The cloud is huge. Client access devices are small, and they're everywhere. Personal computers are virtual. Access to all of these resources is continual. Control over the world's single most precious information resource - identity - has become a jump ball.
Next week, ReadWriteWeb will be covering the annual RSA security conference in San Francisco. I never attend a conference without an agenda, and no, I'm not talking about the pamphlet and the floor plan. There's an agenda all my own, and it's based on the subject matter that I've discovered you want to know more about.
There are six flashpoint topics that are relevant to this year more than any other. We'll be touching on each of these flashpoints throughout the week on RWW, and at the end, we'll revisit each one and review what we've learned... or whether we ended up with more questions than we started out with.
1. Who or what defines identity for cloud access? With Windows 8 - which may come sooner than you might think - you'll be logging on using something called a Microsoft Account. Apple iPad and iPhone users are already becoming accustomed to the iCloud account, which we can expect will be integrated into the iTunes account scheme. Before long, for you to use any functionality from any device, you will need access, and the thing that you access must either have or discover some way of recognizing you.
Are you prepared for that something to discover you through Facebook? Is that level of trust something you can accept? This will likely be a huge topic of discussion during the colossal four-hour Cloud Security Alliance Summit session on Monday. Business users expect single sign-on. That means the credentials they use to log onto their computers or portable devices must be translatable into credentials recognized by the services they use once they're logged on. Imagine trusting the credential level you use today to log onto your Desktop, applied to your bank account or your company's private network. (And you thought Facebook was dangerous?)
2. The rise of risk management. Because both cloud service providers and their customers have more specific expectations for their service level requirements than ever before, they've been able to state those expectations in service contracts with greater ease. And because businesspeople protect their interests when they're specified in contracts, the insurance industry plays a greater role now.
It is insurance that is compelling enterprises everywhere (including insurance itself) to institute risk management procedures. Every year when you see the ads for a security conference, you expect to see blurbs about the latest vendors for remedial technologies like backup and recovery, disaster management, loss mitigation. Now you're seeing the antithesis: Risk management, when done right, minimizes the need for loss mitigation, and replaces disaster management with disaster avoidance.
3. The decline of endpoint security? "Hardening the endpoints" was a metaphor intended to convey a picture of an armored fortress, a "Helm's Deep," impenetrable from the outside. With transaction models now incorporating cloud services at a rapid rate, suddenly the imperfections in modern endpoint security become clearer. New and more clever security services are demonstrating that it's not only feasible, but preferable, to secure the fortress by stopping malicious activity from ever reaching the endpoint in the first place. And it may be more practical to achieve this through the cloud than anywhere else.
At RSA next week, we expect to see some live demonstrations of cloud-based security in action, though we'll also certainly hear from the endpoint security pioneers, with the latest antivirus, firewalls, and spam blockers, defending the fortress the only way they know how.
4. Can privacy be delivered by technology? It's a question our Joe Brockmeier explored on Thursday, casting a ray of hope for technological methods - especially when compared to the legislative alternative. On the other hand, my interview with the co-creator of P3P revealed that privacy could be more of a psychological concept that technology may only serve to exacerbate - the way the presence of armed guards at an airport makes people feel less secure.
Some still debate whether privacy actually belongs as a subtopic of security in the first place. From the end user's perspective, no one feels truly secure unless she's certain she's not being spied on. The sad fact is that, while technology may have a better chance at delivering privacy than any laws passed by Congress, it has not done so yet, and it's had plenty of chances.
5. Is infrastructure security a joke? With nearly all of computing moving to a service model, and with centralized and virtualized data center resources relying more upon the security of power centers and the integrity of energy infrastructure, is the notion of a "smart grid" really an illusion? As easy as it appeared for someone to don the name of "Anonymous" and shut down the Justice Dept. Web site, could it be just as easy to shut down electric power to the Great Plains?
We don't talk a lot about the macrocosmic elements of technology around here, usually because we're playing with our smartphones. It's the little things that hold our attention, like cute kittens. The nation's energy infrastructure, by comparison, is an unexplored wilderness. We hope to change that fact a bit next week.
6. Could government really lead the way in security architecture? No, seriously? Government?
I'm not talking about Congress, though. The Dept. of Homeland Security is implementing some very clever new policies for rethinking government resources' approach to managing security. Risk management plays a role here as well, but also resilience - employing NASA-like procedures to keep the mission running smoothly even when failures do happen. And the National Security Agency is also implementing some bold initiatives in the field of mobile device security that pick up at the point where Research In Motion stopped moving.
Stay tuned to ReadWriteWeb all next week as we put on our thinking caps, our tinfoil helmets, and our stovepipe hats (hopefully not all at once) and talk to all the world's leading security authorities in the public and private sectors, in the enterprise and in academia.