Security Manager’s Journal
Getting Validation at RSA
The annual conference offers a chance to compare notes with other security professionals.
At issue: You can’t attend the annual RSA Conference without
Action plan: Enter the conference armed with questions on BYOD, mobility and the cloud.
MY MECCA is the RSA Conference, which this year was held the last week of February in San Francisco. Every year, this conference lets me meet up with past bosses, colleagues, schoolmates and other security-minded folks. We catch up on a personal level and freely discuss any and all security topics. I also enjoy having all the vendors — major as well as up-and-coming — in one spot. And the various breakout sessions and keynote talks teach me something new or, even better, validate my security program and priorities.
RSA can be overwhelming if you don’t plan ahead. Every year, I look for interesting breakout sessions and list the vendors I’d like to meet with. And I enter the conference with a focus on several pressing issues.
This year, the first issue was BYOD. My CIO wants the IT department to let employees use their own devices for business. I’ve had misgivings about this from the beginning, and the consensus that emerged from several sessions, meetings with vendors and discussions with other professionals was that BYOD is not sustainable. There are just too many problems that an IT department with strained resources has to handle: support, compatibility with existing infrastructure, the danger of losing intellectual property and the difficulty of securing the devices. Technologies like virtual desktops can help enable BYOD, but at the end of the day, most of us security folks are shying away from this trend — at least for the moment.
proach and cut off these riskier tactics.
Then there’s cloud computing. My company is deploying single sign-on for cloud applications. It’s very convenient, of course: You just enter your credentials one time and voilà — you have seamless access to dozens of corporate and personal applications. At RSA, I quickly found out that I’m not alone in my view that this convenience is fraught with peril. Say an employee’s credentials are compromised by a keylogger on an untrusted kiosk; his corporate and personal life is compromised as well. Two-factor authentication would help, but it’s not universal yet, and some vendors have a sketchy idea of what is needed in two-factor authentication, which should be in the form of a one-time password containing something you have and something you know. For example, one company requires a username, a password and a single security question and calls that two-factor. Sorry, but no. A keylogger can grab all of that.
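The replay argument above, as an added example that is not part of the column: a password-plus-security-question login beside a password-plus-TOTP login (RFC 4226/6238 style), each given a set of credentials that a keylogger observed once and then replayed. The seed, password and answer are made-up sample values, and the verifier is a minimal illustration rather than any vendor’s product.

```python
import hashlib
import hmac
import struct

# Constructed sample secrets for this demonstration (not from the column).
PASSWORD = "correct horse battery"      # something you know
SECURITY_ANSWER = "fluffy"              # also something you know
DEVICE_SEED = b"12345678901234567890"   # something you have (the token's seed)
STEP = 30                               # TOTP time step in seconds

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def login_password_question(password, answer):
    """The scheme the column rejects: two static 'something you know' secrets."""
    return hmac.compare_digest(password, PASSWORD) and hmac.compare_digest(answer, SECURITY_ANSWER)

class OtpVerifier:
    """Password plus RFC 6238 TOTP; each counter value can be redeemed only once."""
    def __init__(self):
        self.used_counters = set()

    def login(self, password, code, now):
        if not hmac.compare_digest(password, PASSWORD):
            return False
        current = now // STEP
        for counter in (current - 1, current, current + 1):  # tolerate one step of drift
            if counter not in self.used_counters and hmac.compare_digest(hotp(DEVICE_SEED, counter), code):
                self.used_counters.add(counter)  # burn the code after one successful use
                return True
        return False

def replay_static():
    """Keylogged password+answer: the genuine login, then an attacker's replay."""
    captured = (PASSWORD, SECURITY_ANSWER)
    return login_password_question(*captured), login_password_question(*captured)

def replay_otp(t0=1_700_000_000):
    """Keylogged password+OTP: genuine login, replay 5 s later, replay an hour later."""
    verifier = OtpVerifier()
    captured = (PASSWORD, hotp(DEVICE_SEED, t0 // STEP))  # TOTP = HOTP(clock // STEP)
    return (verifier.login(*captured, now=t0),
            verifier.login(*captured, now=t0 + 5),
            verifier.login(*captured, now=t0 + 3600))
```

The static pair logs in every time it is replayed, while the captured one-time code is rejected both within its 30-second window (already redeemed) and afterwards (window expired).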
Speaking of the cloud, I talked to a lot of people about my new policy of locking down Salesforce.com, and almost all of them agreed that access to software-as-a-service applications that contain sensitive corporate data should be restricted by IP address. So, more validation!
Another thing I looked into was security-awareness training. One company that piqued my interest was Green Idea, which has created some entertaining, security-related screen savers.
Now I’m back in the office with a fresh supply of vendor-branded pens, but also a lot of brochures and business cards that should help me continue to raise the security bar for my company.
This week’s journal is written by a real security manager, “Mathias Thurman,” whose name and employer have been disguised for obvious reasons. Contact him at mathias_