Turning Your Organization Inside-Out: Security and the Open API Economy

At the European Identity and Cloud (EIC) Conference 2012 last week, I finally got what Craig Burton has been saying for some time now: “Baking your core competency into an open API is an economic imperative.” What brought it home for me was the presentation by 3Scale’s Steven Willmott, focusing on what he called “turning [...]

Security Intelligence and Identity: Reflections from the Munich EIC Conference

Last week my colleague Matthew Gardiner and I, along with Kim Cameron of Microsoft and Edwin van der Wal of Everett Consulting, presented a panel on “Security Intelligence and IAM” at the European Identity and Cloud Conference in Munich. Prompted by questions from our moderator, Dr. Horst Walther, we had a lively discussion about the [...]

Assertive Personas

I was at the Gartner IAM Summit in London last week and had the chance to catch up with Robin Wilton, including attending his session on “High Identity Assurance in a Mobile World”. It was a great presentation, full of interesting ideas and insights. I was particularly struck by Robin’s discussion of personas, especially in the light of the keynote panel discussion of “the death of authentication” the day before.

Diversity and Collaboration in the Mobile Ecosystem

In Securing Enterprise Use of Mobile Devices, I wrote about my participation as a panelist in the “Mobile Security Show”, aired on the AT&T video channel in November 2011. We talked about a lot of things, from the drivers behind bring-your-own-device strategies to the technologies supporting enterprise security for personal devices and the policy implications, for enterprises and society as a whole, for the privacy of individual and enterprise information. Towards the end of the evening, we got into a discussion of whether homogeneous technical environments are more risky than heterogeneous ones. Ed Amoroso, the CSO of AT&T, had particularly interesting thoughts on the complexity of this issue for IT departments, ending with the remark: “Count me in as favoring the diverse ecosystem.”

Orchestrating a New Solution for User Authentication

The problem that RSA and Zscaler are taking on is a fundamental one for the new dynamic of user interaction with enterprise information. User access increasingly comes from outside corporate networks, using devices not controlled by the enterprise IT teams. Connectivity with IT systems is increasingly in short-duration bursts and employs many different approaches: HTTPS, VPNs, VDI. The security posture of the user device changes continuously as the user accesses different resources from different locations, and I don’t mean just between home and office, or between different cities as we travel. It’s being connected via our home wireless at 8 a.m., via the office LAN at 9, the Starbucks wireless at 10 and so on. We are all out in the cloud a lot of the time!

All Those Years Ago: Looking back at the early days of cybercrime & fraud at RSA

Over the past 6+ years at RSA I’ve seen a lot of changes at RSA, from acquisitions to new product launches to the dreaded “end of life” of a product. I’ve seen the group I originally started in grow from less than a dozen people to one of the largest segments of the company. I’ve [...]

Securing Enterprise Use of Personal Devices

In September I was invited to be a panelist on the AT&T Mobile Security Show, videotaped at Stevens Institute of Technology in New Jersey. They have just posted the show on their website (http://techchannel.att.com/play-video.cfm/2011/11/4/The-Mobile-Security-Show-Episode-2) and you can also watch it here.

What to do about new FFIEC guidance? Keep it simple, folks

The new FFIEC Supplemental Guidance on Authentication in an Online Banking Environment is a lengthy document, attempting to tackle an already large yet continually growing problem of malware, identity theft, and cybercrime threatening the very usefulness of online banking. I see no need to get into a detailed explanation of the problem… What I think is worth some effort at the moment is thinking about the next steps of addressing the guidance – financial institutions need to stick with the theme of “Keep It Simple.”

Your teachers were wrong: You can ask a stupid question

For years we have been using challenge questions (aka challenge/response questions or secret questions) as a way to authenticate users. Lately I’ve been hearing more chatter that challenge questions are dead. I wouldn’t totally agree with that statement. Challenge questions are not dead… but some of them should really be killed off. So often the questions we are “challenged” with are not particularly secure and not particularly usable, and it’s giving the good challenge questions a bad name.

Cost to Break: Authentication…Express

RSA announced the availability of Authentication Manager Express. This is a breakthrough for SMBs for simplicity, affordability and efficiency. Get the results with an optimal use of resources and little to no overkill*.