CA Community

March 2011 - Posts

A Token Blog Post

Published: March 29 2011, 11:02 AM | 1 Comment(s)
by Merritt Maxim

We officially announced our RSA Token Trade-in program today. This program offers any current RSA SecurID® token customers an opportunity to trade their RSA tokens for CA ArcotID secure software credentials in a one-for-one swap. This program was launched following RSA Security's March 18, 2011 disclosure that its widely-deployed RSA SecurID two-factor authentication solution has been victimized by a sophisticated cyber attack. This incident generated considerable media commentary and analysis, some of it excellent; some of it not so good. (For the record, SecurID has no second 'e' in it, but that has always been a problem.)

The bigger issue is not our announcement, but the reality that single-purpose separate hardware tokens are an anachronism in the 21st century - a recognized issue even before the news of the SecurID breach.  As my colleague Jim Reno blogged on these pages last week, hardware tokens are an end-user inconvenience.  Ten years ago, many organizations were still relying on dial-up access for employees, and cell phones (not today's smart phones) were just starting to see widespread adoption.  In this environment, hardware tokens served the need for strong authentication.

But today we live in an increasingly mobile broadband world with access from anywhere and from any device.  This model does not align well with the single-function hardware token.  Ultimately the need for convenience, flexibility and easier deployment is what is driving demand for secure software credentials like the CA ArcotID.   The fact that the underlying security behind SecurID may have been compromised is certainly of concern, but any IT security technology is ultimately evaluated on multiple criteria (of which security is just one), and it is the sum of all benefits (security plus things like deployment cost, flexibility, etc.) that makes software-based authentication more compelling than hardware tokens.

In closing, the RSA incident reminds all IT security vendors that they need to be vigilant against potential breaches.  We all hope that RSA can disclose more information about the breach so that everyone can learn from and apply appropriate counter-measures for these types of threats.

In the interest of full disclosure, I worked at Security Dynamics (aka RSA Security) from 1997-2001 and was product manager of SecurID during some of that time, and my current employer, CA Technologies, competes with RSA Security in certain product areas.


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

Catalyzing an ID Verification Marketplace at EEMA’s eID Interoperability Conference

Published: March 25 2011, 03:00 PM | no comments
by Matthew Gardiner

In my last blog I gave a preview of my upcoming session at EEMA's eID Interoperability conference - "Catalyzing an ID Verification Marketplace." My session fit well into what was discussed at the conference. There were multiple sessions, most notably covering Germany's eID project, the Netherlands' eRecognition project (which uses third-party Identity Providers to access government business-facing applications), and Denmark's WAYF project, that hit on many of the same themes and issues as my session.

The bottom line is this marketplace - where users have a relatively small number of credentials which are provided and managed by trusted identity providers, which then facilitate (via standards-based SSO) user access to sensitive relying party applications - is really starting to happen. In part, the market is being strongly pushed in Europe as a way of bridging and linking the countries of Europe into a common market - in this case a common online market.

One other item I want to report on from this event is the launch of a new European Commission funded project known as SSEDIC - Scoping the Single European Digital Identity Community. This new initiative has as its clear objective to further catalyze the federated identity approach across industry and government, by helping to define what a large community of trust might look like. Can't you just sense this ID verification market is starting to happen now?


By: Matthew Gardiner
Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM...

Infosec Belgium

Published: March 25 2011, 05:40 AM | no comments
by Tim Dunn

This week I spoke at the Infosecurity Conference (infosec.be) in Belgium. The event took place between 23 and 24 March, and approximately 5,000 visitors were expected to have attended over the two days. The event caters for both technical and management delegates and as such was split into two tracks - management and technical.

The conference covers all aspects of Information Security from Firewalls and Anti Virus to Identity and Access Management and Public Key Infrastructure (PKI).

I was invited to present to delegates in the technical track on the subject of "The Evolution of Identity and Access Management for the Cloud". My presentation explored what changes are going to be required to Identity and Access Management to take into account the needs of virtualisation and Cloud models of service delivery/consumption by IT Departments.

As you can imagine, there was a heavy play on Cloud Security from most of the vendors at the event. There were vendors pitching both solutions for securing the cloud and security services from the cloud.

Whilst at the event I also undertook press interviews and met with some of our customers. In an interview with Datanews, which is Belgium's largest and oldest IT publication, we discussed whether companies were ready to go into the cloud securely.  It is clear that companies are exploiting the cloud's benefits regardless of whether or not they have the correct security in place. There is therefore a high level of urgency in the security and IT departments to catch up with the wave.

The customers were taking a refreshingly business-oriented approach to the cloud and security, and the topic of how they can support mobile users and new devices such as iPads and smartphones was a recurring theme. I will touch on this topic further in a future blog.

