RSA Conference 2001 Report
Facts
This year's RSA Conference was held in the Moscone Center, San Francisco. The conference started April 8th and ended April 12th.
According to the organizer, 10'000 participants were present. We would estimate a maximum of 6000-7000, approximately the same attendance as last year. There were fewer non-US visitors present, the focus being more on North America. This could have been caused by the new RSA conferences in Europe and in Asia. For the first time there was a German delegation, presenting the German security industry at the exhibition.
The conference included 12! parallel tracks and additional general sessions in the afternoon. The RSA conference continues to be the most important security conference worldwide.
The exhibition also hosted a record number of vendors, approximately 250. Some companies will have to prove that they can establish themselves in the security market; others will have to struggle as they show no specific core competence and/or strategy. It seems obvious that several companies got venture capital before the great Nasdaq downturn started. Sponsoring was less visible than last year, with some companies obviously reducing their marketing budgets.
Three receptions were included; the biggest was the nCipher gala, which took place at the California Academy of Sciences.
General Trends
The following trends could be identified. Six topics will dominate the industry in the near future:
a) PKI Enabled Services and Applications
b) Managed security services
c) Intrusion detection systems (IDS)
d) Secure E-mail delivery services
e) Privacy
f) Wireless security.
PKI Enabled Services and Applications
Gartner presented their PKI hype cycle. The hype cycle basically describes the evolution of a new technology, starting with a hype after a short starting period. According to Gartner, the peak was reached in 1999. After this, demand sank to rock-bottom levels and is now growing again. We see the same development, but only for in-house PKIs. We do not agree on the overall PKI trend. In our opinion, there was no explicit hype cycle, but a continuous slow demand for certificate-based services. This includes internal and external services. Future developments will show which players will survive. But it was obvious that the "old" PKI companies were less present than in earlier shows. Although they still got a lot of sessions, the focus is obviously shifting to applications (for a comprehensive report on PKI, see our PKI update).
Managed security services
Outsourced services were a hot topic at the conference. This includes not only PKI services but also other services like Intrusion Detection (Managed Security Services). We assume that outsourcing security services will also become a more present business in Europe. However, this will happen in a reduced form and only for a specific group of customers.
Intrusion detection systems (IDS)
IDS was probably the most heard expression at the conference. Several vendors are trying to sell solutions in this area. This includes not only products but also services for continuous surveillance. An IDS is only as good as the people behind it: they must know their area of responsibility and be aware of the risks involved.
Secure E-mail delivery services
Many vendors tried to sell their secure e-mail solutions. This is a tough field in general, as competition is everywhere and good products are scarce. Low-cost solutions with minimal authentication offer cost-effective, but not very secure, conditions. Basically, these solutions have an intermediary in between that stores the data until the user retrieves it. Once it is retrieved, the message will be deleted and the intermediary does not have access to the data. Such implementations have the advantage that an intermediate server could perform some content scanning on the secured messages, controlled by centralized policies. Most of these systems are still in their primary stage of development. Whether the intermediary model will have success is questionable. This would increase cost in a system that was planned to be cost-efficient.
Privacy
Privacy has become an important issue in the US. Basically, the US tends to solve the problem technically wherever possible. Some interesting solutions were shown. Many will not make it into the real market, but some products have a high potential to succeed. The political situation seems unclear. Although President Bush has announced strong privacy rules in the healthcare sector, this could be a sign to the other industries saying that they were not in danger of getting the same regulations. However, this is mere speculation.
Wireless security
It seems that the main cellular phone manufacturers have agreed on using two chips in the next generation of mobile phones (SIM and WAP Identity Module (WIM)). We can also assume that all future identification services requiring a high grade of authenticity will be based on digital signatures. This is the current strategy of Nokia, the most important driver in the standardization group. This will imply that the carriers must install PKI systems for carriers (this was announced by Entrust and Nokia in March). However, the main issues are unresolved, e.g. whether the banks will be willing to give away some of their information to third parties (carriers!). The two-chip approach could solve this issue.
Overall Conference Program Evaluation
The RSA conference has shown that it is still THE No. 1 IT security event worldwide. Although other security conferences try to get pieces of the cake, there seems little concern that this could happen. For people who want to know what products and companies are on the market, this conference is still a MUST.
Compared to last year, many sessions were not detailed enough, sometimes only touching on the basics. This should not happen, as the audience is an IT security literate group. Some (bad) speakers had several sessions; this is hard to understand, as we heard that there were approximately 800 papers proposed for the conference.
© Bruno Wildhaber, 2001