Vendors Prepare For The March of RSA


Last year, the computing world reached a flashpoint. A prevalence of data breaches, lost and stolen laptops and zero-day attacks ushered in new and ominous threats to Web users’ personal information.


What’s a security vendor to do? Take advantage of this free publicity wave
and ride it, which is what the vendors will aim to do at the RSA Conference
2007 in San Francisco next week.


Microsoft kicks off the keynotes


Who better to kick off the conference’s keynote sessions than Microsoft
Chairman Bill Gates? In 2006, Microsoft doubled down on security software, and Gates and
other company officials are expected to discuss how those efforts have paid
off.


Expect to hear Gates boast about the heightened security in Windows Vista,
which includes BitLocker Drive Protection, CardSpaces and other technologies
for shoring up data.


“It will be interesting to see how quickly Vista is adopted and how
staunchly it stands up to any cracking attempts that will inevitably be made
against it,” said Burton Group analyst Dan Blum.


Oh, and you might hear a thing or two about ForeFront, the company’s security software portfolio aimed at breaking into a market
for anti-malware protection dominated by Symantec, EMC’s RSA, McAfee and others.


ISA Server and the Intelligent Application Gateway Microsoft acquired with
Whale Communications last year will be among the talking points.


Blum said ForeFront has helped Microsoft broaden its onslaught into the IT
security market, so much so that Symantec and the other security software
makers have had to shy away from the point product approach and deliver more
unified client protection.


“It will be interesting to see how the security market reacts to Microsoft
becoming a major player here,” Blum said. “The days are numbered when
[incumbent security vendors] can just make a living entirely by filling the
deficiencies of Windows, as those deficiencies grow less and Microsoft gets
more proactive about shipping products to remediate them.”


ForeFront, Blum said, basically ensures that customers don’t have to wait
five years for a new release because Microsoft can improve it every year.


That’s a lot of licensing revenue that Symantec, McAfee and the other antivirus
guys could normally book. Look for Symantec to go toe-to-toe with Microsoft
and announce products that will shore up defenses of Windows Vista.


“What we offer is to encrypt that credit card number after it gets to that
database or when it’s captured in the application.”


Ingrian plans to expand its coverage, encrypting unstructured information in
file and e-mail systems with File System Connector. The Ingrian File System
tool will run on the company’s DataSecure Platform appliance.


Zero day doesn’t have to mean zero chance


Last year also saw the rise of the so-called zero-day attack, which is the
name given to any attack for which there is no patch available or deployed.


To counter this, CA next week plans to unveil CA Host-Based Intrusion
Prevention System (CA HIPS), a piece of software cobbled from the assets of
Tiny Software, which CA bought two years ago, and home cooking in CA’s
software engineering group.


CA HIPS monitors incoming and outgoing traffic and determines who can access
what on a Windows-based computer network, said Sam Curry, vice president of
security management at CA.


CA HIPS aims to check zero-day attacks at the network door by detecting
anomalies in system behavior. IT administrators can define rules for
responding to these anomalies, such as blocking suspicious application
activity with the rest of the network until a threat can be tested. Threat
events are then logged to support compliance and reporting requirements.


“The bad guys have gone from hacking for notoriety to hacking for profits,
and there’s a lot of crimeware, so the rate of mutation for threats out
there is very, very high,” Curry said, explaining the impetus for HIPS.


“They are innovating very quickly, mixing and matching attack types, so it’s
important to provide defense in depth and cover the multiple ways things can
get onto a computer to affect business.”


CA HIPS will cost businesses $40 per seat.



Smart cards and tokens


As the number of remote offices and remote Web-based workers grows, the
business world will need to access the Web securely anytime, anywhere and on
any device.


That’s why some vendors, such as Microsoft and IBM, are throwing
their weight behind software that powers smart cards or secure USB tokens.


But the devices need to get a little smarter before they reach that
usability sweet spot businesses require for their workers. Consumer adoption
is even farther away.


However, Gemalto Monday will release Network Identity
Manager, a USB token that features its own software, processor and storage,
making it a cinch for consumers to plug it into any PC and access their
corporate Web applications.


You won’t need to load drivers, readers, or middleware. Just plug in and log
on.


Other smart card and token vendors are pre-announcing their wares to avoid
the RSA news crush — and their emphasis is on one-time password (OTP) tokens, which make it more difficult to gain unauthorized access
to computers.


Aladdin Knowledge Systems this week unveiled eToken
PASS, a one-time password token for temporary use. Entrust is launching IdentityGuard, a five-dollar OTP token;
Expedia will become the first to deploy the new Entrust token.

[Image: Entrust’s bargain token. Source: Entrust]


The Dual Output Token from nCryptone and Inteligensa will transmit
simultaneously an OTP on a screen, an OTP password in an acoustic signal,
and, as an option, radio frequencies enabling identification or contact-less
payment.


This allows users to enter the password displayed on the token’s screen on
their computers to access confidential information on a Web site, use the
acoustic signature to be identified and authenticated over the phone, and
even open a door or make a contact-less payment with the RFID signal.


Burton Group analyst Mark Diodati said he also expects to see products that
talk about how to bolt a smart card infrastructure into an ID management
infrastructure: expect a meeting of the minds and technologies between ID
provisioning vendors such as IBM, Sun and CA and smart card vendors such as
ActiveIdentity and Microsoft.


“You have the provisioning vendors reaching in and trying to better
interface with smart card management systems. Then you have smart card
system vendors reaching out to the provisioning guys,” Diodati said in a
recent interview.


“You don’t want two islands of identity. You want to use the provisioning
tool to drive the card management system and make it easier to issue cards
and revoke certificates.”


In the future, Diodati said we should expect smart cards with LCD screens
that enable workers contactless access into buildings — a reader will just
scan the person’s picture from the LCD.


If it proves a viable solution for corporate employees, Diodati said we
could see some trickle down into the consumer world where users might
use the smart cards for banking privileges.

Keeping data in the company


Tokens, smart cards and software solutions for zero-day attacks are all fine
and well. But enterprises need to focus on keeping data in the
company, too.


Rest assured, data-leakage prevention and data-at-rest (when data sits in a
repository such as a database) encryption will garner their due attention at
RSA.


“No one wants to be the next TJX, CardSystems or ChoicePoint,” Burton
Group’s Blum said, referring to businesses that suffered data breaches
that exposed thousands of credit card numbers and other customers’ personal
information.


These companies didn’t have sufficient computer protection to keep
perpetrators from prying into their networks.


At RSA, several vendors will step forward to offer software or hardware that
encrypts the private data, keeping it from being read in the event of a
breach or lost computing device.


Ingrian Networks can vouch for the rising interest in protecting data sitting
in repositories, buttering its bread by making software that secures
structured information in applications and databases.


“I know that while credit card data is transmitting from my PC to the
back-end of a transaction, it’s secure,” said Erich Baumgartner, vice president of sales and marketing at Ingrian. “But how do I know the database my
credit card goes into is secure?”
