13th Infosecurity Europe show off to a cracking start
The 2008 Infosecurity Europe show opened on Tuesday at Kensington Olympia in London. Among the more than 320 exhibitors, 34 offer anti-virus products, 41 offer anti-spam products and 69 specialise in application security, the three areas that have most recently caught the public eye. By far the largest single service sector represented, however, turns out to be compliance, with 109 vendors offering services and products.
The seminar programme started with a keynote review of the 2008 Information Security Breaches Survey, prepared by Price Waterhouse Coopers on behalf of the Department for Business, Enterprise and Regulatory Reform (BERR, formerly the DTI). Overall, the security picture seems to have improved, with awareness at senior level on the rise, but there are still big discrepancies between expectations and deliverables. It was emphasised that trust is a critical component in reducing this gap. Gerry O'Neill, CEO of the Institute of Information Security Professionals (IISP), told heise online that although trust is not a control in its own right, it is an essential component of information security and is gained fundamentally through social and process measures.
This position was largely confirmed in a SANS Institute keynote entitled "Five Keys to Effective Application Security and Secure Coding", at which five blue-chip software delivery professionals discussed a seldom-aired topic: ways to improve the security standards of web application developers' output. They all stressed the need for whole-lifecycle security validation, excellent communication and relations between front line developers and software specifiers and procurers, and for strong incentives to developers, including, in one panellist's experience, provision of specialist training and certification to staff about to embark on major projects.
A Jericho Forum mini-conference turned out to be a lively event. Amid much debate, evidence was provided that several corporations are already well on the way to operational deperimeterisation, countering the long-voiced claim that the Jericho model is merely hypothetical. Some details were broadly outlined, offering a view of an architecture based on distributed, intrinsically secured web services coupled by secure communication protocols across the internet and capable of authenticating users and data requests before granting access to the service. Ultimately, it appears that the controlling hub of the corporate network should cease to be necessary. However, the debate ranged widely. Much attention was paid to data classification, and numerous examples of the pitfalls were offered. The concept of information ownership and classification by notional owners was challenged as being primarily appropriate to structured data. It was pointed out that, as an increasing proportion of business information is now unstructured, inconsistencies are impossible to manage when every member of staff classifies their own data using their own criteria. On a lighter note, a delegate mentioned that NATO has some 13 networks in Afghanistan that are mutually segregated for reasons of classification. The intercommunication problem is apparently solved by suspending a USB stick on a piece of elastic between the segregated terminals.
The rest of the show and seminar programme promises to be equally interesting, not least a session on risk led by Howard Schmidt tomorrow (Wednesday) lunchtime and a mock trial of A.N. Corporation for data leakage from their web site (Thursday, 12.45).