Security innovation - RSA
Security innovation - RSA
Security innovation - RSA
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
vantage<br />
Special<br />
INsIghts oN the busINess of securIty<br />
<strong>RSA</strong><br />
Conference<br />
edition<br />
<strong>Security</strong><br />
that enables<br />
<strong>innovation</strong><br />
Aligning investments<br />
to accelerate<br />
business goals<br />
Volume 5 | Number 2 | 2008<br />
also inside<br />
<strong>RSA</strong> Conference ’08 — a closer look<br />
Information risk management<br />
Update on the US strategy<br />
to secure cyberspace
opening notes<br />
Risk: Fear or Embrace?<br />
Risk is one of those things we as security<br />
professionals are supposed to avoid at all<br />
costs. Some would argue that our whole raison<br />
d’être is to keep the business as far removed<br />
from risk as possible — and make sure that the<br />
companies we serve do not achieve infamy in<br />
the Wall Street Journal.<br />
Today’s business leaders know,<br />
however, that perhaps the greatest<br />
risk of all is to take no risks. In fact,<br />
when the Boston Consulting Group<br />
surveyed 940 senior executives<br />
around the world on this topic, they<br />
agreed that increasing top line revenues<br />
through <strong>innovation</strong> has become<br />
essential to success in their industry.<br />
Innovations such as outsourcing, offshoring,<br />
M&A, supply chain and new<br />
customer service models all require<br />
inherent degrees of risk that need to<br />
be evaluated, mapped and addressed<br />
ahead of time, lest those risks undermine<br />
the success of a program.<br />
Spurred by the number of threats<br />
we face today and the huge burden<br />
of regulatory requirements, the commonly<br />
held view is that the goals of<br />
security and risk management are in<br />
direct conflict with many of these critical<br />
initiatives, and, more generally,<br />
with moves to grow the business and<br />
enhance the ability to compete. Innovation,<br />
in particular, is at risk from<br />
— well, risk.<br />
But there is another side to this:<br />
Where risk lies there also lies opportunity.<br />
Forward-looking CEOs, CIOs<br />
and CISOs with an eye on first-mover<br />
advantage in the market are seeking<br />
the means to safely embrace risk, to<br />
run with it, to tap it to full advantage.<br />
<strong>Security</strong> can provide that means.<br />
When risk is managed and mitigated<br />
Vol. 5, No. 1, 2008 <strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine<br />
correctly, it becomes a unique enabler<br />
for <strong>innovation</strong> and other, dynamic<br />
new business behaviors. Starting on<br />
page 8, you can read more about our<br />
evolving understanding of information<br />
risk and <strong>RSA</strong>/EMC’s strategy for<br />
transforming information security<br />
from a business inhibitor to a force<br />
that accelerates <strong>innovation</strong>.<br />
In addition, you will find the following<br />
articles in this <strong>RSA</strong> Conference<br />
issue of Vantage:<br />
• A look at <strong>RSA</strong> Conference 2008<br />
and the must-see events at the show.<br />
• Five years after the National<br />
Strategy for Securing Cyber Space was<br />
created, we review security issues in<br />
the context of an election year.<br />
• A look at how Germany’s innovative<br />
quirin bank is implementing<br />
strong security for its customers.<br />
Sincerely,<br />
Arthur W. Coviello, Jr.<br />
President — <strong>RSA</strong>,<br />
The <strong>Security</strong> Division of EMC<br />
vantage<br />
program team<br />
<strong>RSA</strong> Editor<br />
PAUL JOYAL<br />
Contributing Editors<br />
MATT BUCKLEY<br />
BriTTA GLAdE<br />
editorial team<br />
Managing Editors<br />
ChrisTinE KAnE<br />
AndrEA E. sTiLL<br />
Design Director<br />
rOnn CAMPisi<br />
Contributing Writers<br />
sArAh JEnsEn<br />
ChrisTinE KAnE<br />
nAnCY LAnGMEYEr<br />
JAsOn M. rUBin<br />
Editorial content for Vantage<br />
is developed and managed by:<br />
Libretto<br />
560 Harrison Avenue, Suite 501<br />
Boston, MA 02118<br />
617.451.5113<br />
www.libretto-inc.com<br />
©2008 <strong>RSA</strong> <strong>Security</strong> Inc.<br />
All Rights Reserved<br />
<strong>RSA</strong>, SecurID, Key Manager and File <strong>Security</strong><br />
Manager are either registered trademarks or<br />
trademarks of <strong>RSA</strong> <strong>Security</strong> Inc. in the United<br />
States and/or other countries. EMC is a registered<br />
trademark of EMC Corporation. All other<br />
products or services mentioned are trademarks<br />
of their respective companies.<br />
To subscribe to Vantage magazine,<br />
please go to<br />
www.rsa.com/go/vantage<br />
Postmaster: If undeliverable, notify<br />
<strong>RSA</strong> Marketing, 174 Middlesex Turnpike,<br />
Mail Stop 32A080, Bedford, MA 01730<br />
www.rsa.com<br />
Cover illustration by Marc Rosenthal
in this issue<br />
F E A T U R E S<br />
4 rsA ® Conference 2008<br />
A preview of the security industry’s premier<br />
event, including “5 hot tickets.”<br />
8 From brakes to breakthroughs<br />
Information security is evolving from its<br />
purely defensive role to the more strategic<br />
role of enabling <strong>innovation</strong> and growth.<br />
1 Banking on security<br />
Europe’s quirin bank deploys <strong>RSA</strong><br />
SecurID® protection to ensure a high level<br />
of security for online banking.<br />
14 information risk management<br />
<strong>RSA</strong> offers a holistic approach to security<br />
based on the well-established discipline of<br />
risk management.<br />
18 Progress report on cybersecurity<br />
Five years after the release of the<br />
National Strategy to Secure Cyberspace,<br />
two experts weigh in on progress to date.<br />
D E P A R T M E N T S<br />
Opening notes<br />
By Art Coviello, Jr.<br />
6 Partner Profile<br />
The close, three-way partnership of <strong>RSA</strong>,<br />
EMC and Cisco is a win-win-win for their<br />
joint customers.<br />
inside rsA Labs<br />
Wouldn’t it be nice if you could securely<br />
log on to your PC as easily as you unlock<br />
your car door? WARP technology offers<br />
one possible approach.<br />
coming up<br />
EMC World, the ultimate forum for<br />
EMC customers, partners and industry<br />
watchers, will take place MAY 19– in<br />
LAs VEGAs. Attendees will have access<br />
to EMC’s portfolio of solutions and<br />
services. This year’s event will feature<br />
rsA ® Xchange, where technical end<br />
users can learn from <strong>RSA</strong> product<br />
experts and engineering teams. For<br />
more information and to register,<br />
visit www.emcworld2008.com. For<br />
information on <strong>RSA</strong> Xchange, visit<br />
www.rsaxchange.com.<br />
8<br />
5<br />
22<br />
18<br />
12<br />
6<br />
<strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine Vol. 5, No. 1, 2008
at a glance april 7-11, san francisco<br />
rsa® conference 2008<br />
Entertaining, educational and thought-provoking, the<br />
annual <strong>RSA</strong> ® Conference is the place to learn about new<br />
information security trends and technologies, hear the<br />
experts debate hot topics and controversial issues, and<br />
connect or reconnect with colleagues. Whether you<br />
are attending or not, you can be part of the Conference<br />
experience – live or via the Web – even after it’s all over.<br />
For attendees,<br />
5 hot tickets<br />
There’s so much to see, hear and<br />
do at the <strong>RSA</strong> Conference, it’s wise<br />
to plan ahead. Here are five<br />
can’t-miss events.<br />
ThE ArT OF sECUriTY: rsA Presi-<br />
1 dent Art Coviello will kick off the<br />
event by discussing the role of security<br />
in business <strong>innovation</strong>. Be there<br />
Tuesday at 8 a.m. sharp!<br />
2<br />
PUT This in YOUr PdA: On<br />
Wednesday, Jeff hawkins —<br />
co-founder of Palm and handspring<br />
— will discuss his research on human<br />
intelligence and plans for developing<br />
machines with smarts.<br />
3<br />
dOn’T BLinK! or you might miss<br />
Thursday’s talk by Malcolm<br />
Gladwell, best-selling author of Blink:<br />
The Power of Thinking Without Thinking<br />
and The Tipping Point: How Little<br />
Things Make a Big Difference.<br />
4<br />
sECUriTY sMACKdOWn: Face off<br />
against other attendees as you<br />
test your knowledge and hunt for website<br />
vulnerabilities.<br />
5<br />
BEhOLd ThE BLOGErATi: The<br />
security Bloggers Meet-Up is by<br />
invitation only, with more than 60<br />
bloggers expected to participate. For<br />
everyone else, there will be live podcasting,<br />
video streaming and Twitter<br />
feeds from the event.<br />
4 Vol. 5, No. 1, 2008 <strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine<br />
Keynote Speaker<br />
ART COVIELLO<br />
rsA President<br />
As hE hAs in past years, Art Coviello will kick off the Conference with a<br />
keynote presentation. Asked to set the stage for his keynote, Art shared<br />
this thought:<br />
“When information security is viewed merely as a defensive strategy,<br />
it becomes a barrier to <strong>innovation</strong>. The key to enabling <strong>innovation</strong> is to<br />
become innovative about mitigating risk. As security leaders, we need<br />
to develop overarching and holistic security strategies that align with<br />
business goals and appropriately balance risk and reward. It’s a strategy<br />
that Burton refers to as risk optimization and it requires a change in<br />
mindset and behavior. During my keynote I’ll share the recommendations<br />
of 10 Fortune 500 CISOs on how to build information security programs<br />
that enable business <strong>innovation</strong>.”<br />
CAN’T ATTEND THE <strong>RSA</strong> CONFERENCE?<br />
Stay up to date on<br />
industry news, product<br />
launches, keynote<br />
addresses and panel<br />
discussions. Visit<br />
www.rsaconference.<br />
com/2008/US/home.aspx<br />
for live blogs, webcasts<br />
and podcasts of the<br />
April event, as well as<br />
rebroadcasts from past<br />
gatherings.
