Security In The Spotlight

RSA Security plans to detail its overall identity and access management strategy, said Art Coviello, CEO of the company. Key to the strategy is a new architecture that will provide a common platform for all of its products, including SecurID authentication, ClearTrust Web access and Keon digital certificate management, he said.

The architecture, code-named Nexus, is a Web application server-based architecture using J2EE that will allow the server components of RSA's products,including ACE Server for SecurID,to have the same user interface and administrative back end, he said.

"That's how we're going to make it work extremely transparently and seamlessly in your environment," Coviello said.

Bedford, Mass.-based RSA said it plans to roll out product upgrades based on Nexus starting next quarter. Customers with maintenance contracts can obtain the upgrades for free.

Coviello said the platform will offer new opportunities for RSA's reseller partners. "This gives them an opportunity to secure Web applications and Web services, which will present a tremendous opportunity as the growth curve for VPNs and firewalls flattens out,that's a market that's subject to commoditization and overdistribution," he said. "We think this gives them a heck of an opportunity to add value."

Kevin Reith, manager of strategic technology at solution provider Info Systems, Wilmington, Del., said RSA's new platform will allow his company to provide a more comprehensive security solution and offers greater service opportunities.

"It will make it a lot easier to glue the pieces of the security puzzle together. Security is no longer about point solutions but [about] layers of security that cover multiple facets of a customer's enterprise," he said.

The platform opens the door to other technologies,such as portals, single sign-on and personalized Web services,that many customers have on their radar screens, Reith added.

Also at the RSA Conference, VeriSign aims to make it easier to secure Web services with the launch of its Trust Gateway. The technology simplifies Web services security by applying XML security operations to applications at one location, eliminating the need for developers to write security code into each application, VeriSign executives said.

Trust Gateway combines VeriSign's managed Public Key Infrastructure (PKI) with a software module that is deployed at the customer site in front of the application server and performs a number of functions, including routing incoming and outgoing messages, validating credentials, encryption and access authorization. Administrators configure security settings via a browser-based console.

Ben Golub, senior vice president in VeriSign's security and payments division, said Trust Gateway gives systems integrators and enterprises an integrated, standards-based security solution for Web services.

"It allows companies that are engaging in Web services or,more broadly,enterprise application initiatives to centralize the security policy administration and deal with all the high-end processing of signatures and encryption that are called for in Web services," he said.

Trust Gateway will be generally available in June with subscription pricing. Plans call for VeriSign, Redwood City, Calif., to team with other vendors to deliver the module as an appliance, Golub said.

The show also will feature news on security standards for Web applications, Web services and network identity. A group of application security vendors, including SPI Dynamics and Teros, plan to propose an XML standard to define and categorize application vulnerabilities in a standard way that can be used by various application security products.

Meanwhile, the Liberty Alliance, a consortium of more than 160 organizations, will release details about the second phase of its specifications for open, federated network identity.