
I had a bit of a weird moment a few weeks before the RSA Conference. I was grumbling a bit about finishing my slides, which were late due to an agenda change, and my wife just looked at me and asked, “do you remember how excited you were that first year you got to speak?” 

Ah. Perspective.  

I get that some people like to knock on RSAC as being too big or too focused on vendors, but I strongly suspect most of those people don’t look much at the agenda or go to any of the sessions. I have a bit of a different relationship with the conference as someone on the Program Committee who has given dozens of presentations (my record year was 7 sessions and panels… never again), and attended as an analyst, user, and now as a vendor. Yes, I enjoy the social events, but in the end, this is a work conference, and my main goal is to come home with new ideas, relationships, and knowledge that helps me improve professionally. RSAC 2023 did not disappoint.  

The session content this year was incredibly strong. I made new connections with some very smart people, and carved out some quality time with friends and peers to swap the kinds of ideas that inspire me when I head home. Here are some of my key takeaways, which are totally biased around cloud-related topics because that’s what I’ve dedicated the last 12 years of my life to. 

The Content was Strong and Technical 

I was only able to attend a few sessions, but as a Program Committee member I have to review all the sessions in my track (Cloud and Virtualization). I can’t speak for all the tracks, but we ended up with some top-notch content. It’s hard to pick only a few sessions, but these (from my track) really stood out (links to the sessions for those of you with on-demand access): 

Top 10 Ways to Evolve Cloud Native Incident Response Maturity by Sarah Currey and Anna McAbee

Walking on Broken Clouds by Chris Farris

M365 Adversary ROI: Microsoft Cloud Attack Insights by Aaron Turner and David Etue

Cloud Agnostic or Devout? How Cloud Native Security Varies in EKS/AKS/GKE by Brandon Evans

The Hacker’s Guide to Cloud Governance by Me

Economic Headwinds are Real and Security Won’t Escape This Time 

One of the best parts of RSAC is spending time with friends and peers from across the industry. Stick around long enough and the friends from your 20s and 30s are now managers and executives in their 40s and 50s. Survive that long, and you start talking more about economics and less about the vulnerabilities of the day.

It’s clear that many organizations are battening down the financial hatches. Budgets are under more scrutiny, and cloud and security budgets are very high on the list for “optimization”. Much of this is driven by uncertainty; no one is really sure how current economic trends will impact daily operations, but all are trying to minimize costs just to be safe.  

In previous economic downturns, security has tended to avoid the worst cuts. But my suspicion is that the security industry has moved past a primary growth phase, where organizations were still covering the basics with fundamental investments, and now organizations are looking for more cost optimization. This feels especially true in cloud, including security, where spending was less planned or constrained and is now under heavy scrutiny.

I do think this puts cloud security in a rough spot because, in my opinion, we still haven’t matured our foundation, and the reality is that organizations need to spend on people, skills, and tools to secure this still rapidly evolving set of technologies. It’s one reason we released FireMon Cloud Defense Free (totally free, enterprise scale, no strings attached).

AI Didn’t Dominate Because Printers are Slow 

By the time the big AI tsunami of 2023 hit, most of the vendors on the show floor had long since sent their booth designs to the printers. You could walk around the floor and just feel the seething frustration at not being able to prominently display new AI capabilities that are almost ready for development and that look really cool on that napkin, on booth walls, and on branded swag.

AI was a big topic of conversation, but most of the show floor was still stuck on Zero Trust and Attack Surface Management. Look, the lines between a trade show and a fashion show are slimmer than you might think. Every year some trend seems to dominate based on what’s hot in the press. 

I had one of our SEs ask me if I “saw anything new or exciting this year?” After 20 years of RSA I can confidently say I will never see anything new or exciting on the show floor again. Life works in increments, not leaps. Yes, new and exciting things in security do happen, but I hear about them in private conversations or even the occasional session, not on the show floor.

Containers are the Fourth Cloud 

Kubernetes, AKA K8s, AKA Kubes may nearly always be the wrong choice for organizations not named Google, but that doesn’t stop anyone. Kubernetes is very complex to both implement effectively and secure correctly. Bear in mind, I am neither anti-containers nor anti-Kubernetes (we use it a bunch in our free Policy Analyzer tool). But I consistently see organizations increase costs, complexity, and risk by using Kubes when a simpler container option is a better fit, or poorly implementing the technology. 

But after you topple me from my soapbox, it is abundantly clear that Kubernetes is here to stay and is effectively the Fourth Cloud Platform (after AWS, Azure, and GCP) due to scale, complexity, and the deep abstraction. Although I’m more likely to visit Rivendell than see a truly cloud agnostic application, adoption is high, benefits can be found, and Kubernetes is becoming ubiquitous in both datacenters and cloud. Security professionals need to get up to speed, understand the technology, and learn how to secure it. 

Risk-Misaligned Security is a Great Way to Waste Money 

Pro-tip: you don’t need to encrypt everything, you don’t need to apply the same security controls to every single environment, you can let dev teams have sandbox cloud accounts, and changing passwords every 90 days when you have MFA in place is just annoyingly pandering to auditors. 

How does this rant relate to RSAC? 

I saw two things at the show that triggered this observation. The first was the positioning of many products on the show floor. There was no shortage of FUD (and there will never be a shortage of FUD) and if you bought only one product in every represented category you would probably spend more money than someone recently lost buying and breaking a certain social media platform.  

That said, I also had, heard, or overheard plenty of conversations where people were looking for products in categories without aligning them to the actual risk and threat models for their organization in general, and their application stacks in particular. This has been a huge problem in cloud from the start: a focus on solutions before understanding the underlying problem.

You only have $10. What fraction of that do you want to spend encrypting everything in cloud vs. encrypting only the things that matter, using the encryption technique that will stop the threat as defined in the threat model? And what’s left over for IAM defenses, which is maybe/probably the much higher risk?

The RSA Conference has absolutely improved since I started attending over 20 years ago. The content is generally much stronger, the attendees that go to sessions (and not just the show floor) represent the wide range of our profession, and it is absolutely a great opportunity to learn, exchange ideas with your peers, meet with existing partners and check out new vendors. 
