Arthur Coviello | Positive signs in cybersecurity
Interview with RSA President Arthur Coviello
- By Joab Jackson
- May 27, 2007
"There is a growing recognition that the perimeter defense that we've all grown to love (antivirus, firewall, virtual private networks) is not sufficient." - Arthur Coviello
When it comes to matters of national cybersecurity, RSA President Arthur Coviello has been one of the most vocal technology executives, and at times one of the most critical. In the past few years, Coviello has called for the elevation of a cybersecurity czar with proper budget authority at the Homeland Security Department. He has also called for government to take a more active role in network security. GCN talked with Coviello to find out what he thinks about recent changes in federal law and management objectives. We also wanted to find out more about EMC's purchase of RSA, which was completed last year.

GCN: The Federal Information Security Management Act calls for two-factor authentication. What would you recommend agencies use for the second form of authentication, in addition to passwords?

Coviello:
At the high end, we can provide a smart card with a digital certificate that can do a digital signature. At the highest-volume end, we have a methodology based on pattern recognition that allows a company to provide a risk score [of how likely people are to be who they] say they are, based on a pattern of activity that has been established.
For instance, if you do online banking, historically you would provide your user name and password at the bank's site. What we have done with a number of banks responding to the [Federal Deposit Insurance Corp.] recommendations for strong authentication, is to provide a technology that looks for consistency in [user behaviors]: things like screen resolution, the IP address you access the site from, the time of day, the type of transactions you engage in.
Based on a consistent pattern of access, we can determine that it is you. If you don't come in from the same IP address or you try to wire-transfer money to Lafia, [Nigeria], we have a pretty good idea that it is not you. We develop a risk score depending on how many of those characteristics you are consistent with.

GCN: What happens if I try to access my account by atypical means?

Coviello:
If you did some type of anomalous transaction, like wire-transfer money to a sick relative in San Francisco, we would ask for more identification.
We might require you to phone the bank. We might require you to answer a series of life questions. We recently introduced a voice-based biometric where you could call a bank and identify yourself. So we don't stop the transaction from occurring, but we adapt to the fact and circumstances and risks involved.
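The risk scoring and adaptive response described in the two answers above, as an added example that is not part of the interview and not RSA's product code: a user's established pattern (login network, screen resolution, hour of day, transaction type, transfer destination) is compared with a new event, each inconsistent feature adds a weight to a risk score, and the score selects a response (allow, answer life questions, phone the bank) rather than a hard block. The profile, feature weights, thresholds, IP ranges and events are all constructed for illustration.

```python
# Added example (not RSA's product code): risk-based authentication as
# described in the interview. An established pattern of activity is compared
# with a new session/transaction; each inconsistent feature adds to a risk
# score, and the score selects an adaptive response instead of a hard block.
# Profiles, weights, thresholds and events below are constructed for
# illustration only.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Weight added when a feature is inconsistent with the user's history.
# These numbers are assumptions, not values from the interview.
WEIGHTS = {
    "network": 30,      # login from a network never seen before
    "screen": 10,       # screen resolution never seen before
    "hour": 10,         # outside the user's usual hours of day
    "txn_type": 30,     # transaction type the user never performs
    "destination": 40,  # transfer to a foreign country never seen before
}

# Score thresholds for the adaptive response (assumed values).
STEP_UP_THRESHOLD = 30   # ask a series of life questions
CALL_THRESHOLD = 60      # require the customer to phone the bank


@dataclass
class Profile:
    """Pattern of activity established from a user's past sessions."""
    networks: List[str]      # CIDR blocks the user usually logs in from
    screens: Set[str]
    hours: Set[int]          # usual hours of day (0-23)
    txn_types: Set[str]      # e.g. {"balance", "bill_pay"}
    destinations: Set[str]   # ISO country codes of previous wire transfers
    home_country: str        # domestic transfers are not a destination anomaly


@dataclass
class Event:
    ip: str
    screen: str
    hour: int
    txn_type: str
    destination: Optional[str] = None   # country code for wire transfers


def inconsistencies(profile: Profile, event: Event) -> List[str]:
    """Names of the features that do not match the established pattern."""
    found = []
    addr = ipaddress.ip_address(event.ip)
    if not any(addr in ipaddress.ip_network(n) for n in profile.networks):
        found.append("network")
    if event.screen not in profile.screens:
        found.append("screen")
    if event.hour not in profile.hours:
        found.append("hour")
    if event.txn_type not in profile.txn_types:
        found.append("txn_type")
    if (event.txn_type == "wire"
            and event.destination != profile.home_country
            and event.destination not in profile.destinations):
        found.append("destination")
    return found


def risk_score(profile: Profile, event: Event) -> int:
    return sum(WEIGHTS[f] for f in inconsistencies(profile, event))


def decide(profile: Profile, event: Event) -> str:
    """Map the risk score to a response; the transaction is never simply dropped."""
    score = risk_score(profile, event)
    if score >= CALL_THRESHOLD:
        return "require_phone_call"
    if score >= STEP_UP_THRESHOLD:
        return "ask_life_questions"
    return "allow"


# Constructed profile: a US customer who checks balances and pays bills from
# home (TEST-NET-3 range) during the day and has never sent a wire transfer.
PROFILE = Profile(
    networks=["203.0.113.0/24"],
    screens={"1280x800"},
    hours=set(range(7, 23)),
    txn_types={"balance", "bill_pay"},
    destinations=set(),
    home_country="US",
)

# Constructed events mirroring the interview's scenarios.
EVENTS = {
    "usual_balance_check": Event("203.0.113.44", "1280x800", 9, "balance"),
    "wire_to_sf": Event("203.0.113.44", "1280x800", 20, "wire", "US"),
    "wire_to_lafia": Event("198.51.100.7", "1920x1080", 3, "wire", "NG"),
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(name, inconsistencies(PROFILE, ev), risk_score(PROFILE, ev), decide(PROFILE, ev))
```

The domestic wire from the usual machine is anomalous only in transaction type, so it is stepped up rather than refused; the night-time wire to Nigeria from an unknown network and screen trips every feature and is pushed to the strongest challenge. In practice the weights would be learned from fraud outcomes rather than fixed by hand, and the baseline must be built before an attacker can influence it.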
This pattern-recognition technology that we've rolled out in the consumer marketplace in the past year can also be applied to government/citizen type of interactions and even internal government agency work as well. We will introduce that technology over time.

GCN: Can you explain a bit more about the government banking regulations concerning online access control?

Coviello:
In the fall of 2005, the consortium of federal regulators, [consisting of] the FDIC, the Federal Reserve, the Office of Thrift Supervision and others, came together to make a recommendation to all of the financial-services institutions that, by the end of 2006, they should adopt something stronger than a private password to authenticate transactions.
We think that that is government leadership at its best. It responds to a real need to address the threats of malware and spyware that capture the keystrokes and passwords. It does it without regulation. It was just a recommendation of the best practice, and yet the financial institutions responded and started to implement solutions in a big, big way.
We see this [leadership] with the Office of Management and Budget as well. [With FISMA], all the OMB came out with was recommendations around best practices. They did not mandate technology solutions, they did not recommend technology solutions.
Other than the [Homeland Security Presidential Directive 12], which is a specification developed internally that vendors have to develop to, they've not been technology-specific. OMB is just recommending best practices that are out there and have been followed by industry in the past.
I've been a fairly vocal critic on how the administration did not follow through with the National Strategy to Secure Cyberspace that was laid out in 2003. But in the last year, we've seen significant change in government leadership.
The FDIC is one example. Another came from the state of California with their Senate Bill 1386, [which required companies to notify customers about security breaches that exposed personal information]. It's had a dramatic effect on breach notifications. All of these [announced data breaches] might not have hit the press without the benefit of this breach notification.
As bad as those breaches were, and as much as they eroded consumer confidence, they have caused a sea change in companies. Now companies risk loss of reputation and, thanks to the Federal Trade Commission, even significant fines.
The third element we're very pleased to see is [DHS] Secretary Michael Chertoff appointing an assistant secretary for securing cyberspace and telecommunications, [Greg Garcia]. We had an opportunity to meet with him, and he assembled a very strong team, and we expect him now to go about executing the president's strategy. So we've seen a significant change.

GCN: Why did EMC purchase RSA?

Coviello:
EMC developed a franchise out of a specific focus on storage and [is now moving to] a broader franchise on IT infrastructure generally, and that encompasses four elements: storing the information, managing the information, optimizing and protecting information.
Under the realm of protecting information, they came to us for information security.
In information security, there is a growing recognition that the perimeter defense that we've all grown to love, which is composed of antivirus, firewall, virtual private networks and the like, is not sufficient. The nature of threats has evolved. If you ask most customers if their perimeter is secure, they will say yes. If you ask if their information is secure, they would not be so sure.
Information is dynamic. It moves from storage to the database to the application, to the user and back again. It doesn't stay static, so to really protect information you have to take an information-centric approach. One does that by identifying and protecting the people who get access to the information. Another element is defining what level of access to information people should get. Another element is protecting the data as it moves and when it is at rest. At rest, we encrypt. As it moves, we can also encrypt, but there are other elements of making sure it only moves directionally where it ought to.
Joab Jackson is the senior technology editor for Government Computer News.