RSA Keynoters push for ID federation, harsher laws

Top executives for two of the industry's biggest companies stressed working together to rebuild trust through open authentication standards and stiffer database breach laws.

SAN JOSE, Calif. -- Building on earlier appeals to shore up sagging consumer confidence, the CEOs of two prominent companies implored the industry not only to make security easy on e-commerce customers, but also to make it an imperative.

That means adopting widely used open standards that promote Web services federation and secure online transactions now constantly under threat.

"You can't convince consumers to have a different security model wherever they go," said VeriSign chairman and CEO Stratton Sclavos during Wednesday morning's keynote address at the RSA Conference.

For the first time, he noted, consumer confidence is down, with 42% of online shoppers in a recent nationwide survey admitting they are more nervous about Web attacks.

Immediately following Sclavos was a similar appeal to enterprises from Symantec chairman and CEO John W. Thompson to be more proactive in protecting consumer data. That includes pushing for federal legislation that covers all database security breaches and demands stiff penalties to restore trust.

"If we – as business leaders – want this digital economy to thrive, it is incumbent upon us to protect all aspects of it – from our enterprise infrastructures to the information created, transmitted and stored within it," Thompson said. "And, most importantly, we must protect the relationships, or digital interactions, that underpin this world."


Sclavos touted his company's new VeriSign Identity Protection (VIP) services, which use standards created by the Initiative for Open Authentication (OATH), founded two years ago at this conference. The consortium has grown to 60 corporate members and has released more than 15 standards.

VIP's strengths in combating identity theft and fraudulent transactions, according to Sclavos, are its device flexibility and its simple approach to two-factor authentication across a multitude of online service providers and enterprises.

This week, VeriSign announced that VIP will be integrated with the online payment service PayPal, the online auction site eBay and the Internet service provider Yahoo. The technology will also appear in Motorola devices and SanDisk USB flash drives.

In addition, VeriSign plans to partner with Microsoft to integrate VIP with its InfoCard initiative, announced Tuesday. InfoCard is essentially a new online authentication system being offered with Internet Explorer 7.0.

The point, Sclavos said repeatedly, is to provide more security in Web services and on mobile devices without adding to consumers' burden through complexity.

"Stop dictating what your customers use and embrace what they are already carrying," he said.

Michael S. Rothman, president and principal analyst with Security Incite, tracks the identity management space and believes VeriSign might indeed succeed with its federated approach given its network's reach and the trust it has already branded into its SSL business.

"It seems right now there's no identity service provider that can compellingly provide a mechanism to share credentials among all different parties," he said. VIP, with its standards-based approach, "feels like something that has a chance."

Thompson also got in a few product plugs for his company, particularly its research lab's new Symantec Database and Audit Security, which will monitor every database transaction. Along those lines, the CEO urged the industry not to wait for new laws or court battles to mandate better data protections.

"I don't think businesses should wait for regulators to tell them what to do. Instead, they should actively look for ways to protect personal or confidential data. From customer credit cards to medical records and company spreadsheets, databases hold the most critical information in the enterprise," he said.

If businesses don't act more proactively, online customers will turn to those that do take security and privacy seriously, perhaps in another country with stronger data protection laws.

Thompson echoed a familiar theme here that the only true way to restore consumer trust is through companies working collectively to better protect their networks and authenticate users.

That may also require some nudging from lawmakers.

"All of us in the IT industry and the business industry need to push for public policy to protect customers," he said. He called for one federal law that encompasses protection for all information, rather than the state-by-state piecemeal approach born of a long series of database thefts in the past year.

"To me, an effective data breach law would include notification to all users," he said. "And very, very harsh punishments."