Sandra Toms LaPedis<br />
Area Vice President & General<br />
Manager, <strong>RSA</strong> Conference<br />
Noting that conference planners<br />
strive to “raise the bar” on the<br />
conference experience every year,<br />
LaPedis discussed key changes<br />
that will be reflected in this year’s<br />
event.<br />
“The <strong>RSA</strong> Conference content<br />
is ever expanding — reflecting attendee<br />
diversity and the expansive<br />
nature of the issues attendees are<br />
tackling. We’ve added a new class<br />
track, called Research Revealed,<br />
covering recent cutting—edge research<br />
on security vulnerabilities.<br />
We expanded the number of highly<br />
technical and in-depth sessions.<br />
And we continue to embrace Web<br />
2.0 tools on www.rsaconference.<br />
com to create a year-round resource<br />
and make content more<br />
accessible — not just for attendees<br />
but the whole industry.”<br />
emily nathan<br />
jen siska<br />
Keynote Speaker<br />
JIM BIDZOS<br />
Chairman of the Board,<br />
Verisign<br />
in 1999, Time<br />
magazine named<br />
Jim Bidzos to the<br />
“Digital 500,” citing<br />
his role in spurring<br />
adoption of public<br />
key cryptography.<br />
As a leadup to his<br />
keynote, Bidzos<br />
offered these<br />
thoughts to Vantage.<br />
“I’m often<br />
asked how it is<br />
that Internet use<br />
continues to grow<br />
so fast despite even<br />
faster-growing<br />
vulnerabilities<br />
— security breaches,<br />
stolen data, identity<br />
theft, online fraud<br />
and more. The<br />
short answer is<br />
that online security<br />
is ‘good enough’<br />
— adequate for the<br />
risk represented<br />
by the value of<br />
the transactions.<br />
Consider credit<br />
cards — there is<br />
certainly theft and<br />
fraud. But various<br />
security measures —<br />
added over time to<br />
address new threats<br />
— kept losses at an<br />
acceptable level.<br />
Computer and<br />
online security seem<br />
to be following a<br />
similar path: The<br />
operating systems<br />
and browsers<br />
get new security<br />
features, patches<br />
and updates, often<br />
in response to some<br />
recently discovered<br />
or exploited<br />
vulnerability.<br />
We’ve long<br />
been saying<br />
that this cycle<br />
of vulnerability<br />
exploitation and<br />
patch will never<br />
really end, and<br />
everything we’ve<br />
seen to date only<br />
reinforces this<br />
belief. And the<br />
complexity of all<br />
those patches adds<br />
more vulnerabilities.<br />
But what if<br />
the patch efforts<br />
fall behind? What<br />
happens when<br />
“good enough” just<br />
isn’t good enough<br />
anymore? One could<br />
argue that identity<br />
theft is on the<br />
verge of becoming<br />
the manifestation<br />
of this risk; many<br />
will be surprised<br />
to learn that in<br />
2006, most identity<br />
theft was enabled<br />
by non-Internet<br />
data collection.<br />
Online exploitation<br />
on a grand scale<br />
might cause<br />
an exponential<br />
increase in what is<br />
already one of the<br />
fastest-growing<br />
consumer threats in<br />
the U.S.<br />
It will take a new<br />
way of thinking<br />
about security, and<br />
new offerings that<br />
can isolate and close<br />
off broad categories<br />
of threat, so that<br />
“good enough” is<br />
still good enough<br />
when the stakes go<br />
up.<br />
We have some<br />
ideas, and we’re<br />
doing more than<br />
just thinking about<br />
them.”<br />
<strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine Vol. 5, No. 1, 2008
When Bob Gleichauf thinks about the partnership<br />
among Cisco<br />
Systems, EMC and<br />
<strong>RSA</strong>, the <strong>Security</strong><br />
Division of EMC,<br />
and how this<br />
triumvirate can<br />
serve their mutual<br />
customers, he says<br />
in his relaxed,<br />
humorous manner,<br />
“The propeller<br />
on my head starts<br />
to whirl.”<br />
Gleichauf, CTO of Enterprise Services<br />
and <strong>Security</strong> at Cisco Systems,<br />
adds, “As companies with great complementary<br />
technologies, we work together<br />
in exciting ways to provide collaborative<br />
solutions that help our customers with<br />
their end-to-end security challenges.”<br />
Gleichauf describes this threepronged<br />
partnership as trusted vendors<br />
working together to provide a number of<br />
security solutions from storage, through<br />
the servers, into the data center cloud,<br />
and then across the campus. “EMC is a<br />
great partner for storage and security<br />
encryption products and Cisco has a<br />
range of products crossing the enterprise,<br />
from the server to data in transit to<br />
firewalls and e-mail application-level security,”<br />
says Gleichauf. “<strong>RSA</strong> has a ‘bestof-breed’<br />
offering in the identity access<br />
and key management space that fits well<br />
with Cisco’s own market-leading VPN,<br />
storage encryption, NAC and TrustSec<br />
offerings.”<br />
Add in the data loss prevention that<br />
<strong>RSA</strong> brings to the table with the acquisition<br />
of Tablus and the rich security and<br />
policy enforcement capabilities in Cisco’s<br />
<strong>Security</strong> Agent product, says Gleichauf,<br />
and it’s a huge win for customers.<br />
<strong>RSA</strong>’s CTO, Bret Hartman, agrees,<br />
adding that there is a natural synergy<br />
among the three companies. “It’s all<br />
about securing data at rest and in motion<br />
and that’s where our core competencies<br />
are,” says Hartman. “Very few other<br />
vendors can address enterprise security<br />
requirements like we can.”<br />
6 Vol. 5, No. 1, 2008<br />
By Nancy Langmeyer<br />
partner profile<br />
The power of three<br />
When Cisco, EMC and <strong>RSA</strong> join together,<br />
it’s win-win-win for customers
BOB GLEICHAUF cautions<br />
customers against trying to meet<br />
compliance regulations on their<br />
own, noting that attempts in one<br />
area may unintentionally create<br />
problems in another.<br />
Photograph by Mark Ostow<br />
A nEW APPrOACh TO sECUriTY<br />
According to Gleichauf, the business<br />
drivers for security are changing and<br />
that means the way Cisco, EMC and <strong>RSA</strong><br />
work together is changing as well. “For<br />
the longest time, businesses focused on<br />
threat defense, meaning keeping the bad<br />
stuff, like worms and viruses, out,” he<br />
says. “Today, our industry has evolved to<br />
information protection, where keeping<br />
good things in is as important.”<br />
As preferred vendors in the security<br />
industry, Cisco, EMC and <strong>RSA</strong> are<br />
perfectly aligned to help customers<br />
protect their information, Gleichauf<br />
says. “When we combine Cisco’s<br />
policy enforcement and infrastructure<br />
controls with <strong>RSA</strong>’s identity and access<br />
management tools (identifying who you<br />
are, where you can and can’t go, and what<br />
you can access) and EMC’s storage tools,<br />
the result is one of the strongest, most<br />
viable information protection solutions<br />
available today.”<br />
Hartman explains, “It’s all about<br />
protecting the information directly,<br />
whether it’s at rest or traveling across<br />
the network.” Hartman cites a recent<br />
example where Cisco and <strong>RSA</strong> teamed<br />
to provide encryption for data-at-rest<br />
through the integration of Cisco’s Storage<br />
Media Encryption with the <strong>RSA</strong> Key<br />
Manager solution, a joint venture that<br />
Hartman says “is a way of helping protect<br />
data wherever it lives.”<br />
ThE ChALLEnGE OF COMPLiAnCE<br />
Gleichauf and Hartman feel the partnership<br />
is particularly strong when helping<br />
customers with regulatory compliance,<br />
one of today’s biggest security drivers.<br />
“Businesses recognize that security poses<br />
a systems problem, especially in relation<br />
to compliance,” says Gleichauf. “They’re<br />
trying to figure out how to allow visibility<br />
while at the same time keep data secure<br />
from prying eyes and comply with a wide<br />
variety of regulations.”<br />
Hartman adds that compliance is never<br />
going to be addressed by a single product.<br />
“It’s got to be a system-wide solution,<br />
addressed end-to-end,” he says.<br />
The issues become obvious once an<br />
auditor comes in, because a business<br />
is either compliant — or it’s not. “We<br />
absolutely understand the audit problems<br />
that arise from regulations such as<br />
Sarbanes-Oxley and HIPAA,” says<br />
Gleichauf. “We can help in an operational<br />
