Security innovation - RSA

vantage 

Special 

INsIghts oN the busINess of securIty 

RSA 

Conference 

edition 

Security 

that enables 

innovation 

Aligning investments 

to accelerate 

business goals 

Volume 5 | Number 2 | 2008 

also inside 

RSA Conference ’08 — a closer look 

Information risk management 

Update on the US strategy 

to secure cyberspace

opening notes 

Risk: Fear or Embrace? 

Risk is one of those things we as security 

professionals are supposed to avoid at all 

costs. Some would argue that our whole raison 

d’être is to keep the business as far removed 

from risk as possible — and make sure that the 

companies we serve do not achieve infamy in 

the Wall Street Journal. 

Today’s business leaders know, 

however, that perhaps the greatest 

risk of all is to take no risks. In fact, 

when the Boston Consulting Group 

surveyed 940 senior executives 

around the world on this topic, they 

agreed that increasing top line revenues 

through innovation has become 

essential to success in their industry. 

Innovations such as outsourcing, offshoring, 

M&A, supply chain and new 

customer service models all require 

inherent degrees of risk that need to 

be evaluated, mapped and addressed 

ahead of time, lest those risks undermine 

the success of a program. 

Spurred by the number of threats 

we face today and the huge burden 

of regulatory requirements, the commonly 

held view is that the goals of 

security and risk management are in 

direct conflict with many of these critical 

initiatives, and, more generally, 

with moves to grow the business and 

enhance the ability to compete. Innovation, 

in particular, is at risk from 

— well, risk. 

But there is another side to this: 

Where risk lies there also lies opportunity. 

Forward-looking CEOs, CIOs 

and CISOs with an eye on first-mover 

advantage in the market are seeking 

the means to safely embrace risk, to 

run with it, to tap it to full advantage. 

Security can provide that means. 

When risk is managed and mitigated 

Vol. 5, No. 1, 2008 RSA, The Security Division of EMC Vantage Magazine 

correctly, it becomes a unique enabler 

for innovation and other, dynamic 

new business behaviors. Starting on 

page 8, you can read more about our 

evolving understanding of information 

risk and RSA/EMC’s strategy for 

transforming information security 

from a business inhibitor to a force 

that accelerates innovation. 

In addition, you will find the following 

articles in this RSA Conference 

issue of Vantage: 

• A look at RSA Conference 2008 

and the must-see events at the show. 

• Five years after the National 

Strategy for Securing Cyber Space was 

created, we review security issues in 

the context of an election year. 

• A look at how Germany’s innovative 

quirin bank is implementing 

strong security for its customers. 

Sincerely, 

Arthur W. Coviello, Jr. 

President — RSA, 

The Security Division of EMC 

vantage 

program team 

RSA Editor 

PAUL JOYAL 

Contributing Editors 

MATT BUCKLEY 

BriTTA GLAdE 

editorial team 

Managing Editors 

ChrisTinE KAnE 

AndrEA E. sTiLL 

Design Director 

rOnn CAMPisi 

Contributing Writers 

sArAh JEnsEn 

ChrisTinE KAnE 

nAnCY LAnGMEYEr 

JAsOn M. rUBin 

Editorial content for Vantage 

is developed and managed by: 

Libretto 

560 Harrison Avenue, Suite 501 

Boston, MA 02118 

617.451.5113 

www.libretto-inc.com 

©2008 RSA Security Inc. 

All Rights Reserved 

RSA, SecurID, Key Manager and File Security 

Manager are either registered trademarks or 

trademarks of RSA Security Inc. in the United 

States and/or other countries. EMC is a registered 

trademark of EMC Corporation. All other 

products or services mentioned are trademarks 

of their respective companies. 

To subscribe to Vantage magazine, 

please go to 

www.rsa.com/go/vantage 

Postmaster: If undeliverable, notify 

RSA Marketing, 174 Middlesex Turnpike, 

Mail Stop 32A080, Bedford, MA 01730 

www.rsa.com 

Cover illustration by Marc Rosenthal

in this issue 

F E A T U R E S 

4 rsA ® Conference 2008 

A preview of the security industry’s premier 

event, including “5 hot tickets.” 

8 From brakes to breakthroughs 

Information security is evolving from its 

purely defensive role to the more strategic 

role of enabling innovation and growth. 

1 Banking on security 

Europe’s quirin bank deploys RSA 

SecurID® protection to ensure a high level 

of security for online banking. 

14 information risk management 

RSA offers a holistic approach to security 

based on the well-established discipline of 

risk management. 

18 Progress report on cybersecurity 

Five years after the release of the 

National Strategy to Secure Cyberspace, 

two experts weigh in on progress to date. 

D E P A R T M E N T S 

Opening notes 

By Art Coviello, Jr. 

6 Partner Profile 

The close, three-way partnership of RSA, 

EMC and Cisco is a win-win-win for their 

joint customers. 

inside rsA Labs 

Wouldn’t it be nice if you could securely 

log on to your PC as easily as you unlock 

your car door? WARP technology offers 

one possible approach. 

coming up 

EMC World, the ultimate forum for 

EMC customers, partners and industry 

watchers, will take place MAY 19– in 

LAs VEGAs. Attendees will have access 

to EMC’s portfolio of solutions and 

services. This year’s event will feature 

rsA ® Xchange, where technical end 

users can learn from RSA product 

experts and engineering teams. For 

more information and to register, 

visit www.emcworld2008.com. For 

information on RSA Xchange, visit 

www.rsaxchange.com. 

8 

5 

22 

18 

12 

6 

RSA, The Security Division of EMC Vantage Magazine Vol. 5, No. 1, 2008

at a glance april 7-11, san francisco 

rsa® conference 2008 

Entertaining, educational and thought-provoking, the 

annual RSA ® Conference is the place to learn about new 

information security trends and technologies, hear the 

experts debate hot topics and controversial issues, and 

connect or reconnect with colleagues. Whether you 

are attending or not, you can be part of the Conference 

experience – live or via the Web – even after it’s all over. 

For attendees, 

5 hot tickets 

There’s so much to see, hear and 

do at the RSA Conference, it’s wise 

to plan ahead. Here are five 

can’t-miss events. 

ThE ArT OF sECUriTY: rsA Presi- 

1 dent Art Coviello will kick off the 

event by discussing the role of security 

in business innovation. Be there 

Tuesday at 8 a.m. sharp! 

2 

PUT This in YOUr PdA: On 

Wednesday, Jeff hawkins — 

co-founder of Palm and handspring 

— will discuss his research on human 

intelligence and plans for developing 

machines with smarts. 

3 

dOn’T BLinK! or you might miss 

Thursday’s talk by Malcolm 

Gladwell, best-selling author of Blink: 

The Power of Thinking Without Thinking 

and The Tipping Point: How Little 

Things Make a Big Difference. 

