Open source software security

Educause Security 2009

I'm currently attending Educause Security 2009 in Atlanta, GA. This year's Educause Security has, in my opinion, the strongest program in quite some time. There is a very heavy technical bent to many of the presentations and a lot of the fluff that I found present in last year's conference is absent. The persistent theme of this year's conference seems to be PII, identity theft, notification, and privacy. It's interesting to see a security conference so heavily focused on privacy, but identity theft is the intersection of privacy and security.

I gave a presentation on the implementation of Identity Finder and its use in locating and remediating PII at the University of Pennsylvania's School of Arts and Sciences. Interestingly enough, Identity Finder came up in two other discussions - the panel discussion around DLP and later in the talk about forensic analysis of compromised hosts. The keynote this morning was delivered by Joanne McNabb, of California's Office of Privacy Protection, and highlighted the vast and increasing amount of data that security professionals must deal with and the increasing privacy concerns derived from that data generation. PII is everywhere, and finding it is a huge challenge, making the task of protecting PII an even greater task. We've found at Penn that Identity Finder was a great tool to help us get a handle on the sea of data floating around our endpoints.

Overall the conference has been great - chock full of useful information. There are several different tracks, the advanced one being of the most benefit, in my opinion. I like the really hands-on, real-life examples that these talks give.

A couple of gripes about the conference so far. The venue has been extremely disappointing. The Westin Peachtree has been a disaster. First my room key wouldn't work, then when it was fixed my bed was unmade. They moved me to a new room that, I kid you not, has a prison-cell-sized window and makes me feel like I'm in a cave. The bathtub has mold and rust on it, the wired networking doesn't work, and for some reason the mini-bar is locked and I wasn't given a key. This is a huge step down from past venues.

The other gripe I have is with the format. The half-day session on Monday followed by a half day on Wednesday makes it a strange time commitment. The meat of the conference is on Tuesday - an odd day to travel, and means that you waste full days to attend half-day events. Especially with the economy the way it is, you'd think Educause would want to be able to maximize content with minimal travel costs.

Other than that I've been thrilled. I think my talk went well and hearing other people has been great. I wish the happy hour went longer because people tend to become more social over time, but it was nice to meet people from other universities and colleges and trade some war stories. I'm looking forward to the concluding events tomorrow, then it's back to the grind!