way that is workable for the customer.”<br />
Workable solutions may come from<br />
products and services already in the<br />
portfolios of these three vendors, or via<br />
a joint solution, such as the one Cisco<br />
and <strong>RSA</strong> recently developed for the retail<br />
sector. Cisco integrated several <strong>RSA</strong><br />
products, including <strong>RSA</strong> Key Manager<br />
and <strong>RSA</strong> File <strong>Security</strong> Manager, in its<br />
Validated Network Designs to help retailers<br />
meet the Payment Card Industry Data<br />
<strong>Security</strong> Standard and simplify the protection<br />
of sensitive information.<br />
dOn’T GO iT ALOnE<br />
Gleichauf cautions customers about trying<br />
to meet compliance regulations on<br />
their own. “Bret and I often see customers<br />
attempt to meet regulatory requirements<br />
in one business area and then unintentionally<br />
create problems in another,”<br />
he says, adding that Cisco, EMC and <strong>RSA</strong><br />
can help customers avoid such accidents.<br />
“Sometimes it’s as simple as asking<br />
the customer to gather the people from<br />
their data center, network, server, applications<br />
and security together in one<br />
meeting,” says Gleichauf. “They start exchanging<br />
business cards because they’ve<br />
never met.” By virtue of Cisco, EMC and<br />
<strong>RSA</strong> coming in and and asking questions<br />
about how things work end-to-end, suddenly<br />
they look at one another and understand.<br />
“Each of these constituencies<br />
most likely is responsible for different<br />
compliance needs,” says Hartman.<br />
“When we get the key players together,<br />
we help them boil the requirements<br />
down to common elements that can be<br />
solved one time.” The result, he says, is<br />
a much more productive, cost-effective<br />
and collaborative engagement.<br />
A Win-Win-Win<br />
“As vendors committed to working<br />
together,” says Gleichauf, “Cisco,<br />
EMC and <strong>RSA</strong> continually strive to<br />
understand our customers’ problems<br />
and align our products and services in a<br />
way that results in holistic end-to-end<br />
solutions.” Hartman adds, “It’s about<br />
listening to customers and connecting<br />
the dots — when we do that, it’s a win for<br />
everyone.” i<br />
<strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine Vol. 5, No. 1, 2008
Transforming the role of information<br />
security in business <strong>innovation</strong><br />
By Kathleen Bowden<br />
cover story<br />
brakes to<br />
breakthroughs<br />
As a broader definition of<br />
business <strong>innovation</strong> takes<br />
hold in the executive<br />
suite, the longstanding<br />
friction between<br />
information security and<br />
business <strong>innovation</strong> has<br />
become an increasing<br />
liability. Within this<br />
landscape, security teams<br />
are working hard to<br />
transform security from<br />
a potential <strong>innovation</strong><br />
barrier to a recognized<br />
<strong>innovation</strong> enabler.<br />
And the world’s most<br />
forward-looking security<br />
leaders see themselves as<br />
partners in the business<br />
<strong>innovation</strong> process<br />
who anticipate where<br />
their organizations are<br />
headed, and deliver<br />
security strategies that<br />
accelerate the journey.<br />
8 Vol. 5, No. 1, 2008 <strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine<br />
From
sECUriTY<br />
is BEinG<br />
TrAnsFOrMEd<br />
FrOM An<br />
innOVATiOn<br />
BArriEr TO An<br />
innOVATiOn<br />
EnABLEr.<br />
nAViGATinG ThE innOVATiOn GrAY ZOnE<br />
While few people would argue that<br />
<strong>innovation</strong> is a critical core competency<br />
of any 21st-century company, many would<br />
vigorously debate the true meaning of<br />
<strong>innovation</strong>. As Scott Berkun, author of<br />
the 2007 book The Myths of Innovation<br />
notes, “What’s interesting is that nobody<br />
seems to agree on an exact definition of<br />
<strong>innovation</strong>.”<br />
Given the importance of <strong>innovation</strong><br />
to most companies, it’s striking that<br />
its definition still morphs dramatically<br />
depending on who is describing it.<br />
In spite of this undeniable gray<br />
area, in recent years, a broader and<br />
more consistent definition of business<br />
<strong>innovation</strong> has emerged in the executive<br />
suite. It is clear that more and more<br />
companies are viewing <strong>innovation</strong> as an<br />
enterprise strategy that positions them to<br />
enter new markets, launch new products<br />
or services, create new business models,<br />
establish new channels and partnerships<br />
or achieve operational transformation.<br />
ThE BUsinEss innOVATiOn BUCK<br />
sTOPs AT ThE TOP<br />
Industry research shows that more<br />
than ever, <strong>innovation</strong> is a top leadership<br />
concern. Increasingly, CEOs see<br />
themselves as owning <strong>innovation</strong> in<br />
their companies, and believe they must<br />
innovate to compete.<br />
In IBM’s 2006 <strong>innovation</strong> study, many<br />
of the 765 CEOs queried described a<br />
persistent push toward a more expansive<br />
view of <strong>innovation</strong> — a greater mix<br />
of <strong>innovation</strong> types, more external<br />
involvement and extensive demands on<br />
CEOs to bring it to fruition. Similarly,<br />
940 senior executives from around the<br />
world told the Boston Consulting Group<br />
(BCG) that increasing top-line revenues<br />
through <strong>innovation</strong> has become essential<br />
to success in their industry. The same<br />
BCG survey showed that more than half<br />
the execs were dissatisfied with the<br />
financial returns on their investments<br />
in <strong>innovation</strong>. And as more executives<br />
Illustrations by Marc Rosenthal<br />
look for ways to improve their <strong>innovation</strong><br />
returns, information security is an<br />
escalating area of concern.<br />
sECUriTY And innOVATiOn:<br />
A TrOUBLEd rELATiOnshiP<br />
Unfortunately, in many organizations,<br />
the security function is still viewed as<br />
a necessary evil. In part this is because<br />
security teams are so committed to<br />
mitigating risk; their efforts often seem<br />
to constrain business-building behavior<br />
rather than encourage it. Too often,<br />
security practitioners are perceived as the<br />
people who say, “Nice idea, but it can’t be<br />
done.”<br />
Although well-intentioned, many<br />
information security teams are not seen<br />
as <strong>innovation</strong> enablers, but as <strong>innovation</strong><br />
obstacles.<br />
The truth is that corporate leaders<br />
are not looking for the best security<br />
solution — they are looking for the best<br />
business solution. And because they are<br />
under increasing pressure to generate<br />
breakthrough <strong>innovation</strong>s, executives<br />
are increasingly frustrated when their<br />
security teams don’t seem to “get it.”<br />
While this conflict has been simmering<br />
under the surface for many years, in many<br />
corporations it has reached a boiling<br />
point. Why now? In short, this friction is<br />
increasing because security now directly<br />
impacts the success or failure of many top<br />
business <strong>innovation</strong> drivers including:<br />
1<br />
OUTsOUrCinG/OFFshOrinG: In<br />
growing numbers, businesses are<br />
turning to low-cost sourcing and<br />
talent models to innovate how they deliver<br />
their services. This means that every day,<br />
more organizations need to securely share<br />
their intellectual property, technologies<br />
and infrastructure with third-party partners<br />
around the globe.<br />
2<br />
sUPPLY-ChAin innOVATiOn: The<br />
trend towards mass customization<br />
requires a more flexible, modern,<br />
global supply chain than ever before. Cor-<br />
<strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine Vol. 5, No. 1, 2008 9
cover story<br />
porate efforts to drive supply chain <strong>innovation</strong> are<br />
generating demand for equivalent <strong>innovation</strong>s in<br />
supply-chain security.<br />
3<br />
nEW JOinT VEnTUrEs, MErGErs & ACqUisi-<br />
TiOns: Businesses continue to strive to bring<br />
new business models, lines of business and<br />
skill sets to the table through the aggressive pursuit<br />
of joint ventures, mergers and acquisitions. To<br />
achieve success, these ventures require security<br />
strategies that maximize organizational synergies<br />
and mitigate risks.<br />
4<br />
