I must confess that this year RSI show was one of the greatest to date. I send my felicitations to the organization team that, once again, did a great job.
I just wanted to present my though about the presentations I was able to attend. Please note that most, if not all, presentation should be released on the Tube shortly.
There was two (2) keynotes that's worth mentioning, the first presented by Roger Sullivan from Oracle about the Liberty Alliance (http://www.projectliberty.org
) , concern about developing standards for secure inter-systems identity transfer. SAML 2.0 should prove to be an important standard that will help allot reaching SSO through a multi-level identity assurance. Although the technical part of the problem space seems to be real strong, the issues concerning the adoption of "inter-business" SSO are now relayed in at the business process level. There's a long way to go before we start seeing business trusting authentication from other business, or even seeing eGov identity... But interesting stuff never the less.
The other keynote was from Graham Whitehead, a magnificent orator, preaching before an already sold audience about the issues of the modern information age. I did learn a lot from his oratory skills. An interesting question that he threw at this audience was: Do you know your information footprint? How much information about you, your family, your habits, and your jobs did you throw into the cloud?
I attended Harold Côté’s, from Loto-Québec, presentation on daily risks management. It was really valuable experience he shared with the attendees. Developing a risk management service is hard work. And even with the best method of assessing risks (MEHARI, OCTAVE) you have to build maturity and credibility by starting small. Start with incidents and change requests risks assessments and control information you release to avoid unnecessary challenges from, for example, project management and such. Your audience should want to challenge the content of the analysis, not the method. If you do not control the method they will jump to the opportunity to invalidate your reports.
I then attended, Alexandre Major’s, from the famed Ubisoft Montreal studio, presentation on “target production, without being the target”. I’m a long time fan of Ubisoft, even worked there for some time. It’s really interesting to see that they are still so different from the rest of the planet. Their challenges are so different from the banking, retails or pharmaceutical industries I worked for. There’s a couple quote I’ve noted in my book that’s worth mentioning… First, security must be part of the team. If no one’s there, they do not exist. If the security guy is in the field of view of a person, the later would be less likely to breach security rules
I might have a scoop, Ubisoft is now looking for staffing their anti-piracy department in Montreal, and are looking for another security analyst to assist production operations.
There was a set of vendor presentation that I must say I skipped. Well, mostly because I did already saw most of them, but I wanted to take some time to check the kiosk and meet some of the new comers there. As usual the main value to go to those events is really about networking. Meet people and chat with old friends…
I attended then a session on industrial spying. The speaker, Michel Juneau-Katsuya (ex-director of SCRS – Canadian’s secret services – don’t laugh) did a nice job at telling us there was issues about corporate industrial and government economic espionage. I must say I was left on my appetite as no avenue of resolution or ways to get intel on the impact for my current industry was presented. Well, it’s not his fault our government doesn’t produce or release metrics on the impact of such events… Was still an overall interesting session.
I’m sure the other presentations was quite interesting, if some EH reader did attends those not mentioned here, please give me your though…
Marc-André Bélanger, CISSP, C|EH