RSA Show 2013: Cryptography is dead and a fresh approach to security is needed

Last week rather than follow the crowd to Mobile World Congress in Barcelona I headed out to the other major conference on at the time: RSA Conference in San Francisco.  After a few years in the doldrums this year's show was bigger, brighter and had some interesting things to say.

Away from the keynotes the theme of the show was Big Data, so there were lots of Cloud exhibits of course, but the topics of mobility, device security and identity were also high on the agenda.   

The keynotes are where the most headlines are generated of course, and this year one scored above all others: Adi Shamir's revelation that we have to prepare for a "post-crypto world". But despite what you might have read in other press - and sorry for the sensationalist title to this post - he didn't actually say Crypto is dead. The main thrust of this exchange was rather to point out how adversaries have changed and evolved their techniques to infiltrate computer systems in other ways. The last thing we want to do is stop encrypting things... his point is only that it's no longer enough.

The same theme was sprinkled throughout the conference: Wednesday’s keynote speakers, including Internet visionary Vint Cerf, talked about our modern world: a different world that calls for a fresh approach to security where the security elements know more about their operating context, and a world where many more online devices call for a more online design.  The root of all this, says Cerf, is to "insert trust and authentication into the core of the devices we use".  Cisco and McAfee keynote speakers echoed this with the need for "security by design thought processes", "programmable defence" and "use-case led security architecture".

But it was perhaps best expressed in the Cloud Security Alliance Summit ahead of the show on Monday, where one panel suggested: "The perimeter is dead.  The mobile device is the new perimeter." (later refined to "mobile identity" and then "trusted mobile identity").  Now, I've been arguing for some years that the perimeter is dead but the fact that the show has finally picked it up as a major theme represents a welcome step forward in the security industry this year.

All of this points towards the need for designed-in, context-aware trusted processing on mobile devices... which sounds pretty good to me.