CUsTOMEr sELF-sErViCE MOdELs: Capable of<br />
simultaneously reducing costs while increasing<br />
customer satisfaction, self-service models<br />
allow customers to drive their own transactions and<br />
A conversation about <strong>innovation</strong><br />
Members of the <strong>Security</strong> for Business Innovation Council<br />
will take part in an ongoing dialogue about the role of information<br />
security vs. IT security in driving business growth.<br />
Anish BhiMAni Managing<br />
Director, IT Risk Management,<br />
JP Morgan Chase<br />
BiLL BOni Corporate Vice<br />
President and Corporate<br />
Information <strong>Security</strong> Officer,<br />
Motorola<br />
dAVE CULLinAnE Vice<br />
President and Chief<br />
Information <strong>Security</strong> Officer<br />
rOLAnd CLOUTiEr Vice<br />
President, Chief <strong>Security</strong><br />
Officer, EMC Corporation<br />
dr. PAUL dOrEY Enterprise<br />
<strong>Security</strong> & Continuity<br />
Vice President and Chief<br />
Information <strong>Security</strong> Officer,<br />
BP<br />
rEnEE GUTTMAnn Vice<br />
President, Information<br />
<strong>Security</strong> and Privacy Officer,<br />
Time Warner Inc.<br />
dAVid KEnT Vice President,<br />
<strong>Security</strong>, Genzyme<br />
dr. CLAUdiA nATAnsOn<br />
Chief Information <strong>Security</strong><br />
Officer, Diageo<br />
CrAiG shUMArd Chief<br />
Information <strong>Security</strong> Officer,<br />
Cigna Corporation<br />
AndrEAs WUChnEr Head IT<br />
Risk Management, <strong>Security</strong> &<br />
Compliance, Novartis<br />
10 Vol. 5, No. 1, 2008 <strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine<br />
manage their own personal information via the Web.<br />
Successfully capitalizing on this powerful business<br />
strategy requires implicit customer trust, which is<br />
dependent upon a company’s information security<br />
performance.<br />
5<br />
WEB-BAsEd COLLABOrATiOn: In today’s global<br />
economy, companies need their worldwide<br />
internal employees and external partners<br />
to participate in their business with greater ease,<br />
frequency and depth than ever before. This means<br />
companies are continually adding external resources<br />
to their internal business systems, and determining<br />
who to trust and how far to open the door.<br />
6<br />
OPEn innOVATiOn: In the past, companies<br />
cooked up their <strong>innovation</strong>s in an airtight<br />
laboratory and moved them into production<br />
when they were fully baked. Needless to say, those<br />
days are long gone. Innovation in a global marketplace<br />
requires unstructured, multi-disciplined,<br />
multi-organizational collaboration.<br />
7<br />
WOrKFOrCE MOBiLiTY: In spite of the security<br />
risks, the benefits of ubiquitous connectivity,<br />
continuous communications and mobile<br />
access have made workforce mobility a corporate<br />
priority.<br />
It’s clear that each of these key business<br />
<strong>innovation</strong> levers must be supported by a<br />
progressive security strategy. As a result, senior<br />
executives are beginning to realize that information<br />
security is absolutely critical to how effectively their<br />
companies innovate and compete — today and for<br />
years to come.<br />
A siGniFiCAnT BUsinEss COsT<br />
There’s no doubt that the dysfunctional relationship<br />
between security and <strong>innovation</strong> is taking a<br />
significant business toll. In some cases, security<br />
concerns are preventing the realization of important<br />
business goals. In the worst scenarios, business<br />
results fall short of what is achievable because<br />
security worries hold companies back.<br />
On the other end of the spectrum, ignoring<br />
security concerns can produce very bad<br />
risk decisions. Under the pressure of urgent<br />
requirements and ever-diminishing budgets, the<br />
business sometimes fails to engage the security team
WiTh ThE<br />
riGhT<br />
sECUriTY<br />
in PLACE,<br />
innOVATiOn<br />
CAn BLOOM<br />
And<br />
FLOUrish.<br />
or fund the necessary security. Business owners go<br />
to market, quietly assuming the business risk and<br />
hoping nothing happens on their watch.<br />
These decisions have a range of negative<br />
repercussions. They may result in unsatisfactory<br />
audit results after a “go live.” <strong>Security</strong> and<br />
compliance may need to be “bolted on” after the<br />
fact, adding enormous cost and complexity to the<br />
project. And of course, there is the ultimate risk to<br />
corporate reputation. No CEO wants to see their<br />
company’s name in the headlines because customer<br />
data was compromised and shareholder value was<br />
lost.<br />
FindinG A BETTEr WAY<br />
So where do we go from here? Today’s security leaders<br />
agree that companies that innovate with security<br />
in mind will avoid stalled <strong>innovation</strong> processes and<br />
poor <strong>innovation</strong> outcomes.<br />
The 2006 Ernst & Young report “Achieving<br />
Success in a Globalized World” 1 notes: “Our<br />
experience tells us that when companies involve<br />
information security early and substantially in<br />
acquiring or divesting assets, and in other business<br />
initiatives, they dramatically reduce the risks and<br />
tangibly enhance the benefits of strategic changes.”<br />
It seems a simple enough mission: Make security<br />
an essential component of the <strong>innovation</strong> process.<br />
But, making this happen will require the removal of<br />
longstanding roadblocks, and answers to complex<br />
questions including:<br />
• How do you convince business managers<br />
to engage the security team at the start of the<br />
<strong>innovation</strong> process?<br />
• What are the best metrics to show how an action<br />
in security impacts the business’s bottom line?<br />
• How can security leaders inspire their teams to<br />
shift away from saying “I’m afraid the answer is no”<br />
and toward “This is how”?<br />
• How can security teams simplify how they<br />
communicate with business owners and how they<br />
assess security risks?<br />
• What is the best way to learn about innovative<br />
business initiatives on the horizon and proactively<br />
create security strategies that will remove business<br />
inhibitors and accelerate desired outcomes?<br />
At <strong>RSA</strong>, we believe security can be transformed<br />
from a “necessary evil” that stifles <strong>innovation</strong>, to a<br />
1 Source: www.ey.com/Global/download.nsf/International/TSRS_-_GISS_<br />
2006/$file/EY_GISS2006.pdf<br />
business strategy that accelerates it.<br />
We realize we are not alone in our thinking, and<br />
that joining forces with like-minded security leaders<br />
will allow us to drive a more rapid and meaningful<br />
change. With this goal in mind, <strong>RSA</strong> has convened<br />
a team of accomplished security leaders to explore<br />
security’s role in business <strong>innovation</strong> and identify<br />
ways to move the industry forward.<br />
<strong>RSA</strong> is conducting a series of in-depth interviews<br />
with the members of the <strong>Security</strong> for Business<br />
Innovation Council, and as the sponsor of this<br />
industry conversation, will publish a number of<br />
reports based on these discussions. We look forward<br />
to releasing the first of these reports at the April<br />
2008 <strong>RSA</strong> Conference.<br />
In his <strong>RSA</strong> conference keynote speech, “The Role<br />
of <strong>Security</strong> in Business Innovation: From Villain to<br />
Hero,” <strong>RSA</strong> president and CEO Art Coviello will<br />
share findings from the first <strong>Security</strong> for Business<br />
Innovation Council report, and reveal the results of<br />
a new IDC research study on this important topic. In<br />
the meantime, to learn more about the relationship<br />
between security and business <strong>innovation</strong>, please<br />
visit the <strong>RSA</strong> Business Innovation website at www.<br />
rsa.com/<strong>innovation</strong>/. i<br />
<strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine Vol. 5, No. 1, 2008 11
case study<br />
Redefining banking, redefining security<br />
Avant-garde German financier Karl<br />
Matthäus Schmidt deviated from European<br />
banking standards when he chose a<br />
customer-centric approach for his asset<br />
management firm. Schmidt also broke the<br />
norms when it came to online banking<br />
security, as he chose <strong>RSA</strong> SecurID®<br />
two-factor authentication over the<br />
widely accepted PIN/TAN system<br />
used throughout Europe.<br />