4 

sECUriTY sMACKdOWn: Face off 

against other attendees as you 

test your knowledge and hunt for website 

vulnerabilities. 

5 

BEhOLd ThE BLOGErATi: The 

security Bloggers Meet-Up is by 

invitation only, with more than 60 

bloggers expected to participate. For 

everyone else, there will be live podcasting, 

video streaming and Twitter 

feeds from the event. 

4 Vol. 5, No. 1, 2008 RSA, The Security Division of EMC Vantage Magazine 

Keynote Speaker 

ART COVIELLO 

rsA President 

As hE hAs in past years, Art Coviello will kick off the Conference with a 

keynote presentation. Asked to set the stage for his keynote, Art shared 

this thought: 

“When information security is viewed merely as a defensive strategy, 

it becomes a barrier to innovation. The key to enabling innovation is to 

become innovative about mitigating risk. As security leaders, we need 

to develop overarching and holistic security strategies that align with 

business goals and appropriately balance risk and reward. It’s a strategy 

that Burton refers to as risk optimization and it requires a change in 

mindset and behavior. During my keynote I’ll share the recommendations 

of 10 Fortune 500 CISOs on how to build information security programs 

that enable business innovation.” 

CAN’T ATTEND THE RSA CONFERENCE? 

Stay up to date on 

industry news, product 

launches, keynote 

addresses and panel 

discussions. Visit 

www.rsaconference. 

com/2008/US/home.aspx 

for live blogs, webcasts 

and podcasts of the 

April event, as well as 

rebroadcasts from past 

gatherings.

Sandra Toms LaPedis 

Area Vice President & General 

Manager, RSA Conference 

Noting that conference planners 

strive to “raise the bar” on the 

conference experience every year, 

LaPedis discussed key changes 

that will be reflected in this year’s 

event. 

“The RSA Conference content 

is ever expanding — reflecting attendee 

diversity and the expansive 

nature of the issues attendees are 

tackling. We’ve added a new class 

track, called Research Revealed, 

covering recent cutting—edge research 

on security vulnerabilities. 

We expanded the number of highly 

technical and in-depth sessions. 

And we continue to embrace Web 

2.0 tools on www.rsaconference. 

com to create a year-round resource 

and make content more 

accessible — not just for attendees 

but the whole industry.” 

emily nathan 

jen siska 

Keynote Speaker 

JIM BIDZOS 

Chairman of the Board, 

Verisign 

in 1999, Time 

magazine named 

Jim Bidzos to the 

“Digital 500,” citing 

his role in spurring 

adoption of public 

key cryptography. 

As a leadup to his 

keynote, Bidzos 

offered these 

thoughts to Vantage. 

“I’m often 

asked how it is 

that Internet use 

continues to grow 

so fast despite even 

faster-growing 

vulnerabilities 

— security breaches, 

stolen data, identity 

theft, online fraud 

and more. The 

short answer is 

that online security 

is ‘good enough’ 

— adequate for the 

risk represented 

by the value of 

the transactions. 

Consider credit 

cards — there is 

certainly theft and 

fraud. But various 

security measures — 

added over time to 

address new threats 

— kept losses at an 

acceptable level. 

Computer and 

online security seem 

to be following a 

similar path: The 

operating systems 

and browsers 

get new security 

features, patches 

and updates, often 

in response to some 

recently discovered 

or exploited 

vulnerability. 

We’ve long 

been saying 

that this cycle 

of vulnerability 

exploitation and 

patch will never 

really end, and 

everything we’ve 

seen to date only 

reinforces this 

belief. And the 

complexity of all 

those patches adds 

more vulnerabilities. 

But what if 

the patch efforts 

fall behind? What 

happens when 

“good enough” just 

isn’t good enough 

anymore? One could 

argue that identity 

theft is on the 

verge of becoming 

the manifestation 

of this risk; many 

will be surprised 

to learn that in 

2006, most identity 

theft was enabled 

by non-Internet 

data collection. 

Online exploitation 

on a grand scale 

might cause 

an exponential 

increase in what is 

already one of the 

fastest-growing 

consumer threats in 

the U.S. 

It will take a new 

way of thinking 

about security, and 

new offerings that 

can isolate and close 

off broad categories 

of threat, so that 

“good enough” is 

still good enough 

when the stakes go 

up. 

We have some 

ideas, and we’re 

doing more than 

just thinking about 

them.” 


When Bob Gleichauf thinks about the partnership 

among Cisco 

Systems, EMC and 

RSA, the Security 

Division of EMC, 

and how this 

triumvirate can 

serve their mutual 

customers, he says 

in his relaxed, 

humorous manner, 

“The propeller 

on my head starts 

to whirl.” 

Gleichauf, CTO of Enterprise Services 

and Security at Cisco Systems, 

adds, “As companies with great complementary 

technologies, we work together 

in exciting ways to provide collaborative 

solutions that help our customers with 

their end-to-end security challenges.” 

Gleichauf describes this threepronged 

partnership as trusted vendors 

working together to provide a number of 

security solutions from storage, through 

the servers, into the data center cloud, 

and then across the campus. “EMC is a 

great partner for storage and security 

encryption products and Cisco has a 

range of products crossing the enterprise, 

from the server to data in transit to 

firewalls and e-mail application-level security,” 

says Gleichauf. “RSA has a ‘bestof-breed’ 

offering in the identity access 

and key management space that fits well 

with Cisco’s own market-leading VPN, 

storage encryption, NAC and TrustSec 

offerings.” 

Add in the data loss prevention that 

RSA brings to the table with the acquisition 

of Tablus and the rich security and 

policy enforcement capabilities in Cisco’s 

Security Agent product, says Gleichauf, 

and it’s a huge win for customers. 

RSA’s CTO, Bret Hartman, agrees, 

adding that there is a natural synergy 

among the three companies. “It’s all 

about securing data at rest and in motion 

and that’s where our core competencies 

are,” says Hartman. “Very few other 

vendors can address enterprise security 

requirements like we can.” 

6 Vol. 5, No. 1, 2008 

By Nancy Langmeyer 

partner profile 

The power of three 

When Cisco, EMC and RSA join together, 

it’s win-win-win for customers

BOB GLEICHAUF cautions 

customers against trying to meet 

compliance regulations on their 

own, noting that attempts in one 

area may unintentionally create 

problems in another. 

Photograph by Mark Ostow 

A nEW APPrOACh TO sECUriTY 

According to Gleichauf, the business 

drivers for security are changing and 

that means the way Cisco, EMC and RSA 

work together is changing as well. “For 

the longest time, businesses focused on 

threat defense, meaning keeping the bad 

stuff, like worms and viruses, out,” he 

says. “Today, our industry has evolved to 

information protection, where keeping 

good things in is as important.” 

