Establishing Digital Trust: Don't Sacrifice Security for Convenience
The RSA Conference began 10 years ago as a meeting ground for cryptographers. Anyone not able to speak the language of crypto algorithms wouldn't bother showing up. This year's edition, held recently in San Francisco, showed a number of signs of an industry that is maturing.
It's a much different affair these days, taking on the look and feel of a full-fledged trade show, along the lines of a smallish NetWorld+Interop.
Just consider the opening ceremony, which saw the San Francisco Symphony Orchestra playing the theme to "2001: A Space Odyssey" before giving way to '80s rocker Pat Benatar, who belted out a revised version of her hit "Heartbreaker." (Benatar still sounds good, but lyrics like, "You're the right kind of hacker, to release my new tech-nol-o-gy" had at least this reporter cringing.) Something tells me the crypto experts in 1991 didn't have quite this level of theatrics.

They also didn't likely have the same level of comfort as 2001 RSA attendees. All conference sessions were held in the Sony Metreon movie complex adjacent to the Moscone Center. We're talking stadium seating, complete with cup-holders, which came in handy given the abundance of coffee mugs, bottled juices and water that were available at no charge.
The San Francisco show attracted more than 250 vendors and 10,000 attendees, according to Scott Schnell, senior vice president of marketing and corporate development for RSA Security. That makes it the "largest security conference ever," he said.
Those kinds of numbers alone point to security as an industry on the rise. Here are a few other items picked up during three days at the RSA Conference that buttress the point.
Two members of Ford Motor Co.'s security team presented a session on how they were implementing Public Key Infrastructure technology. You read that right: an actual end user company, and a large one at that, talking publicly about a PKI implementation. And they weren't the only end users talking PKI at the show. (See Companies warming up to PKI.)
Baltimore Technologies announced and demonstrated its UniCERT Certificate Deployment Service (CDS), a Web-based tool for issuing and managing digital certificates. If the demo was any indication of how this tool really works, it is indeed simple, with a form-based GUI and automated certificate distribution capabilities that just might go a long way toward lowering the PKI learning curve.
Another PKI vendor, Entrust, talked about how it is trying to move from a model where security credentials are stored on client machines to one where the credentials are stored on the Web and security is delivered as a service. The service would be integrated with various applications using XML, said Paul Doscher, executive vice president, marketing and business development with Entrust. The idea, he said, is to identify the person, not the device. That promotes mobility, enabling a person's security and authorization credentials to travel with them and be valid no matter what device they may be using. This theme of mobility and security as a Web-based service was one heard a number of times throughout the conference from other vendors, including VeriSign.
Nobody was (again) saying 2001 will be the year of the smart card, but there was evidence the cards are starting to gain momentum. Scott Smith, director of product management and marketing at smart card vendor Gemplus, said his company's revenue grew 57% in 2000 vs. the prior year, exceeding $1 billion. His company used the show to announce an agreement whereby Computer Associates would integrate Gemplus smart cards into the CA eTrust PKI system, part of a string of such announcements meant to ensure that the cards can be used with virtually any vendor's PKI tools.
Compaq, meanwhile, was showing smart card readers integrated into keyboards and laptops. The keyboard with integrated reader costs only $77, the company said. Compaq also showed fingerprint readers that cost less than $100 and can examine your finger from virtually any angle, reducing the chance of erroneous readings due to improper finger placement. The company has similar readers integrated into keyboards and in a PCMCIA format for laptops.
The news wasn't all rosy, of course. One of the most well-attended sessions at the show was "Drive-By Shootings on the Information Superhighway," in which George Kurtz demonstrated just how easy it is for hackers to break into your systems. Kurtz, CEO of security services firm Foundstone, is a recognized security guru who wowed the crowd with simple (to them) examples of actual hacks his firm has encountered in the field. "Is it really as easy as the media claims? I think we can say unequivocally, 'yes,'" Kurtz said.
The biggest threats come from systems that are, from a security perspective, misconfigured either out of the box or after the fact, such as with default or easily guessed passwords, he said. He demonstrated hacks whereby he could get access to all passwords, execute arbitrary commands on a Web server and even use a string of encrypted passwords to assume the identity of anyone on a system, including the administrator. "Cracking passwords is no longer necessary," Kurtz said.