1 Vol. 5, No. 1, 2008 <strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine<br />
For a revolutionary European bank with high<br />
standards, traditional online security systems<br />
just weren’t enough. By NaNcy LaNgmeyer
Schmidt first made a name for<br />
himself when he founded the<br />
Consors discount brokerage<br />
firm at age 25, took it public<br />
five years later in 1999, and<br />
then sold it to BNP Paribas<br />
two years after that for half<br />
a billion euros (US$725<br />
million).<br />
Schmidt then founded the<br />
Berlin-based quirin bank, a<br />
specialized asset management<br />
firm for institutional and<br />
private investors, which he<br />
took public in October 2006.<br />
In March 2007, the German<br />
business publication, Manager<br />
Magazin, ranked the quirin<br />
bank second behind the<br />
venerable Deutsche Bank<br />
for the performance of its<br />
investments.<br />
An UnCOMMOn APPrOACh<br />
TO BAnKinG<br />
Today quirin bank manages<br />
assets of €690 million<br />
(US$1 billion) and, as CEO,<br />
Schmidt has a philosophy<br />
quite unlike any other in<br />
Germany: The bank only<br />
makes money if its customers<br />
do. The compensation of<br />
the bank’s financial advisors<br />
depends solely on the value<br />
added to their customers’<br />
investments. Their customers<br />
— ranging from small clients<br />
with modest investments to<br />
wealthy individuals with large<br />
portfolios — pay a flat rate<br />
asset management fee, with<br />
commissions or markups from<br />
their investments credited<br />
to their accounts. With<br />
JKArL MATThäUs sChMidT<br />
founded the ground-breaking<br />
quirin bank, ranked<br />
second behind Deutsche Bank<br />
for asset performance.<br />
Illustration by James Yang<br />
an interest in growing the<br />
customers’ assets, Schmidt’s<br />
simple yet revolutionary<br />
concept is working.<br />
An UnCOMMOn APPrOACh<br />
TO sECUriTY<br />
When quirin bank decided<br />
to offer online banking<br />
capabilities in the spring of<br />
2007, Schmidt decided once<br />
again to be unconventional<br />
and raise the bar for online<br />
security. For Schmidt, the<br />
PIN/TAN system used by<br />
most German banks was not<br />
good enough for his bank. The<br />
PIN/TAN system is prone<br />
to complacency; personal<br />
identification numbers are<br />
often written down, and lists<br />
of one-time-use transaction<br />
authorization numbers are<br />
sent to customers only to be<br />
lost or misplaced. Schmidt<br />
and his colleagues also looked<br />
at high-end customized<br />
security systems, but found<br />
them too cumbersome and<br />
complicated.<br />
BALAnCinG EAsE OF UsE And<br />
“WATErTiGhT” sECUriTY<br />
The bank wanted a solution<br />
that provided both ease of<br />
use and, as the president of<br />
banking operations, Stefan<br />
Spannagl notes, “watertight”<br />
security.<br />
The bank also wanted<br />
a solution that would be<br />
cost-effective, easy to install<br />
and maintain and quickly<br />
implemented. Another<br />
requirement was a solution<br />
that was future-proof,<br />
scalable, and able to meet<br />
the bank’s aggressive growth<br />
plans.<br />
ITREXS, a banking<br />
software and services<br />
provider whose modular<br />
portfolio management<br />
AsTEFAn sPAnnAGL<br />
president of banking operations,<br />
notes that <strong>RSA</strong> SecurID<br />
combines advanced technology<br />
with ease of use.<br />
solution is installed at<br />
quirin bank, came up<br />
with an effective solution:<br />
<strong>RSA</strong> SecurID® two-factor<br />
authentication. ITREXS,<br />
an <strong>RSA</strong> partner which has<br />
integrated <strong>RSA</strong> solutions with<br />
other banking and portfolio<br />
management customers,<br />
assured quirin bank that<br />
integrating an <strong>RSA</strong> two-factor<br />
authentication token with<br />
the bank’s existing customer<br />
front end and their ITREXS<br />
solution could be done easily<br />
and quickly.<br />
MEETinG ThE BAnK’s<br />
hiGh sTAndArds<br />
After testing two-factor<br />
authentication, quirin bank<br />
was quickly convinced.<br />
In mid-2007, ITREXS<br />
customized <strong>RSA</strong> SecurID,<br />
tailoring it to quirin bank’s<br />
exact requirements, including<br />
a SecurID key fob token<br />
branded with the bank’s<br />
logo. ITREXS installed and<br />
implemented <strong>RSA</strong> SecurID<br />
with minimal disruption of<br />
the bank’s operations during<br />
deployment.<br />
With <strong>RSA</strong> two-factor<br />
authentication, quirin bank<br />
customers now can log into<br />
their accounts using a known<br />
entity — their PIN number<br />
— combined with the onetime<br />
token code generated<br />
by their quirin bank key fob.<br />
This provides the high level<br />
of security that Schmidt was<br />
looking for.<br />
<strong>RSA</strong> SecurID has been<br />
fully integrated with the<br />
bank’s Web portal for all<br />
the bank’s customers and<br />
staff, with overwhelmingly<br />
positive feedback. “Not only<br />
is <strong>RSA</strong> SecurID significantly<br />
safer than conventional PIN/<br />
TANs,” says Spannagl, “it also<br />
combines the most advanced<br />
technology use with ease of<br />
use.”<br />
Schmidt sees the solution<br />
as adding value to the bank’s<br />
image. “The quirin bank<br />
offers its customers secure,<br />
innovative online banking,” he<br />
says. “With <strong>RSA</strong> two-factor<br />
authentication, our customers<br />
can conduct their bank<br />
business flexibly and securely<br />
— and with confidence.”<br />
PrEPArinG FOr GrOWTh<br />
In the future, quirin bank<br />
plans to offer business<br />
process outsourcing services.<br />
The users of these services<br />
— typically other banks and<br />
financial institutions wishing<br />
to outsource part or all of<br />
their business processes<br />
— will also be using <strong>RSA</strong><br />
SecurID. In addition, the<br />
bank anticipates growing its<br />
regular customer base from<br />
the current level in<br />
the low thousands to more<br />
than 10,000 by 2010, and<br />
is quite confident that <strong>RSA</strong><br />
SecurID will grow with<br />
them. i<br />
<strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine Vol. 5, No. 1, 2008 1
solutions<br />
<strong>RSA</strong>’s strategy for<br />
information risk management<br />
Taking a holistic, risk-based<br />
approach to IT security<br />
By Christine Kane<br />
After years of viewing information security as a defensive<br />
strategy, designed to prevent bad things from happening,<br />
enterprises are starting to demand more from their<br />
security investments. They recognize that security can<br />
also contribute to an organization’s success by helping<br />
drive key business initiatives, such as accelerating<br />
<strong>innovation</strong> and collaboration and reducing compliance<br />
costs. (See “From Brakes to Breakthroughs”, page 8.)<br />
But before this transformation<br />
can take hold, says <strong>RSA</strong>’s Steve<br />
Preston, organizations must surmount<br />
the shortcomings of today’s<br />
fragmented approaches to security.<br />
“Most organizations are in a reactive<br />
mode when it comes to security<br />
threats and industry regulations,<br />
and they struggle to manage security<br />
with point solutions.” says Preston,<br />
senior director, Solutions Marketing,<br />
<strong>RSA</strong>. “The problem with<br />
this ‘silo’ approach is that good<br />
efforts in one area can be quickly<br />
nullified by failures in another.”<br />
Preston offers the example of a<br />
bank that has effectively deployed<br />
technology to protect its online<br />
banking portal from fraud only to<br />
have a privileged user copy confidential<br />
customer data to an unsecured<br />
laptop which is eventually<br />
stolen. The loss has to be disclosed,<br />
and the customer trust that has<br />
been gained with anti-fraud technology<br />
is completely undone by a<br />
lack of policy enforcement in the<br />
back office. Preston likens this situation<br />
to the carnival game Whaca-Mole.<br />
“You hammer the problem<br />
down over here and it pops up<br />
again over there. IT needs to engage<br />
the business in a way that not only<br />
puts security into relevant business<br />
context but also helps IT prioritize<br />
where to invest in security.”<br />
AdVOCATinG A nEW APPrOACh<br />
Faced with these realities, industry<br />
watchers and thinkers have called<br />
for a more holistic approach to information<br />
security and compliance,<br />