As preferred vendors in the security 

industry, Cisco, EMC and RSA are 

perfectly aligned to help customers 

protect their information, Gleichauf 

says. “When we combine Cisco’s 

policy enforcement and infrastructure 

controls with RSA’s identity and access 

management tools (identifying who you 

are, where you can and can’t go, and what 

you can access) and EMC’s storage tools, 

the result is one of the strongest, most 

viable information protection solutions 

available today.” 

Hartman explains, “It’s all about 

protecting the information directly, 

whether it’s at rest or traveling across 

the network.” Hartman cites a recent 

example where Cisco and RSA teamed 

to provide encryption for data-at-rest 

through the integration of Cisco’s Storage 

Media Encryption with the RSA Key 

Manager solution, a joint venture that 

Hartman says “is a way of helping protect 

data wherever it lives.” 

ThE ChALLEnGE OF COMPLiAnCE 

Gleichauf and Hartman feel the partnership 

is particularly strong when helping 

customers with regulatory compliance, 

one of today’s biggest security drivers. 

“Businesses recognize that security poses 

a systems problem, especially in relation 

to compliance,” says Gleichauf. “They’re 

trying to figure out how to allow visibility 

while at the same time keep data secure 

from prying eyes and comply with a wide 

variety of regulations.” 

Hartman adds that compliance is never 

going to be addressed by a single product. 

“It’s got to be a system-wide solution, 

addressed end-to-end,” he says. 

The issues become obvious once an 

auditor comes in, because a business 

is either compliant — or it’s not. “We 

absolutely understand the audit problems 

that arise from regulations such as 

Sarbanes-Oxley and HIPAA,” says 

Gleichauf. “We can help in an operational 

way that is workable for the customer.” 

Workable solutions may come from 

products and services already in the 

portfolios of these three vendors, or via 

a joint solution, such as the one Cisco 

and RSA recently developed for the retail 

sector. Cisco integrated several RSA 

products, including RSA Key Manager 

and RSA File Security Manager, in its 

Validated Network Designs to help retailers 

meet the Payment Card Industry Data 

Security Standard and simplify the protection 

of sensitive information. 

dOn’T GO iT ALOnE 

Gleichauf cautions customers about trying 

to meet compliance regulations on 

their own. “Bret and I often see customers 

attempt to meet regulatory requirements 

in one business area and then unintentionally 

create problems in another,” 

he says, adding that Cisco, EMC and RSA 

can help customers avoid such accidents. 

“Sometimes it’s as simple as asking 

the customer to gather the people from 

their data center, network, server, applications 

and security together in one 

meeting,” says Gleichauf. “They start exchanging 

business cards because they’ve 

never met.” By virtue of Cisco, EMC and 

RSA coming in and and asking questions 

about how things work end-to-end, suddenly 

they look at one another and understand. 

“Each of these constituencies 

most likely is responsible for different 

compliance needs,” says Hartman. 

“When we get the key players together, 

we help them boil the requirements 

down to common elements that can be 

solved one time.” The result, he says, is 

a much more productive, cost-effective 

and collaborative engagement. 

A Win-Win-Win 

“As vendors committed to working 

together,” says Gleichauf, “Cisco, 

EMC and RSA continually strive to 

understand our customers’ problems 

and align our products and services in a 

way that results in holistic end-to-end 

solutions.” Hartman adds, “It’s about 

listening to customers and connecting 

the dots — when we do that, it’s a win for 

everyone.” i 


Transforming the role of information 

security in business innovation 

By Kathleen Bowden 

cover story 

brakes to 

breakthroughs 

As a broader definition of 

business innovation takes 

hold in the executive 

suite, the longstanding 

friction between 

information security and 

business innovation has 

become an increasing 

liability. Within this 

landscape, security teams 

are working hard to 

transform security from 

a potential innovation 

barrier to a recognized 

innovation enabler. 

And the world’s most 

forward-looking security 

leaders see themselves as 

partners in the business 

innovation process 

who anticipate where 

their organizations are 

headed, and deliver 

security strategies that 

accelerate the journey. 


From

sECUriTY 

is BEinG 

TrAnsFOrMEd 

FrOM An 

innOVATiOn 

BArriEr TO An 

innOVATiOn 

EnABLEr. 

nAViGATinG ThE innOVATiOn GrAY ZOnE 

While few people would argue that 

innovation is a critical core competency 

of any 21st-century company, many would 

vigorously debate the true meaning of 

innovation. As Scott Berkun, author of 

the 2007 book The Myths of Innovation 

notes, “What’s interesting is that nobody 

seems to agree on an exact definition of 

innovation.” 

Given the importance of innovation 

to most companies, it’s striking that 

its definition still morphs dramatically 

depending on who is describing it. 

In spite of this undeniable gray 

area, in recent years, a broader and 

more consistent definition of business 

innovation has emerged in the executive 

suite. It is clear that more and more 

companies are viewing innovation as an 

enterprise strategy that positions them to 

enter new markets, launch new products 

or services, create new business models, 

establish new channels and partnerships 

or achieve operational transformation. 

ThE BUsinEss innOVATiOn BUCK 

sTOPs AT ThE TOP 

Industry research shows that more 

than ever, innovation is a top leadership 

concern. Increasingly, CEOs see 

themselves as owning innovation in 

their companies, and believe they must 

innovate to compete. 

In IBM’s 2006 innovation study, many 

of the 765 CEOs queried described a 

persistent push toward a more expansive 

view of innovation — a greater mix 

of innovation types, more external 

involvement and extensive demands on 

CEOs to bring it to fruition. Similarly, 

940 senior executives from around the 

world told the Boston Consulting Group 

(BCG) that increasing top-line revenues 

through innovation has become essential 

to success in their industry. The same 

BCG survey showed that more than half 

the execs were dissatisfied with the 

financial returns on their investments 

in innovation. And as more executives 

Illustrations by Marc Rosenthal 

look for ways to improve their innovation 

returns, information security is an 

escalating area of concern. 

sECUriTY And innOVATiOn: 

A TrOUBLEd rELATiOnshiP 

Unfortunately, in many organizations, 

the security function is still viewed as 

a necessary evil. In part this is because 

security teams are so committed to 

mitigating risk; their efforts often seem 

to constrain business-building behavior 

rather than encourage it. Too often, 

security practitioners are perceived as the 

people who say, “Nice idea, but it can’t be 

done.” 

Although well-intentioned, many 

information security teams are not seen 

as innovation enablers, but as innovation 

obstacles. 

The truth is that corporate leaders 

are not looking for the best security 

solution — they are looking for the best 

business solution. And because they are 

under increasing pressure to generate 

breakthrough innovations, executives 

are increasingly frustrated when their 

security teams don’t seem to “get it.” 

