices and clouds, this pit of eternal uneasiness, which is companion to every security professional, is getting deeper.
Art Coviello, executive vice president of EMC and executive chairman of RSA, opened the conference with a keynote on how big data will shrink the pit: how it will provide a wealth of information that can be sliced, diced, analyzed and shared to fuel intelligence-based security systems.
Maybe.
National, state and local government security agencies and police forces have toyed with the benefits of sharing data for years - but have been unable to do it with any consistency, effectiveness or trust.
I talked to a few security architects who questioned big data analytics and security, especially when Coviello talked about a shared data architecture - not only across systems, but across domains.
One just shook his head and said, "that won't happen in our environment." The concept is actually sound: analyze, adjust, protect. Coviello said those steps would put the white hats out in front of the black hats.
But the jury is out until the concept gets into the details and is compared to IT realities.
After Coviello spoke, the notion of a different perimeter entirely was on stage in RSA's first-ever dedicated identity and access management track.
In the "Emerging Conflicts in the Identity Space" session, Michael Barrett, CISO at PayPal; Chuck Mortimore, vice president of product management at Salesforce.com; Eric Sachs, group product manager for identity at Google; and Ping Identity CEO Andre Durand exposed the sharp corners of today's IAM landscape. (Read my Tweet "transcript" of the entire session).
One agreement among the panelists was that identity must be able to move across boundaries, using tokens, attribute exchange or other methods.
Mortimore said identity needs to take over as a new perimeter, "but our corporate identities are behind our perimeters and not ready for the cloud."
"Everything is crossing boundaries and identity has to follow across those boundaries," said Durand. "Third-party identifiers need to be trusted by the organization."
These concepts will indeed face scrutiny, but judging by the size of the audiences in the identity tracks I attended, there seems to be a willing contingent ready to give it a go.
The trust element of the discussion came up in the "Trust Frameworks: Alternative Approaches to Achieve the Panacea" session, where the panel talked about trust in the context of crossing boundaries.
"There is a real need here," said Tom Smedinghoff, a partner in the Chicago law firm Edwards Wildman Palmer, and an expert in information law and electronic business activities. "Unless we can interoperate across jurisdictions, we might not accomplish much."
In Europe, the EU's Stork Project is trying to bring countries together to build a unifying trust framework, said panelist Ioannis Krontiris, senior researcher at Goethe University in Frankfurt, Germany.
Another burning conversation I heard from both sides was on the National Strategy for Trusted Identities in Cyberspace (NSTIC). The wheels must be turning because the critics are out.
Much of the criticism focuses on the absence of players such as Google, Facebook, Twitter and Microsoft, which today function as de facto identity providers but are not officially behind NSTIC. An identity architect from one of those big four told me there are still no plans to get involved in a meaningful way.
A panel of NSTIC participants provided their own version of progress, detailing efforts within its steering group, management councils and working groups.
"This is the best chance yet to get identity at scale," said Brett McDowell, the Identity Ecosystem Steering Group's Management Council Chair and senior manager of ecosystem security at PayPal. "Get involved."
In his keynote, "Making a Case for Security Optimism," Scott Charney, corporate vice president for trustworthy computing at Microsoft, characterized identity as a chicken-and-egg problem. "It's hard to get consumers to get identity, when no (online) merchants are asking for them," he said.
He lamented the lack of identity market drivers because "we know how to do the technology."
From RSA's main stage, Charney noted NSTIC's effort to build an identity "ecosystem," and acknowledged it might be a catalyst to finally align interested parties and break the logjam.
"We are coming to more robust identities and then it's up the stack we go."
Hopefully.