RSA Keynoters push for ID federation, harsher laws

By Anne Saita, News Director
15 Feb 2006 | SearchSecurity.com

SAN JOSE, Calif. -- Building on earlier appeals to shore up sagging consumer confidence, the CEOs of two prominent companies implored the industry not only to make security easy on e-commerce customers, but also to make it an imperative.

That means adopting widely used open standards that promote Web services federation and secure online transactions now constantly under threat.

"You can't convince consumers to have a different security model wherever they go," said VeriSign chairman and CEO Stratton Sclavos during Wednesday morning's keynote address at the RSA Conference.

For the first time, he noted, consumer confidence is down, with 42% of online shoppers in a recent nationwide survey admitting they are more nervous about Web attacks.

Immediately following Sclavos was a similar appeal to enterprises from Symantec chairman and CEO John W. Thompson to be more proactive in protecting consumer data. That includes pushing for federal legislation that covers all database security breaches and demands stiff penalties to restore trust.

"If we – as business leaders – want this digital economy to thrive, it is incumbent upon us to protect all aspects of it – from our enterprise infrastructures to the information created, transmitted and stored within it," Thompson said. "And, most importantly, we must protect the relationships, or digital interactions, that underpin this world."

Sclavos touted his company's new VeriSign Identity Protection services that use standards created by the Initiative for Open Authentication (OATH) founded two years ago at this conference. The consortium has grown to 60 corporate members and more than 15 standards released.

VIP's strengths in combating identity theft and fraudulent transactions, according to Sclavos, are in its device flexibility and its simplistic approach to two-factor authentication with a multitude of online service providers and enterprises.

This week, VeriSign announced VIP will be integrated with the online payment service PayPal, online auction site eBay and Internet service provider Yahoo. The technology also will appear in devices by Motorola and SanDisk USB flash devices.

In addition, VeriSign plans to partner with Microsoft to integrate VIP with its InfoCard initiative announced Tuesday. InfoCard essentially is a new online authentication system being offered with Internet Explorer 7.0.

The point, Sclavos said repeatedly, is to provide more security in Web services and mobile devices without adding to consumers' burden through complexity.

"Stop dictating what your customers use and embrace what they are already carrying," he said.

Michael S. Rothman, president and principal analyst with Security Incite, tracks the identity management space and believes VeriSign might indeed succeed with its federated approach given its network's reach and the trust it has already branded into its SSL business.

"It seems right now there's no identity service provider that can compellingly provide a mechanism to share credentials among all different parties," he said. VIP, with its standards-based approach, "feels like something that has a chance."

Thompson also got in a few product plugs for his company, particularly its research lab's new Symantec Database and Audit Security that will monitor every database transaction. Along those lines, the CEO urged the industry to not wait for new laws or court battles to mandate better data protections.

"I don't think businesses should wait for regulators to tell them what to do. Instead, they should actively look for ways to protect personal or confidential data. From customer credit cards to medical records and company spreadsheets, databases hold the most critical information in the enterprise," he said.

If businesses don't act more proactively, online customers will turn to those that do take security and privacy seriously, perhaps in another country with stronger data protection laws.

Thompson echoed a familiar theme here that the only true way to restore consumer trust is through companies working collectively to better protect their networks and authenticate users.

That may also require some nudging from lawmakers.

"All of us in the IT industry and the business industry need to push for public policy to protect customers," he said. He called for one federal law that encompasses protection for all information, rather than the state-by-state piecemeal approach born out of a long series of database thefts in the past year.

"To me, an effective data breach law would include notification to all users," he said. "And very, very harsh punishments."

This article originally appeared on SearchSecurity.com