one that is based on the established<br />
discipline of risk management.<br />
In the study “Information Risk<br />
Management in Financial Services,”<br />
TowerGroup Senior Analyst Rodney<br />
Nelsestuen writes: “Practicing<br />
a holistic approach to security<br />
and information risk assures that<br />
business information contributes to<br />
achieving marketplace and business<br />
goals. … Policy, practices, and<br />
technologies that provide a defense<br />
for information also can support<br />
the business’s offensive strategy.”<br />
EnLiGhTEnMEnT sTArTs hErE<br />
Making the transition from today’s<br />
“silo security” represents a significant<br />
shift for organizations, says<br />
Bob Blakely of the Burton Group.<br />
14 Vol. 5, No. 1, 2008 <strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine
Illustration by Greg Mably<br />
“There is a process of enlightenment<br />
that organizations need to go<br />
through to effectively manage any<br />
kind of risk, including information<br />
risk,” says Blakely. “This process<br />
starts with understanding that<br />
risks have to be consciously managed<br />
and processes have to be put<br />
in place to assess an organization’s<br />
risk appetite, current risks and vulnerability.<br />
You then need to design<br />
controls that mitigate risk within<br />
one’s appetite. And you have to<br />
assess the effectiveness of those<br />
controls to be sure you’re operating<br />
within your tolerance while also<br />
achieving regulatory compliance.<br />
“The finance industry — and,<br />
to a lesser extent, the healthcare<br />
and energy industries — are the<br />
first industries to have reached this<br />
point of enlightenment,” he says.<br />
“With the rollout of its Information<br />
Risk Management strategy, <strong>RSA</strong> is<br />
helping organizations evolve to this<br />
stage of awareness and put in compensating<br />
controls using tools such<br />
as data loss prevention, encryption<br />
and authentication.”<br />
ThrEE COrE PrinCiPLEs<br />
Introduced last fall for the financial<br />
services industry and now being offered<br />
to other industries, <strong>RSA</strong>’s Information<br />
Risk Management strategy<br />
provides an end-to-end, holistic<br />
approach for protecting a business’s<br />
most critical information assets.<br />
(See sidebar, “<strong>RSA</strong>’s Comprehensive<br />
Approach.”)<br />
“There are three pillars to our<br />
strategy,” says Preston. “The first is<br />
<strong>RSA</strong>’s information-centric approach<br />
to security, where you begin by<br />
understanding what information is<br />
critical to key business initiatives,<br />
such as growth through acquisitions<br />
or expanding partnerships.<br />
Then you diligently ‘follow the data’<br />
to gain a more holistic view of all<br />
the places where it exists across the<br />
organization, where the points of<br />
vulnerability are, and what events<br />
“Many people think risk<br />
management is about<br />
risk minimization, and<br />
it’s not. It’s about risk<br />
optimization. There are<br />
some risks you want<br />
to take because the<br />
payoff is so great; the<br />
challenge is to mitigate<br />
your risk to a tolerable<br />
level. A good risk<br />
management program<br />
allows you to take risks<br />
that your competitors<br />
can’t.”<br />
BoB BLakLey<br />
aNaLyst, BurtoN group<br />
could put your business at risk.”<br />
This is a very complex task. Data<br />
resides in many places, it’s mobile,<br />
it’s constantly being transformed,<br />
and it’s at the center of collaborative<br />
processes. “Tools for data<br />
discovery and classification are a<br />
critical part of our solution because<br />
they make our strategy actionable,”<br />
says Preston, explaining that the<br />
tools provide a basis for applying<br />
policy consistently across the universe<br />
of corporate information.<br />
PriOriTiZinG inVEsTMEnTs<br />
The second core concept behind<br />
<strong>RSA</strong>’s strategy is the idea that<br />
security investments should be<br />
prioritized, based on the amount<br />
of risk a given activity entails<br />
relative to the potential business<br />
reward, and in keeping with the<br />
organization’s appetite for risk. In<br />
this context, risk is defined as the<br />
likelihood an event will occur and<br />
the consequences if it does.<br />
“The first thing a lot of people<br />
want to talk about is tape encryption,”<br />
says Preston. “In other words,<br />
many companies are putting locks<br />
<strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine Vol. 5, No. 1, 2008 1
solutions<br />
on doors that almost no one is walking<br />
through. This results in over-scoping and<br />
misaligned investment in security. What<br />
organizations need to do is enable their<br />
highest priority business initiatives by<br />
protecting the information that is most<br />
valuable at the points where it is most<br />
vulnerable.”<br />
Many analysts agree, including Blakley.<br />
“Many people think risk management<br />
is about risk minimization, and it isn’t,”<br />
he says. “It’s about risk optimization.<br />
There are some risks you want to take because<br />
the payoff is so great; the challenge<br />
is to mitigate your risk to a tolerable<br />
level. A good risk management program<br />
allows you to take risks that your competitors<br />
can’t.”<br />
EnsUrinG rEPEATABiLiTY<br />
Once enterprise information has been<br />
located and a risk assessment performed,<br />
the next step is to implement controls<br />
— including policies, technologies, and<br />
tools — to mitigate that risk. Here, repeatability<br />
and reuse of security controls<br />
is central to <strong>RSA</strong>’s strategy.<br />
“You get repeatability from using<br />
rsA’s COMPrEhEnsiVE APPrOACh<br />
16 Vol. 5, No. 1, 2008 <strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine<br />
BrYAn PALMA of EDS says<br />
that many enterprises<br />
are ready to embrace<br />
information risk management.<br />
common, standards-based frameworks<br />
and best practices,” says Preston.<br />
“Frameworks like ISO 27002 and the<br />
PCI Data <strong>Security</strong> Standard let you build<br />
to the gold standard, get you 80 to 95<br />
percent of the way toward building your<br />
controls, and help eliminate unnecessary<br />
<strong>RSA</strong> brings together all the components an organization needs to plan and implement an<br />
Information Risk Management strategy. The five main aspects to <strong>RSA</strong>’s approach include:<br />
1 A GlobAl Risk FRAmewoRk <strong>Security</strong> is aligned with key business initiatives. For critical<br />
data, a risk assessment provides a holistic view of risk across lines of business and operations.<br />
Policy is developed based on best practices.<br />
offerings include: Risk Assessment Services, Policy Review and Development, <strong>Security</strong><br />
Assessments.<br />
2 inFoRmAtion ClAssiFiCAtion And disCoveRy Information is classified so appropriate<br />
policies and protections can be systematically applied. Data and application discovery tools<br />
are used to locate all instances of sensitive information across the enterprise.<br />
offerings include: Information Classification, Information and Application Discovery.<br />
3 ContRols on PeoPle Policy is automatically enforced by implementing controls such<br />
as authentication and access management that enable users to securely access enterprise<br />
resources and perform transactions while balancing risk, cost and convenience. Controls are<br />
based on standard frameworks, such as ISO 27002 and PCIDSS, enabling repeatability.<br />
offerings include: Credentials Management and Credentials, Authentication, Access<br />
Management, and Integrated Intelligence (transaction monitoring and adaptive authentication).<br />
4 ContRols on dAtA Automated controls are implemented to protect structured and unstructured<br />
data, whether it is in use, in motion or at rest on endpoints, networks and servers.<br />
offerings include: Data Loss Prevention, Encryption and Key Management, Information<br />
Rights Management.<br />
5 RePoRtinG, Audit And ComPliAnCe Compliance with security regulations and policies is<br />
validated by auditing controls and documenting their effectiveness.<br />
offerings include: Event Management, Compliance Reporting.<br />
or redundant controls.”<br />
Preston says his group<br />
has been systematically<br />
documenting how <strong>RSA</strong> and<br />
EMC products map to key<br />
frameworks so customers<br />
can be apprised of built-in<br />