This event is a key one for anyone looking to have a security presence in Belgium and given the attendance and networking opportunities at the show, we will definitely consider it in our future business development plans for the region.


By: Tim Dunn
Tim Dunn has spent 13 of his 23-year career in Enterprise software focused on the security market in EMEA. Tim is currently responsible for the strategy and go to market approach for CA Technologies security solutions, ensuring that CA continually evolves technologies which meet customer requirements...

That Lump in my Pocket

Published: March 24 2011, 09:46 AM | 2 Comment(s)
by Jim Reno

I was sitting parked in my car yesterday evening, waiting for a rather long conference call to end.  I foolishly thought that, given my 45 minute commute, things would be wrapped up when I got home, but there was always one more question, so I ended up in my garage for 10 or 15 minutes.  Since there's not much to look at in my garage, my eye went to my keys hanging from the ignition.  These include:

  • three car keys, one of which is bulky from integrated buttons
  • a house key
  • office building outside door key and inside door proximity fob
  • a file cabinet key
  • micro button-battery flashlight because, alas, I can no longer read menus in dark restaurants without it
  • and one keepsake - a key to a DEC PDP-8/E, circa 1972, which also worked in just about any subsequent DEC system

In my pocket, where these keys usually live, they make a pretty good sized lump that I certainly don't want to get any bigger.  So the thought of carrying anything else doesn't appeal to me.

This is relevant because I'm in the software authentication business, and lately there's been a lot of buzz about security and hardware tokens.  The news illustrates that contrary to conventional wisdom, hardware is not always (or inherently) more secure than software.  Security isn't that simple; it's part of a bigger equation that has to look at all the business impact of a technology.  Even if we consider only security, and ignore all other business factors, we have to look deeper.  Hardware tokens might be tamper-resistant, but that doesn't help you if the secrets they protect are also stored elsewhere, and can be stolen.  Software tokens, such as CA Technologies ArcotOTP or CA ArcotID, use keys that are generated in the field by the customer.  So no attack on our internal systems can compromise those keys, because we don't have them.  And in the unlikely event that one is compromised or lost, it's easy and fast to replace.

But what comes home to me more is the inconvenience factor. When I talk to people that have to carry hardware OTP tokens, I find they are almost universally despised. I can't imagine my bank, say, calling and telling me I have to use a hardware token to access my account online. After I stopped laughing I'd change banks. And what if I have more than one account? One token is too big; two, absurd. The Internet is about modern technologies; it's about software; it's about services; it's about connecting and interacting. Not about 20-year-old technology, especially not if it puts a bigger lump in my pocket.


By: Jim Reno
Jim Reno is Chief Security architect at CA Technologies. He joined the company with the Arcot acquisition which was completed in October 2010. Jim is one of the inventors of the 3-D Secure protocol used in the Verified by Visa and MasterCard SecureCode programs and he holds multiple patents in the area...

Thoughts from Gartner IAM Summit - London

Published: March 17 2011, 11:24 AM | no comments
by Tim Dunn

So here we are again. Another Gartner Identity and Access Management (IAM) Summit behind us, and this year's event saw a swell in the number of delegates as well as a palpable increase in interest and excitement around IAM.

This year's main theme was Identity Intelligence, which explored how identity information could add value to corporate decision making when combined with other Business Intelligence information types.

It was an interesting theme and one CA Technologies has been promoting through our "Power of Know" briefings and presentations, and it was a key theme at the RSA Show in San Francisco.

It also added weight to our primary assertion, that IAM should be viewed as a business discipline and not just relegated to Security or an IT domain. The IAM Summit is always an excellent opportunity to talk with senior decision makers  within our customers as well as catch up with the analysts and compare notes on industry trends and drivers.

I participated in a Keynote Panel along with Oracle and Gartner Analyst Ant Allen. We discussed a number of IAM topics and had interactive involvement from the audience.

Some of the media who attended also had interesting viewpoints.

The good news is that the business users are starting to have expectations and involvement in IAM and are putting pressure on the IAM project teams to ensure IAM directly helps the business become more competitive and agile. This will be a significant factor in ensuring a business sponsor for IAM and increased success of IAM deployments.

The cloud was a common subject again this year. What I found most encouraging is that the discussions were around practical implementation issues / considerations, rather than whether or not the cloud is secure enough for enterprise adoption.

I hope we have seen as much progress in IAM adoption by next year's summit as we did between this year's and last year's.


By: Tim Dunn
Tim Dunn has spent 13 of his 23-year career in Enterprise software focused on the security market in EMEA. Tim is currently responsible for the strategy and go to market approach for CA Technologies security solutions, ensuring that CA continually evolves technologies which meet customer requirements...
