“What the market is moving toward is end-to-end trust, both preventive and reactive,” said Scott Charney, Microsoft’s corporate VP of Trustworthy Computing, during a Tuesday morning keynote. “This includes root trust in the hardware store, and trust of the people requesting access, and protection of personal and confidential data.”
Vista includes full volume encryption with Trusted BitLocker based on the Trusted Platform Module (chip security) framework, and has a browser application to accept only digitally signed data. For Windows 7, Microsoft has partnered with EMC/RSA for technology to create secure, peer-to-peer IPv6 log-in sessions using IPsec (Internet Protocol Security).
In another project, code-named ‘Sterling,’ Microsoft is developing an API for third parties to create an “identity meta system” akin to how birth certificates are used in the real world, according to Charney. (As I blogged previously, some security vendors are even looking at becoming the overall vetting service for online identities, akin to what Verisign does with digital certificates.)
There was also a lot of development around OATH (Initiative for Open Authentication), an open standard for two-factor authentication, which is happening on cards, tokens and phones, says Don Malloy, business developer manager at NagraID and marketing chair for OATH.
Integration between applications and network security was also announced by security lifecycle management startup Tufin Technologies, which released TOP (Tufin Open Platform) open APIs for developers. It already partners with F5 and Blue Coat for policy management, and is deeply integrated with Check Point, Juniper, Cisco and Fortinet.
Also at the application level, another leap in database security appears to have happened, with database security vendor Secerno going beyond the external database firewall model we’re seeing today to include access controls, encryption management, and filtering at the database kernel level.
Improvements in Web and cloud application security are also beginning to emerge that go beyond the traditional Web application firewalls. Mykonos, at a classy reception atop the Sir Francis Drake Hotel, launched a secure end-to-end framework for Ajax application developers. It includes encryption, digital signatures, logging, and auditing against SQL injections, session hijacking and other common problems associated with Web applications.
Particularly during this economic downturn, this type of unsexy, low-level, standards-based development is exactly what the industry needs in order to emerge from the recession prepared for customer demands, says Tom Corn, VP of marketing for RSA.
“We’ve got to stop playing Whack-a-Mole with all these new security issues and solutions that come up,” he says. “We need to decouple authentication from individual applications to enforce policies that span identities, infrastructure and information controls.”