RSA 2009 in pictures: clouds, side shows and luminaries

by Misha Govshteyn on April 27, 2009

Two things to take away from RSA expo this year: 1) no one is really sure what this cloud computing thing is, but everyone wants a piece and 2) security technology may not be evolving as rapidly as it once was (or at all?), but vendors are no less intent on dazzling the crowds.

While RSA attendance overall was down, the Alert Logic booth seemed to be buzzing. Several weeks ago we did a first public demo of the Log Manager 2.0 beta at the Log Management Summit in DC. The response was so positive that we went further and set up two demo stations running LM2 demos right in the booth on the show floor.

In the midst of the cloud feeding frenzy at RSA this year, we may have been one of the only vendors running live product demos and showing the power of applications designed natively to run in the cloud. Being able to burn through hundreds of millions of log messages in seconds on the trade show floor was a lot of fun. Expect to see even more live demo madness next year.

Is cloud the new hotness?

It’s no surprise that cloud messaging popped up all over the RSA show floor this year. It’s the best way to sell security products since compliance came along to save the security industry from irrelevance and everyone wants a piece. What was surprising is that none of the major cloud providers bothered to show up. Big mistake.

Ignoring the security geeks has major implications for the cloud computing “industry” (I am using the term loosely until the hype dies down a little). Exhibit I: guidance released by Cloud Security Alliance at RSA, which aims to provide a set of recommendations on how to ensure the security of cloud providers in an 83-page document that covers no less than 15 domains.

Cloud Security Alliance briefing at RSA

I had a very cursory look at the document and it’s an impressive effort, with an especially thoughtful definition of the cloud computing space, which is still a major source of confusion even for industry analysts that cover this space (see McKinsey). But it’s also laden with the same type of pitfalls that plagued the First Continental Congress, which succeeded only in preserving the status quo in pre-revolutionary America (really geeky reference, but it fits).

With numerous constituencies and many mouths to feed, the guidelines could have a negative effect on adoption of cloud computing. I am sure this is not the intent of the people who worked on this guide, who appear to genuinely care about cloud adoption, but it’s entirely possible with recommendations such as negotiating a right to audit and insistence on contracts that specify the type of encryption cloud providers must use.

I still need to review the document in depth and I am hopeful that I am wrong, but I am concerned this is a wrong approach to securing cloud computing.

Any 83-page document is at risk of being too ambitious to play a significant role in anyone’s decision making process, but judging by the turnout at the CSA session at RSA, I’d advise cloud computing vendors to pay attention and get involved.

Not all cloud happenings at RSA were as meaningful as the CSA briefing. Numerous booths included messaging that ranged from confusing to misleading. Netgear’s pitch of UTM appliances built on something called a “hybrid-in-the-cloud Security Architecture” (HITCSA has a nice ring to it) was my personal favorite. The guy working the booth got slightly agitated when I asked him what that meant and explained that their appliances receive web and virus definitions from the cloud. Really?

A company called Prevx had a similar “the future is now” riff on cloud security, promising that their endpoint agent stays up to date using the power of the cloud, while others went the route of promising cloud security without any other clue as to what their products really did.

Ironically enough, the real cloud security players oftentimes had the most restrained cloud messaging of all.

Sideshows and Luminaries

I didn’t find a lot of interesting technology at RSA, but I did have a good time walking the floor. Here’s what I saw.

My favorite sideshow act was this booth with a pair of guys doing a Vegas-style variety show (sadly, no tigers) and using the audience as a prop. Check out this expression on this guy’s face as he is about to come dangerously close to the business end of the whip.

The guy trying to get out of a straitjacket while balancing himself on a unicycle was terribly amusing. I think the vendor had some sort of point here, but I thought it was a perfect metaphor for buying a security product in 2009.

The Oracle guy had a flashy suit, but didn’t do any tricks. Art imitating life?

The guy at the Narus booth did do tricks, however. I have always thought Narus had some very interesting technology and it has been fascinating to watch their marketing message change over the years as they try to explain what it is they do to people who own security budgets. So the latest from RSA 2009: Narus does magic and something called “traffic intelligence”. But mostly magic.

I couldn’t figure out what this German company did (something about federated identity malware management protection), but they had a wicked cool robot that could pour beer. I think they should have gone all the way and dressed up their sales people as Cylons.

Radware people played doctor. I am sure there is an NSFW metaphor in there somewhere, but I am staying away from it.

It wasn’t all fun and games at RSA this year. I didn’t get to see Jeremiah Grossman do a talk at his Whitehat booth, but I did spot Dan Kaminsky preaching to the faithful. Real security topics right on the trade show floor? Say it isn’t so.

Nir Zuk, a self-described security visionary, talked about dispensing with the usual semantics of controlling network access through blocking service ports that hamper traditional firewalls and finally being able to control applications and malware of any type at wire speeds. I may not agree with Nir on everything (he and I got into it about cloud security at a recent Whitehat World webcast), but I do think Palo Alto had what may be the most promising company on the show floor this year. Maybe once everyone has one of these, people can stop spending money on perimeter IPS products that cover up just how badly broken firewalls are, and finally focus on dealing with intrusions deep in the core of their network.

But then things got silly again with this content filtering vendor packing in the crowds using a dazed and confused theme. It worked. In a building chock full of stiff security vendors, the whacky atmosphere in this booth was winning people over. Most important, it zeroed in on the one theme that most vendors at RSA missed out on – the sensitivity IT organizations have to the declining economy.

Everyone’s budget is getting pinched and yet more vendors were still selling the same old security voodoo, rather than focus on value. Why is that?

Maybe we’ll find out next year….
