I am attending RSA Conference 2006 in San Jose this week. Here are some of my thoughts during the second day. Let me know if you would like to learn more about any of the topics below, or anything related to Microsoft and security. E-mail me your questions and I will do my best to address them this week. Or, Sound Off! with your own comments at the bottom of the page.
Without the big Bill Gates keynote, one would expect the second day of the RSA conference to be lacking in excitement, but once the fanfare settled down I was able to get back to reality. Those realities come in the form of the upcoming Vista release and the ever-present shadow of patch management.
Federated identity in the enterprise
I've been to quite a few RSA Conferences, and during the keynotes, CEOs of major technology companies stand up on stage and give their opinions on where information security technology is headed. Some, like Cisco's John Chambers, get up there and pitch their products, and others, like Symantec's John Thompson, try to provide a more balanced view of the industry.
Based on my previous experiences with Bill, I put him in the former category: a product pitch. I thought going into the keynote that Microsoft would be selling federated identity "products" that Microsoft is developing. And can you blame me? The last few shows I've been to have coincided with SQL Server 2005's release and the big Vista announcement. Who would have thought Microsoft would speak to the larger issues surrounding identity management, and from an industry perspective rather than their own? I didn't expect it. And, by the way, you shouldn't expect federated identity in the next few years either.
Not that federated identity management is complete science fiction. It most likely will be the future of online commerce -- once the standards are worked out -- and eventually will have a huge impact on the consumer world. Identity management won't have nearly the same impact within an enterprise, though. Tools like smart cards and single sign-on can definitely offer some benefits. And implementing and understanding these technologies in an enterprise environment will help hasten the overall development of the technology.
The good and the evil: Vista, threats, patching
I was briefed by members of Microsoft's Vista product team. First the good news: The only security feature in Vista that won't be usable on a Windows Server 2003 network is NAP (Network Access Protection), which will require Longhorn server. Administrators will be able to use many of the other technologies -- like Windows service hardening, user account level control and application compatibility through redirection. Check out contributor Brien Posey's article on some of these security features next week.
Now for the bad news: Hardware requirements could be an issue. One Vista feature called BitLocker, which performs complete hard drive encryption, will require a fairly modern TPM chip to function properly. One thing the product team couldn't do was narrow Vista's release window. Anytime in the second half of 2006 is the best I could get. There are, though, enough intriguing security advancements that administrators should be ready to at least roll out Vista on any new machines around the beginning of 2007 at the latest.
I talked to more than a few people yesterday who said that tools like Windows Software Update Service (WSUS) are not effective enough for patch management. I expect to see a lot of enterprises turning to third-party patch management solutions. Another trend I expect to materialize this year is the integration of patch management and vulnerability assessment tools. Many companies already do this, but I see it becoming more of a differentiator in the patch management/vulnerability assessment product space.
I mentioned Symantec's CEO John Thompson earlier. Well, he was one of the few speakers during these first couple of days who was willing to stand up on stage and give Microsoft credit for improving the security of Microsoft's operating system, particularly the mitigation of the threats posed by viruses and worms. He pointed out that previous years had seen hundreds of attacks rated at medium-to-high severity. Last year, there were only six, according to Symantec.