This morning, I’m attending the gtsi Let’s talk security conference (part of their Technology Leadership Series) down at the Reagan building. It’s supposed to be about securing the datacenter, with speakers from Sun (although, I suppose it’s Oracle now), Cisco, gtsi (natch) and NRC. Details after the jump.

As it turns out, this is the third year of the series. I don’t know if I had heard of the series before, but I’ll try to keep an eye out for future ones. However, if the attendance of this morning is any indication, gtsi was expecting about twice as many people to show up as actually came.

Paul Tatum from Sun was up first. Some of the highlights:

  • Sun lives and breathes the ISO 27002 standard for securing their client systems.
  • When evaluating security, look at the 4 “P’s”:
    • Policy
    • Process
    • People
    • Products
  • Look to thin clients to eliminate the desktop as an issue. Sun pushes SunRay, which seems to me to be a descendant of the old Citrix, with all the good and bad associated with that. I’m still dubious of the value proposition.
  • About 85% of Fortune 500 companies are using some sort of Open Source in their enterprise.
    • The security argument with Open Source is basically “security through inspection,” which is a general restatement of Eric Raymond’s comment that with enough eyes, all bugs are shallow.
    • The cost of owning Open Source is about ten cents on the dollar when compared to proprietary software (with regards to licensing & maintenance).
    • I won a book by getting closest to a security related question (which I’ll post later when the slides are made available).

Stephen Reed from Cisco went next. His highlights:

  • Most of Stephen’s time was spent on the Self Defending Network.
    • The upshot of this was embedding security into the fabric of the network.
    • Security becomes a service within the substrate of the network instead of a layer tacked on to the network.
    • Cisco claims a reduction in operating expense (or OPEX) by 30-40%
  • Cisco is pushing for a centralized security policy repository containing both privileges/roles and audit — but not authentication and/or provisioning. This also further builds on the idea of security as a service.
  • After the purchase of IronPort, Cisco is using SenderBase as a way of validating acceptable content without inspecting the content itself.
    • Supposedly, SenderBase is a white/black list compiled by a group of experts. However, I cannot find any of my personal domains listed in the database one way or the other, and the only domain from all of my current and former employers in SenderBase is Oracle. Decide for yourself, but that doesn’t fill me with confidence about the service.
    • Stephen talked about a way to appeal your status if you believe yourself to be miscategorized as a “bad” sender of email. I did some poking around looking for ways to appeal, and I didn’t see much of anything.
  • Stephen was recommending looking at the Open Web Application Security Project (or OWASP) as both a quality reference and a repository of guidelines that Cisco uses — in particular the Testing Project. Cisco is implementing this in their Web Application Firewall, which inspects the data stream at layer 7. A secondary benefit is support for virtual application patching, which Cisco defines as preventing things like buffer overruns at the network layer, for example by refusing to forward data that exceeds the boundaries of individual fields within the web page.
  • Some trivia:
    • The majority of business transactions occur over ports 25, 80 & 443, which is a departure from the old way of registering new port numbers for a specific transmission type.
    • Spam traffic increases approximately 18% per month.
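The “virtual patching” idea from the Cisco talk above is simple enough to show in a few lines. The following is an added illustration, not code from the talk or from Cisco’s product: a layer‑7 check that parses a URL‑encoded POST body and refuses any request whose fields exceed a per‑field byte limit, so an application with a known overflow on, say, a username field never receives the oversized input. The form, field names and limits are assumed for the example; in practice they would come from the vulnerable application’s own specification.

```python
"""Per-field length enforcement, the core of a layer-7 "virtual patch".

Added example, not from the original post or from any vendor product.
The policy and request bodies below are constructed for illustration.
"""
from urllib.parse import parse_qsl

# Hypothetical policy for one form: field name -> maximum length in bytes
# as received by the application (i.e. after percent-decoding).
LOGIN_FORM_POLICY = {"username": 64, "password": 128, "remember": 1}


def check_form_body(body: bytes, policy: dict, allow_unknown: bool = False) -> list:
    """Return a list of policy violations; an empty list means the request may pass.

    The body is decoded the same way the backend would decode it, so the
    length compared against the limit is the length the application sees,
    not the on-the-wire length of the percent-encoded form.
    """
    violations = []
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        # A filter that cannot parse the body cannot make a decision; fail closed.
        return ["body is not valid UTF-8"]

    for name, value in parse_qsl(text, keep_blank_values=True):
        if name not in policy:
            # Fields the application was never specified to accept are the
            # classic place for an unexpected overflow; drop them by default.
            if not allow_unknown:
                violations.append(f"unexpected field {name!r}")
            continue
        size = len(value.encode("utf-8"))
        if size > policy[name]:
            violations.append(f"field {name!r} is {size} bytes, limit {policy[name]}")
    return violations


def filter_request(body: bytes, policy: dict = LOGIN_FORM_POLICY) -> tuple:
    """Decide for one request: (forward_to_app, reasons)."""
    reasons = check_form_body(body, policy)
    return (len(reasons) == 0, reasons)


if __name__ == "__main__":
    # Constructed sample requests.
    benign = b"username=alice&password=s3cret&remember=1"
    oversized = b"username=" + b"A" * 300 + b"&password=x"
    for sample in (benign, oversized):
        ok, why = filter_request(sample)
        print("FORWARD" if ok else "BLOCK", why)
```

Absent fields are deliberately not treated as violations here; whether a missing field is an error is the application’s business, while the filter’s job is only to keep the oversized and unexpected data from reaching it.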

Representatives from both gtsi & NRC spoke in the second session, but I couldn’t quite hang around for it. gtsi will be posting video and the slides in the near future. When they’re available, I’ll post a link.

— Update —

The presentations are available here.