RSA 2014: A SPECIAL REVIEW


RSA 2014 was an exciting and exhausting experience filled with new partnerships, new technology and a general reset on what security means today (what works and what doesn’t). In our presentation at RSA we discussed the general assumption that password and certificate maximum-age standards for compliance are now irrelevant. We now see password ages for privileged accounts limited to hours rather than the conventional 30 to 90 days maximum. Where certificate lifetimes used to run to years or decades, we are now seeing lifetimes of minutes to days. In both cases there is a realization that privileged credentials and the components used for encryption are being captured, and the goal is to limit the value of a compromised credential by limiting the time for which it is valid.

The general wisdom of a defense being 100% effective has come to an end. We see the realization of a new reality where at least one or more systems within an environment are compromised, and now the job of IT Security is to minimize damage, and to discover and neutralize intruders after they have entered the environment.

Target’s breach was also a common wake-up call for many at the conference, confirming that even at the largest companies in the world, the basics of simply having a different random password on each device and server were not being followed. The Target breach pointed out that many breaches come not from a lack of technology, but from a lack of corporate competence. Concurrent with the disclosure of the fundamental incompetence of IT security at Target, their CIO left in March 2014.

As a company we are pushing privileged identity management from a point solution that is used to remediate existing poor practices and implement a hard control into the realm of a privileged identity security platform. Our latest versions are being deployed in a headless configuration (no console or web GUI needed) and driven by PowerShell and Web Service APIs. These APIs orchestrate the discovery, randomization and release of credentials for a limited amount of time as a baked-in feature of each machine’s (virtual and physical) and application’s lifetime. In essence our product is becoming a platform for cloud providers, MSPs, and government projects that are seeking to secure identities as part of their offering stack.
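To make the credential-lifetime point above concrete, here is a small added example (written for this page, not the product’s own API or code): a per-device credential store that issues a unique random password to each machine and releases it under a time-boxed lease, so a captured password neither works on another device nor outlives its lease. The `CredentialStore` class, the device names and the four-hour maximum age are constructed for the illustration.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Lease:
    device: str
    password: str
    issued: datetime
    expires: datetime


class CredentialStore:
    """Hypothetical vault: one random password per device, valid only for max_age."""

    def __init__(self, max_age: timedelta, length: int = 24):
        self.max_age = max_age
        self.length = length
        self._current = {}  # device name -> current Lease

    def _random_password(self) -> str:
        alphabet = string.ascii_letters + string.digits + string.punctuation
        return "".join(secrets.choice(alphabet) for _ in range(self.length))

    def rotate(self, device: str, now: datetime) -> Lease:
        lease = Lease(device, self._random_password(), now, now + self.max_age)
        self._current[device] = lease
        return lease

    def release(self, device: str, now: datetime) -> Lease:
        """Hand out the device's password, rotating first if none exists or it has expired."""
        lease = self._current.get(device)
        if lease is None or now >= lease.expires:
            lease = self.rotate(device, now)
        return lease

    def validate(self, device: str, password: str, now: datetime) -> bool:
        """What the target device checks at logon: right device, unexpired, constant-time compare."""
        lease = self._current.get(device)
        if lease is None or now >= lease.expires:
            return False
        return secrets.compare_digest(lease.password, password)


def demo():
    t0 = datetime(2014, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    store = CredentialStore(max_age=timedelta(hours=4))
    web = store.release("web01", t0)
    db = store.release("db01", t0)
    reuse_on_other_host = store.validate("db01", web.password, t0)           # per-device password
    valid_inside_lease = store.validate("web01", web.password, t0 + timedelta(hours=3))
    valid_after_lease = store.validate("web01", web.password, t0 + timedelta(hours=5))
    return reuse_on_other_host, valid_inside_lease, valid_after_lease, web.password != db.password
```

The expiry check means a password captured from `web01` stops working on its own once the lease ends, with no detection required; a request for `web01` after that point simply mints a fresh one.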

We have also seen our product move from a compliance requirement to being part of a cyber-warfare strategy to minimize the attack surface of the entire environment. The product is used by both Red (offense) and Blue (defense) cyber warriors to find weaknesses and to minimize them (depending on which team is using the platform). The evolution from basic compliance, to core security, and then to cyber-warfare/defense, and what it means for product development, has been one of the most interesting areas we have been working on these days.

The other evolution has been the requirement from many customers for a hard SLA for security coverage in strict periods of time, every day, with no downtime or unscheduled outages. Certainly this is in line with the move from point-in-time compliance to handling real threats that are occurring every hour of every day (yes, hackers and nation states attack after the auditor leaves).

RSA was quite a show, and with it we have all seen that the worst-case scenarios of the "future" are "today’s" reality. The general wisdom of compliance having any lasting value has been dropped as a valid concept, and those CIOs that cling to it should be looking for another job. RSA taught us that there are no perfect solutions, only mitigations that minimize risk, damage, and the length of time an intruder can move around in your environment.