"Some of the move to real-time compliance is motivated by perceived changes in threat landscape," said Scott Crawford, research director at Enterprise Management Associates Inc., at the conference. "Dealing with threats has become a lot more of a challenge. There's concern about advanced persistent threats, though not quite in the sense of the Air Force's [situational awareness] reference.
"Compliance officers are really wondering what to do," he said. "The issue, however, is that they often aren't taking advantage of what could be done right now, including change management and log management, and then acting on that information."
Buzzword or not, understanding cloud compliance will be an important area for CISOs and CIOs in the year ahead. Scott Charney, corporate vice president of trustworthy computing at Microsoft, observed in his keynote that the requirements for identity management are amplified by cloud computing.
According to Charney, enterprises will need identity management that includes privacy, minimal disclosure and in-person proofing. Microsoft announced that it released its U-Prove algorithms for identity management under an open specification promise, including two reference toolkits under an open source license.
RSA Security Inc., along with Intel Corp. and VMware Inc., unveiled its own proof of concept for creating secure and compliant cloud services.
Social networking security
The explosion of social media in and outside of enterprise environments has presented new security and compliance challenges for enterprise IT professionals. Malcolm Harkins, Intel's CISO, received the Executive Security Action Forum award for "excellence in the field of security practices" for integrating social media securely at his enterprise.
The official adoption of a policy for the secure use of social media at the Department of Defense sheds light on the question many security officers are asking: How do you move from risk avoidance to risk management?
As SearchSecurity.com senior site editor Eric Parizo wrote, social networking threats are putting new pressure on health care CSOs. Allowing access to social networking and Web 2.0 technologies has created new concerns about keeping IT environments secure.
Evolving cybersecurity threats
Rob Westervelt published an article at SearchSecurity.com on security themes to watch at the RSA Conference, focusing on evolving Google attacks, private and public cloud models and critical infrastructure protection. That first topic is central to many conversations, given the wake-up call that the Google Aurora cyberattacks delivered to enterprise security.
Officials from the federal government focused on the need for better private-public partnerships. The FBI is seeking more help from the private sector when it comes to reporting cybercrime. The White House declassified a Comprehensive National Cybersecurity Initiative summary, revealing more information about its cybersecurity initiatives. The Department of Justice urged companies to share data breach information.
Homeland Security Secretary Janet Napolitano challenged the audience to raise awareness, announcing a National Cybersecurity Challenge. "A secure cyberenvironment is as much about people and habits and culture as it is about machines," she said. In the Quadrennial Homeland Security Review, Napolitano said that for the first time, a major mission area will focus on cyberspace. She asked the private sector for help in three areas of IT: automation, interoperability and privacy-enhancing authentication.
Napolitano also said that the DHS is moving to the third phase of "Einstein," a federal intrusion prevention system that will "detect malicious activity and disable it before it does harm."