Overall, the conversations at RSA have been more focused this year than last. Most people came asking project focused questions. The most popular was two factor, of course. Many asked about auditing, some about SSO and the rest asked about controlling directory content and delegation for SoD. So I’ve been talking a lot about Defender, InTrust, Authentication Services and ActiveRoles Server, respectively. It also seems like there are more senior people here this year. Many titles with director, VP and executive in them are speaking to us. I think it’s a sign of how much more seriously identity and security are being taken now.
The biggest a-ha moment for me so far was sitting in the IDC breakfast yesterday. Sally Hudson from IDC was talking about the penetration of identity and access management technologies into applications. She mentioned how most of the technologies, SSO, TFA, etc, were not new but were only now starting to become part of the majority of applications. What occurred to me was only now is identity technology getting to the point where applications can easily consume its services. Pieces that are easy to use have great penetration, which accounts for the success of LDAP and products like Site Minder. But for more advanced identity that incorporates federation capabilities, provisioning integration, fine grained access control and other advanced functions, it’s only now that we’re seeing technologies deliver. And it’s not that applications don’t do these things now. Applications that need to federate do, applications that need access control have it. Those services are built on demand and typically without COTS help, though. With the rise of standards and the maturity of application ready toolkits and protocols, now the application teams themselves and business groups they aim to please are thinking about these things as features they would like to have for any application not just stuff with identified, immediate needs. My experience is that when the applications want it, that’s when the market is real. That time may have finally come.
Another cool thing for me was meeting some of our partners face to face. Especially cool was getting a new visual aid from our friends at NagraID Security. I’ve been pushing the idea of multi-function multi-facto devices for a long time. Now I have a working one to use as a visual aid in meetings. It has a smart card chip, OTP capabilities by pressing a button on the front, a picture printed and two different scan spots (barcode and box). I can’t wait to break it out in my next meeting with a client. I’ve already been showing it off on the show floor.
The coolest stuff I saw on the show floor at RSA:
1. Validus had an OTP card with a biometric built in all in the credit card form factor (http://validustech.com/index.cfm)
2. Aveksa, hiding out in the Novell booth, had a very slick entitlement audit and role management system with a nice demo (http://www.aveksa.com/)
3. The NSA had a booth and was giving away an awesome cipher game book. My daughter and I will be hacking away at that for a while, I’m sure.
4. Not technically on the show floor, but I got a chance to sit with someone from Bitarmor and they made me think encryption at rest could really be viable (http://www.bitarmor.com/)
5. Arcsight was giving away a smart car. And I thought our $5000 prize was big!