While this conflict has been simmering 

under the surface for many years, in many 

corporations it has reached a boiling 

point. Why now? In short, this friction is 

increasing because security now directly 

impacts the success or failure of many top 

business innovation drivers including: 

1 

OUTsOUrCinG/OFFshOrinG: In 

growing numbers, businesses are 

turning to low-cost sourcing and 

talent models to innovate how they deliver 

their services. This means that every day, 

more organizations need to securely share 

their intellectual property, technologies 

and infrastructure with third-party partners 

around the globe. 

2 

sUPPLY-ChAin innOVATiOn: The 

trend towards mass customization 

requires a more flexible, modern, 

global supply chain than ever before. Cor- 

RSA, The Security Division of EMC Vantage Magazine Vol. 5, No. 1, 2008 9

cover story 

porate efforts to drive supply chain innovation are 

generating demand for equivalent innovations in 

supply-chain security. 

3 

nEW JOinT VEnTUrEs, MErGErs & ACqUisi- 

TiOns: Businesses continue to strive to bring 

new business models, lines of business and 

skill sets to the table through the aggressive pursuit 

of joint ventures, mergers and acquisitions. To 

achieve success, these ventures require security 

strategies that maximize organizational synergies 

and mitigate risks. 

4 

CUsTOMEr sELF-sErViCE MOdELs: Capable of 

simultaneously reducing costs while increasing 

customer satisfaction, self-service models 

allow customers to drive their own transactions and 

A conversation about innovation 

Members of the Security for Business Innovation Council 

will take part in an ongoing dialogue about the role of information 

security vs. IT security in driving business growth. 

Anish BhiMAni Managing 

Director, IT Risk Management, 

JP Morgan Chase 

BiLL BOni Corporate Vice 

President and Corporate 

Information Security Officer, 

Motorola 

dAVE CULLinAnE Vice 

President and Chief 

Information Security Officer 

rOLAnd CLOUTiEr Vice 

President, Chief Security 

Officer, EMC Corporation 

dr. PAUL dOrEY Enterprise 

Security & Continuity 

Vice President and Chief 


BP 

rEnEE GUTTMAnn Vice 

President, Information 

Security and Privacy Officer, 

Time Warner Inc. 

dAVid KEnT Vice President, 

Security, Genzyme 

dr. CLAUdiA nATAnsOn 

Chief Information Security 

Officer, Diageo 

CrAiG shUMArd Chief 


Cigna Corporation 

AndrEAs WUChnEr Head IT 

Risk Management, Security & 

Compliance, Novartis 


manage their own personal information via the Web. 

Successfully capitalizing on this powerful business 

strategy requires implicit customer trust, which is 

dependent upon a company’s information security 

performance. 

5 

WEB-BAsEd COLLABOrATiOn: In today’s global 

economy, companies need their worldwide 

internal employees and external partners 

to participate in their business with greater ease, 

frequency and depth than ever before. This means 

companies are continually adding external resources 

to their internal business systems, and determining 

who to trust and how far to open the door. 

6 

OPEn innOVATiOn: In the past, companies 

cooked up their innovations in an airtight 

laboratory and moved them into production 

when they were fully baked. Needless to say, those 

days are long gone. Innovation in a global marketplace 

requires unstructured, multi-disciplined, 

multi-organizational collaboration. 

7 

WOrKFOrCE MOBiLiTY: In spite of the security 

risks, the benefits of ubiquitous connectivity, 

continuous communications and mobile 

access have made workforce mobility a corporate 

priority. 

It’s clear that each of these key business 

innovation levers must be supported by a 

progressive security strategy. As a result, senior 

executives are beginning to realize that information 

security is absolutely critical to how effectively their 

companies innovate and compete — today and for 

years to come. 

A siGniFiCAnT BUsinEss COsT 

There’s no doubt that the dysfunctional relationship 

between security and innovation is taking a 

significant business toll. In some cases, security 

concerns are preventing the realization of important 

business goals. In the worst scenarios, business 

results fall short of what is achievable because 

security worries hold companies back. 

On the other end of the spectrum, ignoring 

security concerns can produce very bad 

risk decisions. Under the pressure of urgent 

requirements and ever-diminishing budgets, the 

business sometimes fails to engage the security team

WiTh ThE 

riGhT 

sECUriTY 

in PLACE, 

innOVATiOn 

CAn BLOOM 

And 

FLOUrish. 

or fund the necessary security. Business owners go 

to market, quietly assuming the business risk and 

hoping nothing happens on their watch. 

These decisions have a range of negative 

repercussions. They may result in unsatisfactory 

audit results after a “go live.” Security and 

compliance may need to be “bolted on” after the 

fact, adding enormous cost and complexity to the 

project. And of course, there is the ultimate risk to 

corporate reputation. No CEO wants to see their 

company’s name in the headlines because customer 

data was compromised and shareholder value was 

lost. 

FindinG A BETTEr WAY 

So where do we go from here? Today’s security leaders 

agree that companies that innovate with security 

in mind will avoid stalled innovation processes and 

poor innovation outcomes. 

The 2006 Ernst & Young report “Achieving 

Success in a Globalized World” 1 notes: “Our 

experience tells us that when companies involve 

information security early and substantially in 

acquiring or divesting assets, and in other business 

initiatives, they dramatically reduce the risks and 

tangibly enhance the benefits of strategic changes.” 

It seems a simple enough mission: Make security 

an essential component of the innovation process. 

But, making this happen will require the removal of 

longstanding roadblocks, and answers to complex 

questions including: 

• How do you convince business managers 

to engage the security team at the start of the 

innovation process? 

• What are the best metrics to show how an action 

in security impacts the business’s bottom line? 

• How can security leaders inspire their teams to 

shift away from saying “I’m afraid the answer is no” 

and toward “This is how”? 

• How can security teams simplify how they 

communicate with business owners and how they 

assess security risks? 

• What is the best way to learn about innovative 

business initiatives on the horizon and proactively 

create security strategies that will remove business 

inhibitors and accelerate desired outcomes? 

At RSA, we believe security can be transformed 

from a “necessary evil” that stifles innovation, to a 

1 Source: www.ey.com/Global/download.nsf/International/TSRS_-_GISS_ 

2006/$file/EY_GISS2006.pdf 

business strategy that accelerates it. 

We realize we are not alone in our thinking, and 

that joining forces with like-minded security leaders 

will allow us to drive a more rapid and meaningful 

change. With this goal in mind, RSA has convened 

a team of accomplished security leaders to explore 

security’s role in business innovation and identify 

ways to move the industry forward. 

