IT to Endpoints: Who Are You?

SAN JOSE, Calif. — UPDATED: The network would like to know:
Who are you?

After a year of headlines about major data breaches at big-name data providers, IT managers and data sentinels in many networks are asking that question more aggressively.

With good reason. Security vendors say enterprises need to be a lot more picky about their network access protocols, Sarbanes-Oxley regulations notwithstanding, before taking into account the constant stream of data breaches that got Congress to propose a federal data-protection law.

Tech research firm IDC’s January survey of enterprise security issues noted that intellectual property siphoning and corporate espionage, as well as attempts to steal personal and company information, are increasing with the use of sophisticated attacks on business networks.

Social engineering remains a big part of the fraudsters’ toolkits.

While phishing attacks are still a growth industry, spearphishing attacks are the breakout trend, according to IDC’s survey of enterprise security.

Spearphishing means just what it suggests: a targeted approach to fool a specific end-user into turning over sensitive data that could enable the identity theft.

“Trusted employees deliberately or inadvertently distributing sensitive information are quickly becoming a major concern in many organizations,” IDC said, dubbing the concern outbound content compliance (OCC).

That helps explain the deluge of smart cards and a new generation of
authentication and audit technologies splashing down at the RSA conference in San Jose this week.

Microsoft Chairman and Chief Software Architect Bill Gates built on that theme during a keynote address here, telling attendees that the latest version of Windows, called Vista, is all about security and enabling authentication tools, such as smart cards and advanced levels of encryption.

Take the Security Center feature in the latest Vista build. With one
click, an end user can check security status across all levels of the
operating system and applications — from Outlook to the IE browser, which also has been hardened in the latest beta version with advanced levels of security.

Without deeper authentication and encryption features available across
enterprise networks, lots of people simply live with it, limiting their
activity, or they simply take risks, Gates said.

Across all these networks we live in, both in work and on a personal
level, “we have chains of trust, not just a single level. What we need here is the ability to track those trust relationships, grant permissions, and revoke those permissions” when necessary, Gates said.

“We’re really just at the beginning of the trust ecosystem.” Most companies are not even moving to federation in their deployments, he added.

“If you look under the covers, there’s a lot of insecurity and lost productivity as a result.”

Smart cards are moving into more widespread use, he said, as support for protocols across the industry are settled among standards bodies. This is a key part, so that enterprises don’t have to duplicate the same security code across different applications and platforms during authentication sessions.

One example among many at RSA is GeoTrust, one of the largest providers of digital certificates for online businesses.

On the heels of its acquisition of TC TrustCenter, a German provider of smart card technology, GeoTrust just announced a new suite of smart cards aimed at banks, corporate users and sectors such as utilities and governments that deploy two-factor authentication.

Neal Creighton, CEO of GeoTrust, said recent industry mandates and
government regulations such as Sarbanes-Oxley data retention rules are
driving more organizations to begin deploying smart cards and tokens, as well as adding new audit features to keep track of who has access to what.

GeoTrust said its True Credentials Enterprise ID technology is currently deployed across some of Europe’s largest financial institutions, utilities and government agencies.

It’s also offered as a managed service, designed to make it more simple for companies to manage, Creighton told

“My version, my belief of the future, is that every transaction online that can cause harm will have to be verified, from uploading code, e-mail, even verifying search results,” he said.

“People want to understand when they do something online that there is
security associated with that transaction.”

Microsoft is rolling out its usual spate of product announcements around security, especially partnering with vendors regarding its Network Access Protection initiatives.

In addition, the latest version of Internet Explorer (IE7), currently in beta, offers a new level of security features that help the end-user check the authentication of Web sites.

For example, the latest IE builds on limits to running ActiveX
unhindered in a browser, which keeps the
browser-scripting feature from being exploited to deposit malware on
computers when a Web surfer hits a malicious site.

Companies such as Enterasys Networks are part of the security
authentication ballyhoo with products that work in tandem with Windows and
Microsoft systems to ramp up authentication levels.

The Andover, Mass.-based Enterasys is among a flurry of vendors plying
RSA with demos that show a full range of advanced secure network
capabilities for intrusion defense, behavioral event detection and proactive
protection of enterprise networks.

Mike Schutz, group product manager for Windows Server at Microsoft, said
network admission control is becoming a key security requirement for
enterprise IT executives.

GeoTrust’s Creighton said that after years of adoption among key
infrastructures such as financial services and governments, smart cards are
heading for wider adoption among a wider swath of businesses.

After all, it’s all about building trust in endpoint access and who’s
getting past the gates of the kingdom.

As Art Coviello, CEO of security software provider RSA Security, put it,
“We all live in a crime-ridden neighborhood in the online world.” At a time
when we’re nearing a time of network connectivity ubiquity, we all need to
proceed to the logical next step of making sure we have better information,
and improve how we link transactions to our personal identity online.

News Around the Web