I was in Munich last week, speaking at the European Identity and Cloud Conference in a panel on standards for mobile security. It was a very good session, not least because of the colleagues who joined me on the panel. John Sabo spoke about the work he’s doing in privacy frameworks. Tony Nadalin spoke about [...]
So I’ve called the Help Desk before. I’ve been that person on the other end who becomes a statistic, a cost point in the never-ending battle to keep costs low, to stay more efficient. The reasons I’ve had to call the Help Desk are myriad, but more often than not it’s because I’ve locked myself out of something. It’s a pain point for all of us. If you ask organizations what common user issue their Help Desk staff is plagued with the most, it is password resets. In a recent research study we worked with the SANS Institute on, 42% of organizations stated that password reset requests were the number one reason users called most often – so at least I’m not alone.
Risk-based authentication is one of the simplest security technologies to understand while at the same time being one of the most intelligent and adaptable. The concept of risk-based authentication is very similar to the risk decisions we make in our daily life – from how we drive our car to where we invest our money.
Contributed by Lauren Horaist, Senior Product Marketing Manager, RSA Identity and Data Protection Group. I sometimes find myself making strange comparisons between real life and work life. One of those stream-of-consciousness moments happened a few weeks ago while I was driving home in a snowstorm. I was minding my business driving along my normal route, [...]
Biometric authentication is all about something you are – it could be your fingerprint, your retina or iris pattern, your facial profile, a voiceprint or even the speed and pressure you apply when typing or signing. How long will it be before instead of passwords and PIN numbers, systems simply scan you or listen to your voice to know that you are who you say you are?
As I’ve said before, the best practical measure of security that I can think of is “cost-to-break.” It’s a good reflection of the relative difficulty that someone has to go through to overcome a particular measure or control. It also helps to deal in “currency” as a consistent unit (for a given economy) for a lot of modeling purposes, and of course you can even factor in things like “windows” of opportunity and risk with a financial model for defining security.
Guest Blog Post by Dan Schiappa, Senior Vice President, Identity & Data Protection
As researchers from SensePost have recently demonstrated in their attack simulations on one type of RSA SecurID authenticator – the RSA SecurID Software Token for Windows – scrutiny of security methods, processes, and operating environments is a valuable exercise. It can deliver benefit to the software industry and its ecosystem of vendors, security practitioners, and the users they protect in their organizations. Ultimately it helps ensure better and safer products.
At the European Identity and Cloud (EIC) Conference 2012 last week, I finally got what Craig Burton has been saying for some time now: “Baking your core competency into an open API is an economic imperative.” What brought it home for me was the presentation by 3Scale’s Steven Willmott, focusing on what he called “turning [...]
Last week my colleague Matthew Gardiner and I, along with Kim Cameron of Microsoft and Edwin van der Wal of Everett Consulting, presented a panel on “Security Intelligence and IAM” at the European Identity and Cloud Conference in Munich. Prompted by questions from our moderator, Dr. Horst Walther, we had a lively discussion about the [...]
I was at the Gartner IAM Summit in London last week and had the chance to catch up with Robin Wilton, including attending his session on “High Identity Assurance in a Mobile World”. It was a great presentation, full of interesting ideas and insights. I was particularly struck by Robin’s discussion of personas, especially in the light of the keynote panel discussion of “the death of authentication” the day before.