RSA is conducting a series of in-depth interviews 

with the members of the Security for Business 

Innovation Council, and as the sponsor of this 

industry conversation, will publish a number of 

reports based on these discussions. We look forward 

to releasing the first of these reports at the April 

2008 RSA Conference. 

In his RSA conference keynote speech, “The Role 

of Security in Business Innovation: From Villain to 

Hero,” RSA president and CEO Art Coviello will 

share findings from the first Security for Business 

Innovation Council report, and reveal the results of 

a new IDC research study on this important topic. In 

the meantime, to learn more about the relationship 

between security and business innovation, please 

visit the RSA Business Innovation website at www. 

rsa.com/innovation/. i 


case study 

Redefining banking, redefining security 

Avant-garde German financier Karl 

Matthäus Schmidt deviated from European 

banking standards when he chose a 

customer-centric approach for his asset 

management firm. Schmidt also broke the 

norms when it came to online banking 

security, as he chose RSA SecurID® 

two-factor authentication over the 

widely accepted PIN/TAN system 

used throughout Europe. 


For a revolutionary European bank with high 

standards, traditional online security systems 

just weren’t enough. By NaNcy LaNgmeyer

Schmidt first made a name for 

himself when he founded the 

Consors discount brokerage 

firm at age 25, took it public 

five years later in 1999, and 

then sold it to BNP Paribas 

two years after that for half 

a billion euros (US$725 

million). 

Schmidt then founded the 

Berlin-based quirin bank, a 

specialized asset management 

firm for institutional and 

private investors, which he 

took public in October 2006. 

In March 2007, the German 

business publication, Manager 

Magazin, ranked the quirin 

bank second behind the 

venerable Deutsche Bank 

for the performance of its 

investments. 

An UnCOMMOn APPrOACh 

TO BAnKinG 

Today quirin bank manages 

assets of €690 million 

(US$1 billion) and, as CEO, 

Schmidt has a philosophy 

quite unlike any other in 

Germany: The bank only 

makes money if its customers 

do. The compensation of 

the bank’s financial advisors 

depends solely on the value 

added to their customers’ 

investments. Their customers 

— ranging from small clients 

with modest investments to 

wealthy individuals with large 

portfolios — pay a flat rate 

asset management fee, with 

commissions or markups from 

their investments credited 

to their accounts. With 

JKArL MATThäUs sChMidT 

founded the ground-breaking 

quirin bank, ranked 

second behind Deutsche Bank 

for asset performance. 

Illustration by James Yang 

an interest in growing the 

customers’ assets, Schmidt’s 

simple yet revolutionary 

concept is working. 

An UnCOMMOn APPrOACh 

TO sECUriTY 

When quirin bank decided 

to offer online banking 

capabilities in the spring of 

2007, Schmidt decided once 

again to be unconventional 

and raise the bar for online 

security. For Schmidt, the 

PIN/TAN system used by 

most German banks was not 

good enough for his bank. The 

PIN/TAN system is prone 

to complacency; personal 

identification numbers are 

often written down, and lists 

of one-time-use transaction 

authorization numbers are 

sent to customers only to be 

lost or misplaced. Schmidt 

and his colleagues also looked 

at high-end customized 

security systems, but found 

them too cumbersome and 

complicated. 

BALAnCinG EAsE OF UsE And 

“WATErTiGhT” sECUriTY 

The bank wanted a solution 

that provided both ease of 

use and, as the president of 

banking operations, Stefan 

Spannagl notes, “watertight” 

security. 

The bank also wanted 

a solution that would be 

cost-effective, easy to install 

and maintain and quickly 

implemented. Another 

requirement was a solution 

that was future-proof, 

scalable, and able to meet 

the bank’s aggressive growth 

plans. 

ITREXS, a banking 

software and services 

provider whose modular 

portfolio management 

AsTEFAn sPAnnAGL 

president of banking operations, 

notes that RSA SecurID 

combines advanced technology 

with ease of use. 

solution is installed at 

quirin bank, came up 

with an effective solution: 

RSA SecurID® two-factor 

authentication. ITREXS, 

an RSA partner which has 

integrated RSA solutions with 

other banking and portfolio 

management customers, 

assured quirin bank that 

integrating an RSA two-factor 

authentication token with 

the bank’s existing customer 

front end and their ITREXS 

solution could be done easily 

and quickly. 

MEETinG ThE BAnK’s 

hiGh sTAndArds 

After testing two-factor 

authentication, quirin bank 

was quickly convinced. 

In mid-2007, ITREXS 

customized RSA SecurID, 

tailoring it to quirin bank’s 

exact requirements, including 

a SecurID key fob token 

branded with the bank’s 

logo. ITREXS installed and 

implemented RSA SecurID 

with minimal disruption of 

the bank’s operations during 

deployment. 

With RSA two-factor 

authentication, quirin bank 

customers now can log into 

their accounts using a known 

entity — their PIN number 

— combined with the onetime 

token code generated 

by their quirin bank key fob. 

This provides the high level 

of security that Schmidt was 

looking for. 

RSA SecurID has been 

fully integrated with the 

bank’s Web portal for all 

the bank’s customers and 

staff, with overwhelmingly 

positive feedback. “Not only 

is RSA SecurID significantly 

safer than conventional PIN/ 

TANs,” says Spannagl, “it also 

combines the most advanced 

technology use with ease of 

use.” 

Schmidt sees the solution 

as adding value to the bank’s 

image. “The quirin bank 

offers its customers secure, 

innovative online banking,” he 

says. “With RSA two-factor 

authentication, our customers 

can conduct their bank 

business flexibly and securely 

— and with confidence.” 

PrEPArinG FOr GrOWTh 

In the future, quirin bank 

plans to offer business 

process outsourcing services. 

The users of these services 

— typically other banks and 

financial institutions wishing 

to outsource part or all of 

their business processes 

— will also be using RSA 

SecurID. In addition, the 

bank anticipates growing its 

regular customer base from 

the current level in 

the low thousands to more 

than 10,000 by 2010, and 

is quite confident that RSA 

SecurID will grow with 

them. i 


solutions 

RSA’s strategy for 

information risk management 

Taking a holistic, risk-based 

approach to IT security 

By Christine Kane 

After years of viewing information security as a defensive 

strategy, designed to prevent bad things from happening, 

enterprises are starting to demand more from their 

security investments. They recognize that security can 

also contribute to an organization’s success by helping 

drive key business initiatives, such as accelerating 

innovation and collaboration and reducing compliance 

costs. (See “From Brakes to Breakthroughs”, page 8.) 

But before this transformation 

can take hold, says RSA’s Steve 

Preston, organizations must surmount 

the shortcomings of today’s 

fragmented approaches to security. 

“Most organizations are in a reactive 

mode when it comes to security 

threats and industry regulations, 

and they struggle to manage security 

with point solutions.” says Preston, 

senior director, Solutions Marketing, 

RSA. “The problem with 

this ‘silo’ approach is that good 

efforts in one area can be quickly 

nullified by failures in another.” 

