Reflections on Gartner's Security Conference
I’m just back from attending the Gartner Security Summit in DC. I know several industry folks were there, but for those who weren’t, a few reflections on the conference.
John Pescatore kicked off the event with his “Security 3.0” talk. I didn’t react negatively to that title the way Rothman did. Pescatore was just using the scheme to call out a third era of security: Security 1.0 was the mainframe era, when everything was under lock down; 2.0 was the era in which we were perennially trying to catch security up with user activities; and 3.0 is about trying to get ahead of the game.
What I object to in that title is that it poses the concept as something new – I think most people thinking about security have been trying to “get ahead” rather than “just react” for a while now. That aside, though, I do believe that thinking about what you can do to get security built in, rather than layered on later, is a really helpful exercise. One, you get more security, period – you get it built into the network, the application, the PC, etc.
And two - and here's the really interesting angle - the more you get security “built in” to stuff, the more you can shift capital costs to hit budgets other than the security budget. I love this idea, in large part because we’re seeing it today here at ConSentry with our secure switch. We have customers who have a switch upgrade already on the books. They use that money to upgrade to secure switches instead of plain ol’ vanilla switches and presto – even with no separate NAC or other security line item, they get a massive new security layer built into the edge of the LAN. Another argument for why it’s got to be built right into the infrastructure.
In another session, Gartner analyst Rich Mogull hosted a panel on vulnerability research and ethical disclosure, with Thomas Ptacek, Chris Wysopal, and David Maynor. All three guys had interesting perspectives and experiences to share. I’m not sure the average conference attendee got too much out of it – what these researchers do is usually a bit removed from the average enterprise, even if it shouldn’t be. But having read those guys’ blogs for a while, it made for fun listening. And it was good to meet Ptacek in person – maybe he’ll find another way to call ConSentry “committed” to security now that we’ve met face to face!
The highlight, though, was the Lawrence Orans session on NAC. Parts of it demonstrated the “when you have a hammer, everything looks like a nail” phenomenon – lots of pre-admission focus, which is no surprise given Cisco’s dominance in general and especially within the Gartner client set. But in the entire hour’s talk, he shared just one customer case study – and it was a ConSentry customer! Very, very cool to see our application, and the customer’s need for role-based control, as his one example of an interesting deployment.
All in all, a good two days, especially meeting other bloggers, talking with several of the analysts one-on-one, seeing other industry folks like Richard Stiennon, and best of all chatting with enterprise users in between sessions.
--Michelle McLean
mmclean-at-consentry-dot-com
Nice review, Michelle. Sorry I did not make it down, but we had not gotten a lot out of these in the past. Lawrence usually does a nice job with NAC stuff.
Posted by: ashimmy | June 07, 2007 at 04:32 AM
Great to see you there Michelle! Can't wait for the year Gartner will combine the security and re-born networking conferences!
-Richard
Posted by: Stiennon | June 16, 2007 at 09:07 AM
That was an informative report, particularly to the many of us who couldn't make it to Washington at that time. Keep up the good work.
Posted by: David | April 08, 2008 at 02:25 PM