controls that are already<br />
compliant.<br />
Gartner Group has<br />
pointed out that the number<br />
of security controls<br />
an organization deploys<br />
is a good proxy for the<br />
complexity and cost of its<br />
compliance program. Some<br />
companies using a risk-oriented<br />
approach to compliance<br />
report that they have<br />
eliminated 30 to 70 percent<br />
of their controls, which<br />
contributes to lower costs, reduced complexity<br />
and improved reliability.<br />
TAKinG sTOCK OF rsA’s sTrATEGY<br />
Are people ready to embrace security as<br />
a business accelerator? “I’d say roughly<br />
20 percent of enterprises already ‘get it’,”<br />
says Bryan Palma, vice president, Global<br />
Information <strong>Security</strong> for EDS, which<br />
partners closely with EMC/<strong>RSA</strong> on many<br />
outsourcing and systems integration<br />
opportunities. “Another 60 percent are<br />
ready for that message but are not fully<br />
on board, and the remaining 20 percent<br />
are still back in the mindset that security<br />
is an inhibitor.”<br />
Palma believes that <strong>RSA</strong> is well positioned<br />
to help companies move to the<br />
next stage of understanding and enablement.<br />
“On the tactical side, <strong>RSA</strong> has<br />
strengths that align with where the market<br />
is heading. These strengths include<br />
their expertise around data security, their<br />
focus on application security from an<br />
encryption standpoint, and their work<br />
in identity assurance and credentialing<br />
— both in consumer and enterprise markets.<br />
These are real differentiators.<br />
“On the strategic side, <strong>RSA</strong> has<br />
benefited from being acquired by EMC,<br />
in terms of how well they work with<br />
enterprise customers, how they understand<br />
the business side of security, and<br />
their openness to partnering with<br />
integrators, service providers and technology<br />
vendors.” i<br />
Photograph by Charles Ford<br />
C<br />
M<br />
Y<br />
CM<br />
MY<br />
CY<br />
CMY<br />
K
© © 2008 2008 Juniper Juniper Networks Networks<br />
>> Got the trinket & trash blues? Stop seeing red, just visit with Juniper Networks. We’ll show you how<br />
Juniper’s purpose-built, high-performance IP platforms support all services and applications at scale —<br />
and how Juniper helps service providers, enterprises and governments excel in the most demanding<br />
network environments, with a proven portfolio of networking, security and application acceleration<br />
solutions. The switch is on to Juniper Networks: www.juniper.net<br />
Visit us at booth #1541.<br />
1 . 8 8 8 . J U N I P E R
government update<br />
“We’re worried<br />
about the<br />
survival of<br />
our economy<br />
because<br />
of cyber<br />
vulnerabilities.<br />
We know the<br />
electrical<br />
generating<br />
system in the<br />
United States is<br />
at risk, and the<br />
economy can’t<br />
survive without<br />
electricity.”<br />
ALAn PALLEr<br />
the SANS<br />
Institute<br />
18<br />
By Sarah Jensen<br />
A<br />
progress<br />
report<br />
on<br />
cybersecurity
Five years after the release of the National Strategy to<br />
Secure Cyberspace, the threat of cyber attack remains real,<br />
but today we better understand who the attackers are and<br />
what we must do to thwart them. Nationally recognized<br />
information security experts assess our progress to date,<br />
actions that remain to be taken and the challenges the next<br />
president of the United States faces in this area. >><br />
“The<br />
presidential<br />
hopefuls all<br />
have some<br />
very sharp<br />
cybersecurity<br />
advisors, so I<br />
believe they’ll<br />
be in a position<br />
to take action<br />
when they get<br />
into office, no<br />
matter which<br />
becomes<br />
president.”<br />
JAMEs LEWis<br />
Center for<br />
Strategic and<br />
International<br />
Studies<br />
<strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine Vol. 5, No. 1, 2008 19
government update<br />
computer systems. In its<br />
first implementation, at the<br />
U.S. Air Force, FDCC cut<br />
patch time from 57 days to<br />
72 hours and reduced costs<br />
by $100 million. By February<br />
4, all federal agencies were<br />
required to implement<br />
FDCC, which standardizes<br />
the configuration of<br />
approximately 300 settings<br />
on Windows XP and Vista<br />
computers.<br />
ThE EinsTEin PrOGrAM<br />
A traditionally voluntary<br />
program, Einstein has since<br />
2004 kept watch on federal<br />
agencies’ networks for the<br />
presence of computer worms<br />
and other unwanted traffic,<br />
correlating cross-agency<br />
security incidents. Already,<br />
Einstein sensors have<br />
identified malicious packets<br />
indicating Department of<br />
Agriculture systems had been<br />
penetrated and infected,<br />
allowing swift elimination of<br />
the infection.<br />
One problem Einstein<br />
targets is spear phishing, an<br />
e-mail spoofing fraud that<br />
seeks unauthorized access to<br />
an organization’s confidential<br />
data. “Spear phishers are<br />
already inside and they<br />
burrow deep,” says Paller.<br />
“The National Cyber Initiative<br />
will watch traffic at such a<br />
high fidelity with so much<br />
analysis that there’s a chance<br />
those burrowing worms will<br />
get flagged.”<br />
Other recent guidance<br />
by the government includes<br />
the President’s Strategic<br />
Plan for Combating Identity<br />
Theft, released in April 2007.<br />
Led by the Federal Trade<br />
Commission and the Justice<br />
Department, the plan focuses<br />
on educating the public to<br />
be cautious about divulging<br />
personal information and<br />
altering the way businesses<br />
obtain that information. In<br />
the corporate sector, the<br />
Payment Card Industry Data<br />
<strong>Security</strong> Standard requires<br />
merchants, banks and other<br />
members of the payment card<br />
industry to protect consumer<br />
data by implementing security<br />
best practices and proven<br />
tools such as firewalls, data<br />
encryption and access control.<br />
A nEW COMMissiOn<br />
LOOKs AhEAd<br />
In response to last summer’s<br />
outbreak of cyber attacks,<br />
CSIS brought together<br />
security experts to create the<br />
Commission on Cybersecurity<br />
for the 44th Presidency,<br />
a strategy and set of<br />
recommendations for the next<br />
administration to utilize in its<br />
effort to secure cyberspace.<br />
Intended as an update of<br />
the National Strategy, the<br />
Commission focuses on<br />
actions the next president<br />
should take in his or her first<br />
year in office. “To its credit,<br />
this administration has made<br />
inroads in cybersecurity, but<br />
the next president will have to<br />
do even more,” says Lewis.<br />
“The current campaign initiative<br />
illustrates that<br />
cybersecurity is not something<br />
we can ignore anymore,”<br />
he continues. “The presidential<br />
hopefuls all have some<br />
very sharp cybersecurity advisors,<br />
so I believe they’ll be in<br />
a position to take action when<br />
they get into office, no matter<br />
which becomes president.”<br />
A sAFE CYBErFUTUrE<br />
A 2007 Consumer Reports<br />
study found that one in<br />
four users faces a chance<br />
of becoming a cyberfraud<br />
victim, and that 17 percent<br />
of respondents had no<br />
antivirus software installed.<br />
In the absence of federal<br />
mandates requiring vendors<br />
to include high-level security<br />
in every system, vendors<br />
must be encouraged to do<br />
so voluntarily. “The most<br />
important thing we must do<br />
is provide incentives for<br />
vendors to bake security<br />
into the system,” says Paller.<br />
“We need software that is<br />
configured securely when<br />
we buy it. We don’t want to<br />
buy it and then have to worry<br />
about whether we’re secure<br />
enough.”<br />
Shannon Kellogg, director<br />
of Information <strong>Security</strong><br />
Policy in EMC’s Office of<br />
Government Relations<br />
and a member of the CSIS<br />
Cyber <strong>Security</strong> Commission<br />
for the 44th Presidency,<br />
agrees that vendors should<br />
be building more security<br />
into their products. “When<br />
you compare where the IT<br />
industry was in 2003 when<br />
the National Strategy came<br />
out to where we are today, it’s<br />
really night and day,” Kellogg<br />
says. “Platform companies<br />
like EMC have invested<br />
substantial resources in<br />
building in more security and<br />
setting up software assurance<br />
processes based on effective<br />