Preston offers the example of a 

bank that has effectively deployed 

technology to protect its online 

banking portal from fraud only to 

have a privileged user copy confidential 

customer data to an unsecured 

laptop which is eventually 

stolen. The loss has to be disclosed, 

and the customer trust that has 

been gained with anti-fraud technology 

is completely undone by a 

lack of policy enforcement in the 

back office. Preston likens this situation 

to the carnival game Whaca-Mole. 

“You hammer the problem 

down over here and it pops up 

again over there. IT needs to engage 

the business in a way that not only 

puts security into relevant business 

context but also helps IT prioritize 

where to invest in security.” 

AdVOCATinG A nEW APPrOACh 

Faced with these realities, industry 

watchers and thinkers have called 

for a more holistic approach to information 

security and compliance, 

one that is based on the established 

discipline of risk management. 

In the study “Information Risk 

Management in Financial Services,” 

TowerGroup Senior Analyst Rodney 

Nelsestuen writes: “Practicing 

a holistic approach to security 

and information risk assures that 

business information contributes to 

achieving marketplace and business 

goals. … Policy, practices, and 

technologies that provide a defense 

for information also can support 

the business’s offensive strategy.” 

EnLiGhTEnMEnT sTArTs hErE 

Making the transition from today’s 

“silo security” represents a significant 

shift for organizations, says 

Bob Blakely of the Burton Group. 

14 Vol. 5, No. 1, 2008 RSA, The Security Division of EMC Vantage Magazine

Illustration by Greg Mably 

“There is a process of enlightenment 

that organizations need to go 

through to effectively manage any 

kind of risk, including information 

risk,” says Blakely. “This process 

starts with understanding that 

risks have to be consciously managed 

and processes have to be put 

in place to assess an organization’s 

risk appetite, current risks and vulnerability. 

You then need to design 

controls that mitigate risk within 

one’s appetite. And you have to 

assess the effectiveness of those 

controls to be sure you’re operating 

within your tolerance while also 

achieving regulatory compliance. 

“The finance industry — and, 

to a lesser extent, the healthcare 

and energy industries — are the 

first industries to have reached this 

point of enlightenment,” he says. 

“With the rollout of its Information 

Risk Management strategy, RSA is 

helping organizations evolve to this 

stage of awareness and put in compensating 

controls using tools such 

as data loss prevention, encryption 

and authentication.” 

ThrEE COrE PrinCiPLEs 

Introduced last fall for the financial 

services industry and now being offered 

to other industries, RSA’s Information 

Risk Management strategy 

provides an end-to-end, holistic 

approach for protecting a business’s 

most critical information assets. 

(See sidebar, “RSA’s Comprehensive 

Approach.”) 

“There are three pillars to our 

strategy,” says Preston. “The first is 

RSA’s information-centric approach 

to security, where you begin by 

understanding what information is 

critical to key business initiatives, 

such as growth through acquisitions 

or expanding partnerships. 

Then you diligently ‘follow the data’ 

to gain a more holistic view of all 

the places where it exists across the 

organization, where the points of 

vulnerability are, and what events 

“Many people think risk 

management is about 

risk minimization, and 

it’s not. It’s about risk 

optimization. There are 

some risks you want 

to take because the 

payoff is so great; the 

challenge is to mitigate 

your risk to a tolerable 

level. A good risk 

management program 

allows you to take risks 

that your competitors 

can’t.” 

BoB BLakLey 

aNaLyst, BurtoN group 

could put your business at risk.” 

This is a very complex task. Data 

resides in many places, it’s mobile, 

it’s constantly being transformed, 

and it’s at the center of collaborative 

processes. “Tools for data 

discovery and classification are a 

critical part of our solution because 

they make our strategy actionable,” 

says Preston, explaining that the 

tools provide a basis for applying 

policy consistently across the universe 

of corporate information. 

PriOriTiZinG inVEsTMEnTs 

The second core concept behind 

RSA’s strategy is the idea that 

security investments should be 

prioritized, based on the amount 

of risk a given activity entails 

relative to the potential business 

reward, and in keeping with the 

organization’s appetite for risk. In 

this context, risk is defined as the 

likelihood an event will occur and 

the consequences if it does. 

“The first thing a lot of people 

want to talk about is tape encryption,” 

says Preston. “In other words, 

many companies are putting locks 


solutions 

on doors that almost no one is walking 

through. This results in over-scoping and 

misaligned investment in security. What 

organizations need to do is enable their 

highest priority business initiatives by 

protecting the information that is most 

valuable at the points where it is most 

vulnerable.” 

Many analysts agree, including Blakley. 

“Many people think risk management 

is about risk minimization, and it isn’t,” 

he says. “It’s about risk optimization. 

There are some risks you want to take because 

the payoff is so great; the challenge 

is to mitigate your risk to a tolerable 

level. A good risk management program 

allows you to take risks that your competitors 

can’t.” 

EnsUrinG rEPEATABiLiTY 

Once enterprise information has been 

located and a risk assessment performed, 

the next step is to implement controls 

— including policies, technologies, and 

tools — to mitigate that risk. Here, repeatability 

and reuse of security controls 

is central to RSA’s strategy. 

“You get repeatability from using 

rsA’s COMPrEhEnsiVE APPrOACh 


BrYAn PALMA of EDS says 

that many enterprises 

are ready to embrace 

information risk management. 

common, standards-based frameworks 

and best practices,” says Preston. 

“Frameworks like ISO 27002 and the 

PCI Data Security Standard let you build 

to the gold standard, get you 80 to 95 

percent of the way toward building your 

controls, and help eliminate unnecessary 

RSA brings together all the components an organization needs to plan and implement an 

Information Risk Management strategy. The five main aspects to RSA’s approach include: 

1 A GlobAl Risk FRAmewoRk Security is aligned with key business initiatives. For critical 

data, a risk assessment provides a holistic view of risk across lines of business and operations. 

Policy is developed based on best practices. 

offerings include: Risk Assessment Services, Policy Review and Development, Security 

Assessments. 

2 inFoRmAtion ClAssiFiCAtion And disCoveRy Information is classified so appropriate 

policies and protections can be systematically applied. Data and application discovery tools 

are used to locate all instances of sensitive information across the enterprise. 

offerings include: Information Classification, Information and Application Discovery. 

3 ContRols on PeoPle Policy is automatically enforced by implementing controls such 

as authentication and access management that enable users to securely access enterprise 

resources and perform transactions while balancing risk, cost and convenience. Controls are 

based on standard frameworks, such as ISO 27002 and PCIDSS, enabling repeatability. 

offerings include: Credentials Management and Credentials, Authentication, Access 

Management, and Integrated Intelligence (transaction monitoring and adaptive authentication). 

4 ContRols on dAtA Automated controls are implemented to protect structured and unstructured 

data, whether it is in use, in motion or at rest on endpoints, networks and servers. 

offerings include: Data Loss Prevention, Encryption and Key Management, Information 

Rights Management. 

