I spent several days in San Francisco on my annual pilgrimage to the RSA security conference.<\/p>\n
![](\"http:\/\/zapt2.staticworld.net\/images\/article\/2017\/02\/rsa_conference_2017-100710656-large.3x2.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Mathias Thurman| Date: Mon, 27 Feb 2017 04:23:00 -0800<\/strong><\/p>\n I spent several days in San Francisco on my annual pilgrimage to the RSA security conference.<\/p>\n At issue:<\/strong> Another year, another RSA security conference.<\/p>\n Action plan:<\/strong> Spend time with vendors and colleagues while investigating the best ways to mature the company\u2019s security program.<\/p>\n This year, I attended a few sessions related to cloud security, privacy and compliance, since my world these days is consumed with enhancing the security of our cloud platform and addressing the never-ending burden of maintaining compliance with the likes of PCI, SSAE 16, SOC 2 and HIPAA, and the recent changes related to Privacy Shield, which is the replacement for the European Union\u2019s Safe Harbor.<\/p>\n Of course the RSA conference wouldn\u2019t be complete without spending quality time with colleagues and friends at the myriad lunch events and evening parties. We talked about the convenience of having access to so many vendors \u2014 two huge expo floors, with some vendors on both. It\u2019s definitely my preferred way of interacting with vendors. Some of the ones I talked to offer technology I was interested in and some have technology I have already deployed. RSA gives me a chance to discuss challenges or get face time with knowledgeable engineers.<\/p>\n In my office, if I\u2019m interested in a technology, I typically have to set aside an hour for an office visit or online meeting. The first 15 minutes are usually gobbled up by logistics such as getting the representatives badged in, escorting them to the conference room and connecting with the remote people. Murphy\u2019s Law usually applies, and folks get lost or there are remote setup problems. Then, you need 10 minutes for all the introductions. That\u2019s followed by 15 minutes of marketing slides. So we have about 20 minutes left, and so far nothing of value. Finally, we might get a meaningful demo and a discussion about architecture. Most meetings end with me wishing I had been able to ask more questions.<\/p>\n At RSA, the formalities are tossed and you can jump right in, asking about the things you most want to know about. After a few short hours on the floor, six or seven vendors have given me a wealth of information and I have leads on several technologies I might be interested in moving forward with, as well as answers to questions about technologies I have already deployed.<\/p>\n This year I spent time with vendors that offer CASB (cloud access security broker) technology, which would let us extend and apply our security policies to the many SaaS-based cloud applications we use. Also intriguing was a tool that could help our operations team with behavior monitoring of privileged access to our production infrastructure. Another company of interest offers a way to very easily manage the security configurations of our critical infrastructure, although for now I will just be keeping tabs on its progress, because it doesn\u2019t yet work with many of the primary devices and operating systems we use. Until that shortcoming is eliminated, I\u2019ll continue to manage cumbersome XML-based policy files.<\/p>\n At the evening events, my colleagues and I shared thoughts on security strategy and opinions on what works and what doesn\u2019t. Those discussions are a good way to validate that my security program is on track and a reminder that I\u2019m not the only one with frustrations and problems. (In the case of our yearly PCI audit, our problems related to the auditors\u2019 interpretation of some of the controls are paltry compared with what some colleagues are going through.)<\/p>\n Back in the office, I passed out the swag I had collected on the expo floor. Now I need to schedule some follow-up meetings with the most promising vendors and get back to maturing my security program.<\/p>\n This week’s journal is written by a real security manager,\u00a0“Mathias Thurman,”<\/strong>\u00a0whose name and employer have been disguised for obvious reasons. Contact him at\u00a0mathias_thurman@yahoo.com<\/a>.<\/em><\/p>\n Click\u00a0here<\/a>\u00a0for more security articles.<\/strong><\/p>\n