best practices.” In fact, to<br />
advance these types of efforts<br />
throughout the industry, EMC<br />
joined forces with Microsoft<br />
and other leading IT vendors<br />
to found SAFECode (www.<br />
safecode.org) in 2007.<br />
nEXT UP: rEEnGinEErinG<br />
ThE inTErnET?<br />
Even so, Paller and Lewis<br />
agree, such defenses are not<br />
enough.<br />
“We’re going to have<br />
to actually reengineer<br />
the Internet,” says Paller.<br />
“Eventually, there will be<br />
two Internets. Right now,<br />
no one knows who you are<br />
on the Internet. You can<br />
sell pornography, you can<br />
make anonymous political<br />
statements, you can attack<br />
other people.”<br />
The future configuration,<br />
he suggests, will be a<br />
cyberspace made up of an<br />
open Internet and a second<br />
Internet where every person’s<br />
and every computer’s identity<br />
is known. “If you’re a bank,<br />
you want to know someone<br />
“We must provide incentives for vendors to bake<br />
security into the system.We need software that<br />
is configured securely when we buy it.”<br />
claiming to be your customer<br />
really is your customer,” he<br />
says. Such a configuration<br />
would require substantial<br />
changes to every router on<br />
the Internet and cost in the<br />
billions of dollars.<br />
“But we’re in an arms<br />
race,” Paller stresses. “Nation<br />
states will spend anything<br />
to control other nations’<br />
computers, anything. You can<br />
never completely solve the<br />
problem, so we’ve got a lot of<br />
work to do just to keep up. But<br />
long term, I am hopeful.”<br />
Lewis shares Paller’s<br />
optimism. “We have a very<br />
inventive set of opponents,”<br />
he admits. “We recognize<br />
our vulnerabilities and<br />
have developed operable<br />
initiatives. What we’re doing<br />
now goes beyond the National<br />
Strategy.” i<br />
<strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine Vol. 5, No. 1, 2008 1
sa labs<br />
Getting into<br />
your Pc at<br />
WarP speed<br />
inside<br />
When <strong>RSA</strong> SecurID meets Wi-Fi<br />
By JasoN m. ruBiN<br />
ChAnCEs ArE YOU pushed<br />
a button on your key fob this<br />
morning and the doors of your<br />
car immediately unlocked.<br />
An ordinary act, to be sure,<br />
and yet fairly extraordinary as<br />
well. After all, why isn’t it that<br />
quick and easy to get into your<br />
computer?<br />
Such was the inspiration<br />
Vol. 5, No. 1, 2008 <strong>RSA</strong>, The <strong>Security</strong> Division of EMC Vantage Magazine<br />
for the Wireless Authentication<br />
Research Project<br />
(WARP). According to <strong>RSA</strong><br />
Labs Consulting Technologist<br />
John Brainard, “The goal<br />
of WARP was to develop a<br />
solution that would enable a<br />
user to quickly yet securely<br />
log on to his or her computer<br />
without typing. This would<br />
eliminate input errors and<br />
make it easier to access network<br />
resources while on the<br />
phone or otherwise manually<br />
engaged.”<br />
Think of it as an <strong>RSA</strong> SecurID<br />
token with a Wi-Fi antenna<br />
attached. The original<br />
prototype, about the size of<br />
a cigarette case, was a plastic<br />
box containing three AAA<br />
batteries, an antenna, and an<br />
entire Linux computer in a<br />
board smaller than a stick of<br />
chewing gum.<br />
Though effective, the unit<br />
was rather clunky and less<br />
convenient to carry than a<br />
regular SecurID token. Furthermore,<br />
the box had limited<br />
functionality. “We knew we<br />
could do a lot more if we<br />
had an electronic interface,”<br />
Brainard says. “For example,<br />
if there was a screen where<br />
you could see a message or a<br />
file, you could use the unit as<br />
a smart card and confirm and<br />
electronically sign transactions<br />
or decrypt documents.”<br />
qUiCK, CLEAn, And<br />
COnVEniEnT<br />
The solution <strong>RSA</strong> Labs<br />
hit upon — to implement<br />
WARP functionality in software<br />
within a smart phone<br />
— worked on a number of levels.<br />
First, it utilized powerful,<br />
existing technology. And, if it<br />
wasn’t much smaller, at least<br />
it was something users would<br />
be sure to keep on hand.<br />
“With a phone you have<br />
something people will use and<br />
keep with them,” says Brainard.<br />
“It’s also a good native<br />
environment for Wi-Fi. We<br />
could have used Bluetooth,<br />
but it’s not as well supported<br />
in PCs.”<br />
Since PCs are only open<br />
to one Wi-Fi channel at a<br />
time, the WARP unit identifies<br />
itself as a network access<br />
point so it can be used anytime.<br />
Because it never actually<br />
connects to a network<br />
and no hardware needs to be<br />
installed on the user’s PC, the<br />
unit and its embedded token<br />
code can be used on any computer.<br />
Currently, there are four<br />
main applications for the<br />
WARP device:<br />
• UnLOCK A PC WiTh PUsh-<br />
BUTTOn EAsE. This would be<br />
particularly useful in medical<br />
settings, where as many as<br />
15 doctors may share a single<br />
computer and need to quickly<br />
and securely access patient<br />
and other information, or<br />
digitally sign orders.<br />
• EAsY WEBsiTE LOGOn. Users<br />
can access their retail or<br />
online bank accounts quickly.<br />
They may need to manually<br />
enter a PIN if two-factor authentication<br />
is used.<br />
• ACCEss EnCrYPTEd FiLEs.<br />
Users can create a separate<br />
volume on their hard drive<br />
for sensitive files they have<br />
encrypted. The WARP unit<br />
would enable them to access<br />
this volume.<br />
• rECEiVE TrAnsACTiOn VEri-<br />
FiCATiOn rEqUEsTs. Before<br />
a transaction is completed,<br />
users can receive an SMS<br />
message on the smart phone<br />
asking them to verify the<br />
terms and contents of the<br />
transaction.<br />
“By demonstrating WARP<br />
at the <strong>RSA</strong> Conference, we<br />
hope to generate customer<br />
interest,” says Brainard. “If we<br />
can, then we’ll work to further<br />
refine the technology and<br />
perhaps it will be productized<br />
someday.” i<br />
Illustration by Stuart Bradford
In a flat world,<br />
information risk is global.<br />
Now more than ever, information is the centerpiece of <strong>innovation</strong> that gives your business a competitive edge. <strong>RSA</strong>, the<br />
<strong>Security</strong> Division of EMC, and Wipro have developed a powerful alliance that simplifies the adoption of information risk<br />
management practices in complex enterprise environments. Let <strong>RSA</strong>’s information-centric solutions become your accelerator<br />
into the global marketplace, and let Wipro cut costs without cutting corners. Learn more at www.rsa.com and www.wipro.com.<br />
Information discovery & classification<br />
<strong>Security</strong> information and event management<br />
Visit Wipro at the<br />
<strong>RSA</strong> Conference, Booth 1717<br />
<strong>RSA</strong><br />
Secure identities and access<br />
Data security<br />
WIPRO<br />
Strong security consulting; global clientele implementation experience<br />
Cost-effective SOC solutions through a proven global delivery model<br />
In-depth skills in <strong>RSA</strong> products; a dedicated Center of Excellence for <strong>RSA</strong> technology<br />
Integrated solutions for FFIEC, ISO and PCI compliance<br />
©2008 <strong>RSA</strong> <strong>Security</strong> Inc. All rights reserved. <strong>RSA</strong> and the <strong>RSA</strong> logo are either registered trademarks or trademarks of <strong>RSA</strong> <strong>Security</strong> Inc. in the United States and/or other countries. Wipro is a trademark of Wipro Ltd.
������ ����� �������<br />
������� ������������ ��� ������������� ������� ������������ ����<br />
��������<br />
����� ������ ������� ������ ��� ������ ��� ����������� ������� � �������� ����� �������<br />
���� ������� ��� ���������� �� �������������� ��� ������ ����������� ������� ����<br />
����� ������� ��� ��� ���� �������� ���� ��������<br />
� ������� � ������ ������ ��� ����� ������������ ������ ����� ��� �������� ���������<br />
� �������� ������� ������ ��� ������� ������������� ������� ���������� �������� ���<br />
�������<br />
� ����������� ����� ������ ���������� ��� ������ ����������� ������ ����� ���<br />
�������� ���������<br />
��� ������ ��� ��������� �������� ��������� ����� �� ������� ������ ��� ��������� �����<br />
�� ������ ��� �� ���������� ������ ���� � ������� �� ���������� ��� ����� ����������<br />
������� �� ���� ���� ������<br />
����� �� �� ����� ����