5 RePoRtinG, Audit And ComPliAnCe Compliance with security regulations and policies is 

validated by auditing controls and documenting their effectiveness. 

offerings include: Event Management, Compliance Reporting. 

or redundant controls.” 

Preston says his group 

has been systematically 

documenting how RSA and 

EMC products map to key 

frameworks so customers 

can be apprised of built-in 

controls that are already 

compliant. 

Gartner Group has 

pointed out that the number 

of security controls 

an organization deploys 

is a good proxy for the 

complexity and cost of its 

compliance program. Some 

companies using a risk-oriented 

approach to compliance 

report that they have 

eliminated 30 to 70 percent 

of their controls, which 

contributes to lower costs, reduced complexity 

and improved reliability. 

TAKinG sTOCK OF rsA’s sTrATEGY 

Are people ready to embrace security as 

a business accelerator? “I’d say roughly 

20 percent of enterprises already ‘get it’,” 

says Bryan Palma, vice president, Global 

Information Security for EDS, which 

partners closely with EMC/RSA on many 

outsourcing and systems integration 

opportunities. “Another 60 percent are 

ready for that message but are not fully 

on board, and the remaining 20 percent 

are still back in the mindset that security 

is an inhibitor.” 

Palma believes that RSA is well positioned 

to help companies move to the 

next stage of understanding and enablement. 

“On the tactical side, RSA has 

strengths that align with where the market 

is heading. These strengths include 

their expertise around data security, their 

focus on application security from an 

encryption standpoint, and their work 

in identity assurance and credentialing 

— both in consumer and enterprise markets. 

These are real differentiators. 

“On the strategic side, RSA has 

benefited from being acquired by EMC, 

in terms of how well they work with 

enterprise customers, how they understand 

the business side of security, and 

their openness to partnering with 

integrators, service providers and technology 

vendors.” i 

Photograph by Charles Ford 

C 

M 

Y 

CM 

MY 

CY 

CMY 

K

© © 2008 2008 Juniper Juniper Networks Networks 

>> Got the trinket & trash blues? Stop seeing red, just visit with Juniper Networks. We’ll show you how 

Juniper’s purpose-built, high-performance IP platforms support all services and applications at scale — 

and how Juniper helps service providers, enterprises and governments excel in the most demanding 

network environments, with a proven portfolio of networking, security and application acceleration 

solutions. The switch is on to Juniper Networks: www.juniper.net 

Visit us at booth #1541. 

1 . 8 8 8 . J U N I P E R

government update 

“We’re worried 

about the 

survival of 

our economy 

because 

of cyber 

vulnerabilities. 

We know the 

electrical 

generating 

system in the 

United States is 

at risk, and the 

economy can’t 

survive without 

electricity.” 

ALAn PALLEr 

the SANS 

Institute 

18 

By Sarah Jensen 

A 

progress 

report 

on 

cybersecurity

Five years after the release of the National Strategy to 

Secure Cyberspace, the threat of cyber attack remains real, 

but today we better understand who the attackers are and 

what we must do to thwart them. Nationally recognized 

information security experts assess our progress to date, 

actions that remain to be taken and the challenges the next 

president of the United States faces in this area. >> 

“The 

presidential 

hopefuls all 

have some 

very sharp 

cybersecurity 

advisors, so I 

believe they’ll 

be in a position 

to take action 

when they get 

into office, no 

matter which 

becomes 

president.” 

JAMEs LEWis 

Center for 

Strategic and 

International 

Studies 


government update 

computer systems. In its 

first implementation, at the 

U.S. Air Force, FDCC cut 

patch time from 57 days to 

72 hours and reduced costs 

by $100 million. By February 

4, all federal agencies were 

required to implement 

FDCC, which standardizes 

the configuration of 

approximately 300 settings 

on Windows XP and Vista 

computers. 

ThE EinsTEin PrOGrAM 

A traditionally voluntary 

program, Einstein has since 

2004 kept watch on federal 

agencies’ networks for the 

presence of computer worms 

and other unwanted traffic, 

correlating cross-agency 

security incidents. Already, 

Einstein sensors have 

identified malicious packets 

indicating Department of 

Agriculture systems had been 

penetrated and infected, 

allowing swift elimination of 

the infection. 

One problem Einstein 

targets is spear phishing, an 

e-mail spoofing fraud that 

seeks unauthorized access to 

an organization’s confidential 

data. “Spear phishers are 

already inside and they 

burrow deep,” says Paller. 

“The National Cyber Initiative 

will watch traffic at such a 

high fidelity with so much 

analysis that there’s a chance 

those burrowing worms will 

get flagged.” 

Other recent guidance 

by the government includes 

the President’s Strategic 

Plan for Combating Identity 

Theft, released in April 2007. 

Led by the Federal Trade 

Commission and the Justice 

Department, the plan focuses 

on educating the public to 

be cautious about divulging 

personal information and 

altering the way businesses 

obtain that information. In 

the corporate sector, the 

Payment Card Industry Data 

Security Standard requires 

merchants, banks and other 

members of the payment card 

industry to protect consumer 

data by implementing security 

best practices and proven 

tools such as firewalls, data 

encryption and access control. 

A nEW COMMissiOn 

LOOKs AhEAd 

In response to last summer’s 

outbreak of cyber attacks, 

CSIS brought together 

security experts to create the 

Commission on Cybersecurity 

for the 44th Presidency, 

a strategy and set of 

recommendations for the next 

administration to utilize in its 

effort to secure cyberspace. 

Intended as an update of 

the National Strategy, the 

Commission focuses on 

actions the next president 

should take in his or her first 

year in office. “To its credit, 

this administration has made 

inroads in cybersecurity, but 

the next president will have to 

do even more,” says Lewis. 

“The current campaign initiative 

illustrates that 

cybersecurity is not something 

we can ignore anymore,” 

he continues. “The presidential 

hopefuls all have some 

very sharp cybersecurity advisors, 

so I believe they’ll be in 

a position to take action when 

they get into office, no matter 

which becomes president.” 

A sAFE CYBErFUTUrE 

A 2007 Consumer Reports 

study found that one in 

four users faces a chance 

of becoming a cyberfraud 

victim, and that 17 percent 

of respondents had no 

antivirus software installed. 

In the absence of federal 

mandates requiring vendors 

to include high-level security 

in every system, vendors 

must be encouraged to do 

so voluntarily. “The most 

important thing we must do 

is provide incentives for 

vendors to bake security 

into the system,” says Paller. 

“We need software that is 

configured securely when 

we buy it. We don’t want to 

buy it and then have to worry 

about whether we’re secure 

enough.” 

