The RSA Conference has gotten bigger and louder — not just because of the clamoring sounds of tens of thousands of attendees, but also due to the din of construction equipment as San Francisco works to rebuild the Moscone Center. Despite all the noise, this year’s attendees heard a number of key themes reverberating loud and clear throughout the conference as experts shared ideas about where the industry is heading and how security professionals can build strong foundations for the future.
Key Themes From the RSA Conference 2018
This year’s event featured a stronger emphasis on diversity in cybersecurity, a sharper focus on emerging technologies such as the Internet of Things (IoT), and too many captivating insights and discussions to sum up in a single recap. So let’s focus on some of the major highlights. Below are four key takeaways from this year’s RSA Conference.
1. RSA onDemand: The Gift That Keeps on Giving
This year, the conference organizers made a lot more recorded content available online, enabling attendees to catch up on presentations they had to miss. Given the number of concurrent sessions — not to mention the difficulty of navigating around heavy construction machinery — the online recordings certainly came in handy.
2. Promoting Inclusion and Diversity in Cybersecurity
The solid speaking lineup at the crowdsourced counter-show, OURSA (get it?), and the all-female panels at the conference afforded attendees numerous opportunities to learn about underrepresented perspectives in cybersecurity. You can sneak a peek at the entire day’s OURSA activities by watching this video.
3. IoT Goes Mainstream
There were many IoT-related sessions at the conference and connected device vendors on the show floor. In fact, the IoT has gone so mainstream that the Target across the street from the Moscone Center set up a storefront to showcase smart home devices.
4. FIDO2 Announcements Abound
There are now millions of Fast Identity Online (FIDO) clients in the hands of real users. Yubico announced a new USB key that supports the latest extensions, and Microsoft and Google delivered a joint presentation on FIDO2 authentication.
Experts Discuss Cryptography, Blockchain, Leaky Clouds and More
One of the biggest attractions at RSAC is the annual “Cryptographers’ Panel,” which featured two of RSA’s founders and other experts who have actually built cryptographic systems. This year’s session was punctuated by the usual humor but tempered with a dose of reality.
Adi Shamir complained that current academic research is often too mushy and imprecise, while his RSA co-founder, Ron Rivest, asserted that “blockchains can be a very bad database choice for keeping track of voting. It doesn’t matter if it is immutable if your vote isn’t recorded correctly.” During this session, Moxie Marlinspike, the founder of Signal, also noted that “the utopian narratives of connecting the world are coming to an end. The social media tools are now considered weapons when found in the wrong hands.”
Another popular panel featured a collection of experienced SANS teachers who talked about their favorite new attack types. Ed Skoudis explained the difference between having an accurate asset inventory and data inventory, and advised enterprises to appoint a data curator who knows where their data is and how it is distributed. Skoudis also complained about the many high-profile cloud storage data leaks. “When you are putting data in the cloud, you have to keep track of it carefully,” he implored. He also suggested numerous free and automated data discovery tools that organizations can use to improve cloud security.
More Highlights From RSAC 2018
The OURSA speaker lineup was a riveting program. Many of the speakers, including a large contingent of women, talked about very practical security implementations.
Eva Galperin, director of cybersecurity at EFF, led off the day. “If you think you understand what being part of a vulnerable population is, you don’t — not without doing your homework,” she said. Galperin also set the record straight on the common misconception that Tor and Signal are interchangeable.
Ashley Tolbert, who works at Stanford’s Linear Accelerator Center, noted that when she earned her computer science degree, she didn’t have to take any security classes whatsoever. In addition, Kate McKinley, a security engineer at Facebook, spoke about various memory hacking techniques and how to harden code to prevent these incidents.
Kelly Lum, now a security engineer at Spotify, gave an excellent talk about how she rolled out HTTPS certificates when she worked at Tumblr. She described the practical problem of having great crypto without infringing upon customers’ privacy. Elizabeth Zwicky, antispam and delivery engineer at Yahoo, then spoke about the economics of spam, the process of sorting good from bad email, and how she had to consider the wide range of email-enabled clients, including emails sent from copy shop printers and devices designed to help visually impaired users. “Mail is sent in many ways that you don’t expect, and the outliers are from disproportionately underserved communities,” she said.
Finally, I always enjoy listening to cryptography pioneer and IBM special advisor Bruce Schneier, who recorded a podcast with Flashpoint Editorial Director Mike Mimoso at the conference. “Nobody wants you to know how your data is being used, and the more that this debate brings this into the sunlight, the better,” Schneier said. “We are having our personalities dissected in order to sell us stuff. Is this the kind of society we want to build?”
Building a Stronger Foundation for Security
Overall, the RSA Conference 2018 featured a wide range of perspectives, a healthy dose of reality and a strong undercurrent of optimism about the future of cybersecurity. As the construction crews clamored about the Moscone Center, the speakers, vendors and attendees at the conference worked toward building a stronger foundation for security by sharing valuable insights and making solid connections. This exchange of ideas, camaraderie and collaborative spirit is the industry’s most powerful weapon against rapidly evolving cyberthreats.