RealTime IT News

IT to Endpoints: Who Are You?

SAN JOSE, Calif. -- UPDATED: The network would like to know: Who are you?

After a year of headlines about major data breaches at big-name data providers, IT managers and data sentinels in many networks are asking that question more aggressively.

With good reason. Security vendors say enterprises need to be a lot more picky about their network access protocols, Sarbanes-Oxley regulations notwithstanding, even before taking into account the constant stream of data breaches that got Congress to propose a federal data-protection law.

Tech research firm IDC's January survey of enterprise security issues noted that intellectual property siphoning and corporate espionage, as well as attempts to steal personal and company information, are increasing with the use of sophisticated attacks on business networks.

Social engineering remains a big part of the fraudsters' toolkits.

While phishing attacks are still a growth industry, spearphishing attacks are the breakout trend, according to IDC's survey of enterprise security.

Spearphishing means just what it suggests: a targeted approach to fool a specific end-user into turning over sensitive data that could enable identity theft.

"Trusted employees deliberately or inadvertently distributing sensitive information are quickly becoming a major concern in many organizations," IDC said, dubbing the concern outbound content compliance (OCC).

That helps explain the deluge of smart cards and a new generation of authentication and audit technologies splashing down at the RSA conference in San Jose this week.

Microsoft Chairman and Chief Software Architect Bill Gates built on that theme during a keynote address here, telling attendees that the latest version of Windows, called Vista, is all about security and enabling authentication tools, such as smart cards and advanced levels of encryption.

Take the Security Center feature in the latest Vista build. With one click, an end user can check security status across all levels of the operating system and applications -- from Outlook to the IE browser, which also has been hardened in the latest beta version with advanced levels of security.

Without deeper authentication and encryption features available across enterprise networks, lots of people simply live with it, limiting their activity, or they simply take risks, Gates said.

Across all these networks we live in, both in work and on a personal level, "we have chains of trust, not just a single level. What we need here is the ability to track those trust relationships, grant permissions, and revoke those permissions" when necessary, Gates said.

"We're really just at the beginning of the trust ecosystem." Most companies are not even moving to federation in their deployments, he added.

"If you look under the covers, there's a lot of insecurity and lost productivity as a result."

Smart cards are moving into more widespread use, he said, as support for protocols across the industry is settled among standards bodies. This is a key part, so that enterprises don't have to duplicate the same security code across different applications and platforms during authentication sessions.

One example among many at RSA is GeoTrust, one of the largest providers of digital certificates for online businesses.

On the heels of its acquisition of TC TrustCenter, a German provider of smart card technology, GeoTrust just announced a new suite of smart cards aimed at banks, corporate users and sectors such as utilities and governments that deploy two-factor authentication.

Neal Creighton, CEO of GeoTrust, said recent industry mandates and government regulations such as Sarbanes-Oxley data retention rules are driving more organizations to begin deploying smart cards and tokens, as well as adding new audit features to keep track of who has access to what.

GeoTrust said its True Credentials Enterprise ID technology is currently deployed across some of Europe's largest financial institutions, utilities and government agencies.

It's also offered as a managed service, designed to make it simpler for companies to manage, Creighton told internetnews.com.

"My version, my belief of the future, is that every transaction online that can cause harm will have to be verified, from uploading code, e-mail, even verifying search results," he said.

"People want to understand when they do something online that there is security associated with that transaction."

Microsoft is rolling out its usual spate of product announcements around security, especially partnering with vendors regarding its Network Access Protection initiatives.

In addition, the latest version of Internet Explorer (IE7), currently in beta, offers a new level of security features that help the end-user check the authentication of Web sites.

For example, the latest IE builds on limits to running ActiveX unhindered in a browser, which keeps the browser-scripting feature from being exploited to deposit malware on computers when a Web surfer hits a malicious site.

Companies such as Enterasys Networks are part of the security authentication ballyhoo with products that work in tandem with Windows and Microsoft systems to ramp up authentication levels.

The Andover, Mass.-based Enterasys is among a flurry of vendors plying RSA with demos that show a full range of advanced secure network capabilities for intrusion defense, behavioral event detection and proactive protection of enterprise networks.

Mike Schutz, group product manager for Windows Server at Microsoft, said network admission control is becoming a key security requirement for enterprise IT executives.

GeoTrust's Creighton said that after years of adoption among key infrastructures such as financial services and governments, smart cards are heading for adoption among a wider swath of businesses.

After all, it's all about building trust in endpoint access and who's getting past the gates of the kingdom.

As Art Coviello, CEO of security software provider RSA Security, put it, "We all live in a crime-ridden neighborhood in the online world." As we near ubiquitous network connectivity, we all need to proceed to the logical next step of making sure we have better information, and improving how we link transactions to our personal identity online.