Shannon Kellogg, director 

of Information Security 

Policy in EMC’s Office of 

Government Relations 

and a member of the CSIS 

Cyber Security Commission 

for the 44th Presidency, 

agrees that vendors should 

be building more security 

into their products. “When 

you compare where the IT 

industry was in 2003 when 

the National Strategy came 

out to where we are today, it’s 

really night and day,” Kellogg 

says. “Platform companies 

like EMC have invested 

substantial resources in 

building in more security and 

setting up software assurance 

processes based on effective 

best practices.” In fact, to 

advance these types of efforts 

throughout the industry, EMC 

joined forces with Microsoft 

and other leading IT vendors 

to found SAFECode (www. 

safecode.org) in 2007. 

nEXT UP: rEEnGinEErinG 

ThE inTErnET? 

Even so, Paller and Lewis 

agree, such defenses are not 

enough. 

“We’re going to have 

to actually reengineer 

the Internet,” says Paller. 

“Eventually, there will be 

two Internets. Right now, 

no one knows who you are 

on the Internet. You can 

sell pornography, you can 

make anonymous political 

statements, you can attack 

other people.” 

The future configuration, 

he suggests, will be a 

cyberspace made up of an 

open Internet and a second 

Internet where every person’s 

and every computer’s identity 

is known. “If you’re a bank, 

you want to know someone 

“We must provide incentives for vendors to bake 

security into the system.We need software that 

is configured securely when we buy it.” 

claiming to be your customer 

really is your customer,” he 

says. Such a configuration 

would require substantial 

changes to every router on 

the Internet and cost in the 

billions of dollars. 

“But we’re in an arms 

race,” Paller stresses. “Nation 

states will spend anything 

to control other nations’ 

computers, anything. You can 

never completely solve the 

problem, so we’ve got a lot of 

work to do just to keep up. But 

long term, I am hopeful.” 

Lewis shares Paller’s 

optimism. “We have a very 

inventive set of opponents,” 

he admits. “We recognize 

our vulnerabilities and 

have developed operable 

initiatives. What we’re doing 

now goes beyond the National 

Strategy.” i 


sa labs 

Getting into 

your Pc at 

WarP speed 

inside 

When RSA SecurID meets Wi-Fi 

By JasoN m. ruBiN 

ChAnCEs ArE YOU pushed 

a button on your key fob this 

morning and the doors of your 

car immediately unlocked. 

An ordinary act, to be sure, 

and yet fairly extraordinary as 

well. After all, why isn’t it that 

quick and easy to get into your 

computer? 

Such was the inspiration 

Vol. 5, No. 1, 2008 RSA, The Security Division of EMC Vantage Magazine 

for the Wireless Authentication 

Research Project 

(WARP). According to RSA 

Labs Consulting Technologist 

John Brainard, “The goal 

of WARP was to develop a 

solution that would enable a 

user to quickly yet securely 

log on to his or her computer 

without typing. This would 

eliminate input errors and 

make it easier to access network 

resources while on the 

phone or otherwise manually 

engaged.” 

Think of it as an RSA SecurID 

token with a Wi-Fi antenna 

attached. The original 

prototype, about the size of 

a cigarette case, was a plastic 

box containing three AAA 

batteries, an antenna, and an 

entire Linux computer in a 

board smaller than a stick of 

chewing gum. 

Though effective, the unit 

was rather clunky and less 

convenient to carry than a 

regular SecurID token. Furthermore, 

the box had limited 

functionality. “We knew we 

could do a lot more if we 

had an electronic interface,” 

Brainard says. “For example, 

if there was a screen where 

you could see a message or a 

file, you could use the unit as 

a smart card and confirm and 

electronically sign transactions 

or decrypt documents.” 

qUiCK, CLEAn, And 

COnVEniEnT 

The solution RSA Labs 

hit upon — to implement 

WARP functionality in software 

within a smart phone 

— worked on a number of levels. 

First, it utilized powerful, 

existing technology. And, if it 

wasn’t much smaller, at least 

it was something users would 

be sure to keep on hand. 

“With a phone you have 

something people will use and 

keep with them,” says Brainard. 

“It’s also a good native 

environment for Wi-Fi. We 

could have used Bluetooth, 

but it’s not as well supported 

in PCs.” 

Since PCs are only open 

to one Wi-Fi channel at a 

time, the WARP unit identifies 

itself as a network access 

point so it can be used anytime. 

Because it never actually 

connects to a network 

and no hardware needs to be 

installed on the user’s PC, the 

unit and its embedded token 

code can be used on any computer. 

Currently, there are four 

main applications for the 

WARP device: 

• UnLOCK A PC WiTh PUsh- 

BUTTOn EAsE. This would be 

particularly useful in medical 

settings, where as many as 

15 doctors may share a single 

computer and need to quickly 

and securely access patient 

and other information, or 

digitally sign orders. 

• EAsY WEBsiTE LOGOn. Users 

can access their retail or 

online bank accounts quickly. 

They may need to manually 

enter a PIN if two-factor authentication 

is used. 

• ACCEss EnCrYPTEd FiLEs. 

Users can create a separate 

volume on their hard drive 

for sensitive files they have 

encrypted. The WARP unit 

would enable them to access 

this volume. 

• rECEiVE TrAnsACTiOn VEri- 

FiCATiOn rEqUEsTs. Before 

a transaction is completed, 

users can receive an SMS 

message on the smart phone 

asking them to verify the 

terms and contents of the 

transaction. 

“By demonstrating WARP 

at the RSA Conference, we 

hope to generate customer 

interest,” says Brainard. “If we 

can, then we’ll work to further 

refine the technology and 

perhaps it will be productized 

someday.” i 

Illustration by Stuart Bradford

In a flat world, 

information risk is global. 

Now more than ever, information is the centerpiece of innovation that gives your business a competitive edge. RSA, the 

Security Division of EMC, and Wipro have developed a powerful alliance that simplifies the adoption of information risk 

management practices in complex enterprise environments. Let RSA’s information-centric solutions become your accelerator 

into the global marketplace, and let Wipro cut costs without cutting corners. Learn more at www.rsa.com and www.wipro.com. 

Information discovery & classification 

Security information and event management 

Visit Wipro at the 

RSA Conference, Booth 1717 

RSA 

Secure identities and access 

Data security 

WIPRO 

Strong security consulting; global clientele implementation experience 

Cost-effective SOC solutions through a proven global delivery model 

In-depth skills in RSA products; a dedicated Center of Excellence for RSA technology 

Integrated solutions for FFIEC, ISO and PCI compliance 

©2008 RSA Security Inc. All rights reserved. RSA and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. Wipro is a trademark of Wipro Ltd.

�� 

�� 

�� 

�� 

�� 

�� 

� �� 

� �� 

�� 

� �� 

�� 

�� 

�� 

�� 

��

Security innovation - RSA

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?