SAN FRANCISCO—Attendance was down enough to dull what’s
usually a loud roar to a low buzz in the cavernous expo hall at the RSA
Security Conference last week. Yet, examples of innovation and security
maturation were still in abundance. In particular, there was a lot of
standards-based innovation around authentication, managing people’s online
identities, encryption and data management.
“What the market is moving toward
is end-to-end trust, both preventive and reactive,” said Scott Charney,
Microsoft’s corporate VP of Trustworthy Computing, during a Tuesday morning
keynote. “This includes root trust in the hardware store, and trust of the
people requesting access, and protection of personal and confidential data.”
Vista includes full volume
encryption with Trusted Bit Locker based on the Trusted Platform Module (chip
security) framework, and has a browser application to accept only digitally
signed data. For Windows 7, Microsoft has partnered with EMC/RSA for technology
to create secure, peer-to-peer IPv6 log-in sessions using IPsec (Internet
Protocol Security).
In another project, code-named
‘Sterling,’ Microsoft is developing an API for third parties to create an
“identity meta system” akin to how birth certificates are used in the real
world, according to Charney. (As I blogged previously, some security vendors are even looking at becoming the
overall vetting service for online identities, akin to what Verisign does with
digital certificates.)
There was also a lot of development
around OATH (Initiative for Open Authentication), an open standard for
two-factor authentication, which is happening on cards, tokens and phones, says
Don Malloy, business developer manager at NagraID and marketing chair for
OATH.
Integration between applications
and network security was also announced by security lifecycle management
startup, Tufin Technologies, which released TOP (Tufin Open Platform) open APIs
for developers. Already it partners with F5 and Blue Coat for policy
management, and is deeply integrated with Check Point, Juniper, Cisco and
Fortinet.
Also at the application level,
another leap in database security appears to have happened, with database
security vendor Secerno going beyond the external database firewall model we’re
seeing today to include access controls, encryption management, and filtering
at the database kernel level.
Improvements in Web and cloud
application security are also beginning to emerge that go beyond the traditional
Web application firewalls. Mykonos, at a classy reception atop the Sir Francis
Drake Hotel, launched a secure end-to-end framework for Ajax application
developers. It includes encryption, digital signatures, logging, and auditing
against SQL injections, session hijacking and other common problems associated
with Web applications.
Particularly during this economic
downturn, this type of unsexy, low-level, standards-based development is
exactly what the industry needs in order to emerge from the recession prepared
for customer demands, says Tom Corn, VP of marketing for RSA.
“We’ve got to stop playing
Whack-a-Mole with all these new security issues and solutions that come up,” he
says. “We need to decouple authentication from individual applications to
enforce policies that span identities, infrastructure and information
controls.”