RSA Look-Back: Security Takes Integrated Turn

San Francisco -- When the first RSA Conference convened 15 years ago, the hottest topic was public- vs. private-key encryption. Fewer than 100 partners of the company then known as RSA Data Security debated how to get corporate clients interested in enterprise security. Secure communications for consumers was a nonissue.

To say things have changed would be an understatement. Even as the RSA Conference opened here last week, authorities were reporting that the 13 servers that help manage worldwide Internet traffic were hit by a denial-of-service attack that nearly took down three of them. The hack went largely unnoticed by the public, thanks to the efforts to fortify the Internet's "root" servers since the last infrastructure attack in 2002.

Over roughly the same period, identity theft has advanced to the point where directional antennas and high-powered 802.11 RF cards can be used by "deep phishers" a mile away from a Wi-Fi access point. Hackers create false Web sites several pages deep to replicate financial institutions. They use distant Wi-Fi connections to snare the "holy trinity" of sensitive personal ID information--a victim's Social Security number, date of birth and address--without leaving a trace of phishing activity with an Internet service provider.

Within today's fragmented security industry, there are hardware specialists focused on intrusion prevention and detection, software specialists looking to expand diversified firewalls, and networking and OS specialists proposing centralized access-policy approaches such as Cisco Systems Inc.'s Network Access Control (NAC). Last week, more than 300 exhibitors were on hand to show integrated security systems to the RSA Conference's 15,000 attendees.

Seven-layer security
In the 1990s, standards bodies ranging from the IEEE to the National Security Agency's Information Assurance Office attempted to create end-to-end standards for access, authentication and encryption, but most of those efforts fell victim to overambition. Now, corporate users and institutions serving consumers are trying to cobble together seven-layer security systems combining elements of crypto, identity management and AAA (authentica- tion, authorization and accounting).

Industry consolidation can solve part of the security proliferation problem. RSA, which merged with Security Dynamics four years ago, was itself acquired last year by storage specialist EMC Corp. Checkpoint Software Technologies Inc., the leader in software firewalls, has acquired several small companies to move into such areas as hardware-based unified threat management.

But integrating dissimilar access- and network-control products is only half the battle. John Gray, security portfolio marketing leader at Nortel Networks Inc., predicted that network equipment OEMs and operating system specialists will be best positioned to establish security frameworks because "control must be embedded in the network infrastructure. The standalone-hardware-appliance world can't stand on its own much longer."

Indeed, "the standalone security industry will end within three years," Art Coviello, president of the RSA Security division of EMC, declared matter-of-factly in his keynote address here. Appliance-based strategies creating fortresses of information must give way to dynamic, adaptive security systems that focus on the data being protected, not the network infrastructure, Coviello said. Thus, security must be integrated directly in OSes, databases and network equipment.

The morphing of hacking activity into a lucrative, multibillion-dollar criminal enterprise based on fraud and ID theft necessitates a shift in emphasis to combat it, Coviello said. "We have to stop thinking of security as a technology laundry list that we just keep perfecting. Instead of perfecting security features, we should work at mitigating a specific business risk."

Recent International Data Corp. studies show that the black market merely for processing false IDs, without considering the revenue gained from identity theft, now amounts to more than $1 billion a year. Another IDC study, Coviello said, showed that malware instances had more than 200,000 variants in 2006 and that intrusion-detection systems were only able to spot 70 percent of intrusions.

Two of Microsoft Corp.'s lead executives made a surprising pitch for hardware assistance in ID management at RSA. Chairman Bill Gates and chief strategy officer Craig Mundie made a strong push for hardware-based identity management in a keynote speech, declaring that password-based protection must be phased out quickly to thwart identity theft. Gates pointed specifically to the work of the Trusted Computing Group in defining a chip-level Trusted Platform Module. TPM solutions on the physical layer, combined with general certificate-based identity strategies based on hardware, would mean the end of hard-to-remember and easy-to-compromise user passwords, the speakers said.

Industry consultant Roger Kay declared TPM ready for mass deployment, noting that it is already embedded in tens of millions of PCs and is offered by multiple chip vendors.

Weakest link
"We see smart cards specifically, and certificates in general, as the direction identity protection must move in," Gates said. "Passwords already are the weakest link in information protection."

In defining networks that provide granularity in allowed connectivity, Mundie said, some corporate users have been too quick to bypass lower-layer security mechanisms, such as Internet Protocol Secure (IPsec). Gates seconded the notion, saying, "IPsec is still the best mechanism for defining allowed connections on a network."

Enhancing the granularity of connection protection is one reason for moving networks to IPv6, which allows greater flexibility in defining allowed links on the basis of user identity, Mundie said. New work on the active directory and metadirectories for the server-based Longhorn environment, in conjunction with IPv6, will lead to more adaptive policy enforcement of connectivity rules under IPv6 and IPsec.

A particularly lucrative area of future policy management, Gates predicted, will be in mandated "health checks" for client systems, where endpoints are required to prove they have been updated with necessary patches before being allowed to connect to the corporate network.

Microsoft soon could be in an enviable position with its Network Access Protection framework, once seen as a dark horse against Cisco's NAC. Nevis Networks Inc., developer of the LANenforcer appliance and switch hardware products, elected at RSA to support Microsoft's NAP. Dominic Wilde, vice president of marketing at Nevis, said Microsoft had proved itself more aware of AAA and ID management than Cisco. Also, the free inclusion of NAP in Vista and Longhorn could "quickly turn NAC into a nonstarter for Cisco," he said.