Mobile Trusted Module by Atos and StMicro at Cartes
Just search exhibitors at:
http://www.cartes.com
Rob Enderle The Real Truth about Technology and IT
2008: Significant Improvements in PC Security
http://www.itbusinessedge.com/blogs/rob/?p=163
Posted by Rob Enderle on November 5, 2007 at 11:14 am
We’ve had a number of highly public data breaches during 2007 and the vendors are starting to step up to address this exposure. This will range from the rollout of new parts to the creation of a new platform and the introduction of technology that will allow a stolen laptop to scream for help. On the physical side, we’ll see more peripherals that will only work with the machines they are assigned to and will be increasingly hard to steal.
TPM and Encrypted Data
We’ve been buying PCs with Trusted Platform Module devices in them for some time, but most of us haven’t bothered to turn this important piece of technology on. Seagate recently released its new TPM-compliant encrypted drives which should start showing up in laptops shortly. The advantage to these drives is, if implemented properly, IT owns the keys to the encryption and both centrally manages them and can revoke them. Once keys are revoked, the drives are effectively worthless, which makes disposing of laptops much easier — you just pull the key. Should the drive be lost, assuming you have strong user authentication, you can reasonably assure the data won’t be compromised.
This provides another reason to pick up a product like Wave Systems and turn the darned TPMs on. It amazes me that folks have this security feature, which they paid extra for, and most don’t actually use it.
Interesting Grawrock comment re:TPM management
http://communities.intel.com/openport/blogs/proexpert/2007/09/25/hello-world#comments
Hal’s second question was the creation of software and SDK’s for TPM management. I do not know of any Intel plans for that software but TPM management code is available from a variety of vendors including Wave, Infineon, and NTRU. As Steve noted we bundle with our platforms the Wave solution. I would check with the TCG web site (www.trustedcomputinggroup.org) for more pointers.
GCN article on Trusted Computing
http://www.gcn.com/print/26_25/45094-1.html?topic=techreport
Utimaco Provides Enterprise Key and Policy Management for Next-Generation Intel vPro Technology
http://newsticker.welt.de/index.php?channel=fin&module=smarthouse&id=591052
Utimaco – The Data Security Company, today announced at the Intel Developer Forum support for the next generation of Intel® vPro™ processor technology, will be made available in the second half of 2008. Under the cooperation, Utimaco SafeGuard® solutions will provide key and policy management for Intel’s hardware-based encryption technology, codenamed Danbury technology. Utimaco plans to integrate Danbury capabilities with SafeGuard data security functionalities, for enterprise-wide management of data encryption. "With the integration of Intel's chipset-based technology under our management platform SafeGuard Enterprise, customers get the best of both worlds: Hardware-enabled encryption with enterprise-grade data security management,” said Malte Pollmann, Executive Vice President Products, Utimaco. "Working together, Utimaco and Intel are combating the dangers of unprotected data on mobile and desktop PCs.” Data breaches due to lost or stolen PCs pose an ongoing threat to the enterprise. Once deployed, Utimaco SafeGuard solutions not only ensure that no authorized user can access the protected device, read data from the device or use the device to enter the company network, but also ease the required management processes of security policies, encryption keys and multifactor authentication in medium to large enterprises. "Intel is providing solid data protection capabilities in its new vPro technology platforms. These new capabilities allow businesses to protect data and to more effectively manage systems with encrypted data," said Tom Quillin, Digital Office Ecosystem Enabling of Intel. "Intel will collaborate with Utimaco on delivering robust data protection, made easy-to-manage with Utimaco tools.” Utimaco was recently again positioned by Gartner, Inc. in the "Leaders” quadrant of the "Magic Quadrant for Mobile Data Protection 2007” in recognition of the strength of the company’s product offering and understanding of customer needs.
About SafeGuard Enterprise Data Security Suite SafeGuard Enterprise 5.1 comprises the existing SafeGuard Management Centre module and the SafeGuard Device Encryption module. SafeGuard Management Centre enables companies to implement security guidelines centrally and administer them company-wide and across platforms. SafeGuard Device Encryption transparently encrypts data on notebooks, PCs and removable media. Further modules rounding off Utimaco's new data security suite are to be added in later product versions: SafeGuard File & Folder Encryption secures user data that is exchanged between working groups. In addition, it can be used to encrypt both local disk drives and network servers at file and directory level, and to assign them individual access rights. SafeGuard Configuration Protection offers central control over all fixed and mobile computing devices and protects against malware, inappropriate software use, and unauthorized configuration changes. SafeGuard Data Exchange guarantees the secure exchange of confidential data with business partners and customers.
Dell/Seagate/Wave in the Washington Post
http://www.washingtonpost.com/wp-dyn/content/article/2007/09/18/AR2007091800887.html
New Dell laptop sports Seagate's crypto marvel
Dell's newest Latitudes come with Seagate's auto-encryption hard drive.
John E. Dunn
PC World
Tuesday, September 18, 2007; 12:19 PM
Dell has become the latest and largest vendor to offer laptops featuring Seagate's full disk encryption hard drive, the 2.5 inch Momentus 5400 FDE.2.
The drive was first announced after its extended gestation only last March, but that was inside laptops made by clone vendor, ASI. Dell is to sell the high-security drives in its new Latitude D630 and D830 models from this week.
The groundbreaking Momentus FDE.2 -- for once this marketing cliché is probably about right -- ranks as the first laptop hard drive integrating the technology to make it to the mass market. Although hard drive encryption is a common technology, the Momentus integrates the technology at hardware and drive firmware level, making it both transparent, extremely hard to crack, and because of built-in acceleration, faster than add-on encryption.
In all other respects, from the user's point of view, the Momentus FDE.2 is a conventional hard drive which requires a master passphrase to be set for boot-up access. Dell is to sell the drive with the Embassy Trust Suite from software company Wave Systems, also promoted by Seagate during the drive's soft-launch in March. This allows IT admins to manage laptops using the drives, accessing such features as password recovery, and data backup of encrypted drives
"Dell is at the forefront of notebook security because it ranks as a top concern for customers in an environment where more data is produced by an increasingly mobile work force," said Dell's Margaret Franco.
"The industry-first solution we're announcing today adds to our multi-pronged approach to security that delivers an ironclad assurance of protection."
Seagate and Dell hope that despite adding cost to a laptop -- not yet specified on the company website - businesses will jump at the chance of hard drive security in a way, thus far, they have not. Full disk encryption systems still have the reputation for being awkward to manage, difficult to use, and for slowing down the PC.
Balanced against this will be the now-routine security scares caused by the loss or theft of laptops, containing important data that turned out as not-encrypted in any way.
Seagate has produced a white paper, explaining the drive technology on its website.
Encrypted drive on Precision M6300
(interesting aside in bolded section)
http://virtualization.sys-con.com/read/430300.htm
Dell Buys All Extreme Edition Core 2 Duos Intel Can Spare
By: Virtualization News Desk
Sep. 17, 2007 05:30 PM
Dell is relieving Intel of all of the new 2.8GHz Core 2 Duo Extreme Edition processors that aren't going into games machine for its new top-of-the-line Precision M6300 Mobile Workstation with a 17-inch screen. It's unclear how long this temporary exclusive runs but Dell is also using garden variety Core 2 Duos for the box.
The notebook, considered a desktop replacement because of its 8.5lb weight, will eventually replace the M90 laptop. It's fitted with Vista Business and Ultimate or XP SP2 to start; Red Hat 5.1 will follow in November. The graphics are an Nvidia Quadro FX OpenGL.
Users can choose a 120GB encrypted disk drive - though given their demonstrated lack of responsibility it should be standard - that Dell claims is easier to manage and less noticeable than the usual software encryption. They could also have a solid-state drive or a Vista-only hybrid.
The notebook promises four-hour battery life and comes with an Energy Star 4.0 rating.
Dell is first in PC workstations up against competition from HP and Lenovo.
Microsoft exec. touting TPM tech
http://star-techcentral.com/tech/story.asp?file=/2007/9/17/itfeature/20070917160518&sec=itfeatur...
Encryption is the key
With more hackers out for personal financial gain, such attacks are expected to become more sophisticated and difficult to defend against, according to a security expert.
"They are experts at crafting specific tools to attack data, with the intention of either stealing information or tampering with it before reinserting it," said Steve Riley, Microsoft's senior security strategist at Tech.Ed SEA 2007.
Apart from such network breaches, a growing number of businesses are falling victim to laptop computer theft, which can also result in the costly loss of data.
To protect against this, Riley suggests that users make it a habit to encrypt the data on their hard drives, even if it's on a home PC and especially if it's on a portable computer.
This, he said, can be easily done using third-party software or by taking advantage of Microsoft's Encrypting File System (EFS), as well as its BitLocker Drive Encryption solution, which come with Windows Vista.
Riley also advised users to consider using computers that come embedded with the Trusted Platform Module (TPM) chip.
"A combination of these technologies should be used to enforce multiple layers of security," he said.
He recommends using the TPM chip's abilities through BitLocker and enabling a personal identification number (PIN) verification mechanism.
Computer users, he said, should also make a habit of choosing stronger passwords for authentication.
This does not necessarily have to be something with a combination of alphabets and numbers, which would be difficult to memorise.
Instead, they could use a phrase consisting of at least 15 characters, he said.
Riley claimed that this type of password or "pass phrase" would make it very difficult for an attacker to crack even if he or she used a rainbow table, which is a reference list used to recover plaintext passwords from hashes generated by a cryptographic function. — RAVIND RAMESH
VPro and TPM, good little explanation...
http://mybroadband.co.za/news/Hardware/1344.html
Intel unveils Vpro 2007
Sibonelo Mkhwanazi Computing SA
17 September, 2007
Intel has unveiled the Vpro Processor Technology for 2007, formerly named Weybridge, and even more formally known as AMT3.0. The company says this technology adds a bunch of security features to the mix.
"The Vpro 2007 spec does several interesting things, the first is to prevent rootkitting via hypervisor, basically preventing a malware hypervisor from getting under the hypervisor you want to have running," says Diane Bryant, vice-president of Intel’s digital enterprise group.
Bryant says the Trusted Platform Module (TPM) allows the user to do a ’secure boot’, basically when he/she loads a machine he can check sum vital parts of it. "If those parts do not checksum the same when you boot, it can set a flag, or better stop the boot. In other words it cryptographically ensures what you have running is what you want running," she notes.
She says the nice thing the Vpro 2007 variant does is to turn off the modes necessary for a hardware-based VM (Virtual Machine) to function until there is a clean secure boot. "If you try and slide a rogue hypervisor into the system, it will sense the non-secure boot, and keep instructions necessary for the malware to operate locked down," adds Bryant.
Bryant says related to this is a closing down of DMA (Direct Memory Access) preventing the user from putting things all over the place in memory.
She says VMs that can write outside their allotted memory are a big potential risk, and they are now shut down in two ways. "DMA’s can be remapped with an offset to direct it to a specific VM, making it ’start off’ in the correct spot in memory," says Bryant.
Bryant says the Vpro 2007 can also constrain DMAs to an upper bound, forcing any DMA from a specific VM to go only to the places it should be allowed to go. She says if you figure out a way to spoof a DMA request, this will hopefully shut it down.
"The Network Information Centre (NIC) keeps a few seconds of traffic data in memory, performing two calculations. The first is to count the number of Internet Protocol (IP) addresses per port over a period of 10ms to 1s, and from 8 to 64 IPs. Basically if your machine decides to open 50 sockets on port 31337 in 25 seconds, this can flag the behaviour," says Bryant.
She says another area of concern is that the newest management technologies, like 802.1 x and Cisco NAC, all need an Operating System to give some tokens or certificates in order to secure the connection. "This is not a problem if the OS in question has the security token, but if the OS is not running you cannot make a secure connection," she notes.
"What the Vpro 2007 does is store some of those tokens on the NIC itself so the connection can be secured before the OS comes up. You can also image a machine remotely in a secure way where as before you could not ’up the shields’ until everything was booting correctly," says Bryant.
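The secure-boot behaviour Bryant describes above (checksum the vital parts at boot, compare, then either set a flag or stop the boot, and keep hardware VM modes locked until the boot is clean) can be modelled with a TPM-style PCR hash chain. The code below is an added example, not Intel's or Wave's code; the component names and images are constructed samples.

```python
import hashlib

# Constructed stand-ins for the "vital parts" Bryant says the TPM checksums at
# boot. Names and contents are hypothetical; a real chain measures firmware,
# bootloader, hypervisor and kernel images.
GOLDEN_COMPONENTS = {
    "bootloader": b"bootloader v1.0 (constructed sample)",
    "hypervisor": b"trusted hypervisor image (constructed sample)",
    "kernel": b"os kernel image (constructed sample)",
}

PCR_INITIAL = bytes(32)  # a PCR starts at all-zeros and can only be extended


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || measurement).

    Because the hash chains, the same final value is only reachable by
    measuring the same components in the same order."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components):
    """Measure each (name, image) in boot order, extending one PCR.

    Returns (final_pcr, event_log); the log records what was measured so a
    mismatch can later be traced to the component that changed."""
    pcr = PCR_INITIAL
    log = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def golden_pcr():
    """The reference value a clean boot of the golden components produces."""
    return measure_boot(GOLDEN_COMPONENTS.items())[0]


def enforce_policy(actual_pcr: bytes, expected_pcr: bytes, stop_on_mismatch: bool) -> str:
    """Apply the two responses the text describes: set a flag, or stop the boot.

    'clean'   -> measurements match, hardware VM modes may be released
    'flagged' -> mismatch noted, boot continues with VM modes kept locked
    'halted'  -> mismatch and policy says stop the boot"""
    if actual_pcr == expected_pcr:
        return "clean"
    return "halted" if stop_on_mismatch else "flagged"


def boot(components, stop_on_mismatch=False):
    """Measure a boot chain and return the policy outcome."""
    pcr, _log = measure_boot(components)
    return enforce_policy(pcr, golden_pcr(), stop_on_mismatch)


# A boot chain where a different hypervisor has been slid in under the expected
# one (constructed sample; every other component is unchanged).
ROGUE_CHAIN = [
    ("bootloader", GOLDEN_COMPONENTS["bootloader"]),
    ("hypervisor", b"rogue hypervisor image (constructed sample)"),
    ("kernel", GOLDEN_COMPONENTS["kernel"]),
]

if __name__ == "__main__":
    print("golden chain:", boot(GOLDEN_COMPONENTS.items()))
    print("rogue chain, flag only:", boot(ROGUE_CHAIN))
    print("rogue chain, stop boot:", boot(ROGUE_CHAIN, stop_on_mismatch=True))
```

Reordering the same components also changes the final PCR, which is why the chain catches substitution and reordering alike.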
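The NIC heuristic Bryant quotes (count distinct IP addresses per port over a 10 ms to 1 s window and flag when the count reaches 8 to 64) is simple enough to reproduce as host-side detection logic. This is an added example run over constructed sample connection events, not Intel's implementation; the window and threshold parameters are assumptions taken from the ranges in the text.

```python
from collections import defaultdict, deque


def detect_fanout(events, window_s=1.0, ip_threshold=8):
    """Flag ports that talk to too many distinct IPs within a short window.

    events: iterable of (t_seconds, dst_ip, dst_port) in time order.
    window_s and ip_threshold mirror the ranges in the text (10 ms to 1 s,
    8 to 64 IPs). Returns one (t, port, distinct_ips) alert per burst."""
    recent = defaultdict(deque)   # port -> deque of (t, ip) inside the window
    alerts, in_alert = [], set()
    for t, ip, port in events:
        q = recent[port]
        q.append((t, ip))
        while q and t - q[0][0] > window_s:   # drop events older than the window
            q.popleft()
        distinct = len({i for _, i in q})
        if distinct >= ip_threshold:
            if port not in in_alert:          # report once per burst, not per packet
                alerts.append((t, port, distinct))
                in_alert.add(port)
        else:
            in_alert.discard(port)
    return alerts


def constructed_events():
    """Constructed sample traffic: ordinary HTTPS plus a burst on port 31337."""
    ev = [(0.4 * i, f"10.0.0.{i + 1}", 443) for i in range(10)]      # 1 new IP per 0.4 s
    ev += [(round(2.0 + 0.025 * i, 3), f"192.0.2.{i + 1}", 31337)   # 12 IPs in 0.3 s
           for i in range(12)]
    return sorted(ev)


SAMPLE_EVENTS = constructed_events()

if __name__ == "__main__":
    for t, port, n in detect_fanout(SAMPLE_EVENTS):
        print(f"t={t:.3f}s port {port}: {n} distinct IPs within 1 s")
```

With the 10 ms end of the window the same burst produces no alert, which shows why the window and threshold have to be tuned together.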
I agree! Looks like the supply issue has been addressed and perhaps some early adopters in place to tout the wonders of the technology. Certainly the references to Wave are getting less oblique and more confident. Nice find Fixit. Cheers, Foam
Dell Rolls Out New Secure Notebooks
Dell delivers the world's most secure commercial notebooks
http://www.darkreading.com/document.asp?doc_id=133821&WT.svl=wire_1
SEPTEMBER 13, 2007 | ROUND ROCK, Texas -- Dell today announced the world's most secure notebooks with the addition of a managed hardware-based encryption solution on its Latitude D630 and D830.
The industry-first solution delivers improved performance versus software based encryption and automated compliance reports so customers are confident that encryption is enabled.
"Dell is at the forefront of notebook security because it ranks as a top concern for customers in an environment where more data is produced by an increasingly mobile work force," said Margaret Franco, director, Dell Product Group. "The industry-first solution we're announcing today adds to our multi-pronged approach to security that delivers an ironclad assurance of protection."
Hitachi/TPM talk at CEATEC
(Wonder if they'll be trying to tie their FDE HDDs to the TPM? Bit of a rhetorical question, naturally...)
http://www.ceatec.com/2007/en/visitor/co_day_03_detail.html?lectue_id=30904&track_code=is
The Security frontier leveraged by TPM
An industry group called the Trusted Computing Group (TCG) is promoting the development of a trusted computing environment based on a hardware security module, the Trusted Platform Module (TPM). Since 2005, almost all PCs shipped in Japan have included the TPM, so this module is now a de facto security standard for PCs. In today's speech, we discuss the technology trend of TCG, usage cases for the TPM and embedded systems for which the TPM is used.
role:
Mr. Hisanori Mishima
Systems Development Laboratory Senior Researcher 7th Research Dept
Hitachi, Ltd.
Enterprise-wide key management in wide demand
(Here's the demand pull as Alea puts it)
http://www.darkreading.com/document.asp?doc_id=133121&WT.svl=wire_1
Survey: Encryption Is Growing
Independent survey shows increasing use of encryption and growing need for centralized automated key management
SEPTEMBER 5, 2007 | STONEHAM, Mass. -- The greatly increased adoption of the use of encryption is driving the need for centralized and automated key management solutions – this is the finding of a new survey report ‘Encryption and Key Management’ issued by Aberdeen Group and co-sponsored by nCipher plc (LSE: NCH), a global leader in protecting critical enterprise data.
Best-in-Class organizations demonstrated a tremendous increase in the number of applications and locations deploying cryptography in order to protect sensitive data compared with one year ago and consequently an increase in the number of encryption keys they have to manage. Eighty-one percent increased the number of applications using encryption, 50 percent increased the number of locations implementing encryption and 71 percent increased the number of encryption keys under management compared with one year ago.
To address this increased adoption Best-in-Class companies have shifted their thinking and were 60 percent more likely than the industry average to take a more strategic, enterprise-wide approach to encryption and key management than the traditional more tactical approach of addressing particular and isolated points of risk within the infrastructure. To further quantify this shift the survey describes the significantly higher priorities and corresponding investments on important encryption and key management technologies as well as organizational and process related topics by Best-in Class companies. The survey concludes that these pioneering organizations have already benefited by lowering the instances of actual or potential exposure while simultaneously reducing actual key management costs by an average of 34 percent.
“Best-in-Class organizations have not only deployed encryption more widely for the protection of sensitive data, but also have begun to implement centralized key management and automated key distribution solutions to deliver higher scalability, lower operational costs, reduce risk, establish consistent security policies, and sustain regulatory compliance” says Derek Brink, vice president and research director at Aberdeen Group. “Clear ownership and accountability for the creation, revision and enforcement of encryption and key management policies and practices is a critical factor for successful implementation. Products such as nCipher’s keyAuthority provide such companies with a tool to accelerate deployment and provide a platform for future growth.”
Gemalto/VOIP/TPM
Following talk from Gemalto exec. is interesting:
http://www.strategiestm.com/conferences/gemalto-innov-forum/07/agenda.htm#m18
VOIP and TPM: the importance of being security aware
Pierre Girard, security expert, manager of the Open Security System
XXXXCSLEWIS - Information QUARTERLY, more or less, I guess. Seems to average about four a year. My guess is there'll be a late summer/early fall edition soon. Cheers, Foam
AMD - New Processor extensions
http://www.internetnews.com/ent-news/article.php/3697141
Enterprise
August 30, 2007
AMD Proposes New x86 Extensions
By Andy Patrizio
AMD is proposing a new set of x86 processor extensions. As InternetNews.com reported last week, the SSE 5 are targeting markets where AMD sees room for performance improvement.
The SSE 5 extensions are for three primary areas: high performance, compute intensive applications such as financial simulation and life sciences, multimedia applications like high definition video encoding and image processing, and security applications such as secure transactions and hard drive encryption.
The extensions are being made public today; AMD (Quote) will engage developers and OEM partners over the course of the development. Leendert Van Doorn, AMD senior fellow, told Internetnews.com that the extensions are for the Bulldozer architecture, due in 2009, so there will be plenty of time for developers to make suggestions for changes or improvements.
Analyst Rob Enderle thinks AMD has a better approach when it comes to extending the x86 architecture beyond its basic design. "Intel gets an idea in their head of where things are going and then goes off and does it. AMD tends to listen to developers a lot more. One of the big differentiators this decade is they talk to OEM and developers and design around that," he said.
While AMD adds the 47 new instructions with SSE5 to its processors, AMD is also looking to be more power efficient and shrink the die. Bulldozer will be 65nm instead of the 90nm design of current chips. "So what we're doing is be smarter about instruction set and get more work out of the instruction set," said Van Doorn.
SSE5 accelerates traditional compute intensive workloads by improving communication between the cores and reducing the number of instructions needed per cycle. It also introduces the concept of combined instructions, such as fused multiply.
For example, if a pair of operations involve a mathematical step and then performing an action based on the results, that becomes a single operation instead of two. In some cases, this means the same task a chip does now will require fewer operations. A 4-by-4 matrix multiply required 20 instructions under SSE5 vs. 34 instructions under SSE4.
For encryption, there will be native instructions that could result in a five-fold improvement in encryption. CODEC performance on SSE5 will improve by as much as 30 percent.
All of this will be done openly, with the full SSE5 specs published on AMD's site and open for discussion, just as it did with 3Dnow! and the x86-64 specs. "We want to have a dialog with the community on how to expand the x86 instruction set out in the open. That's why we're releasing this instruction set now more than two years before shipping a product," said Van Doorn.
Extensions are how Intel and AMD differentiate, and they usually end up cross licensing them so there are no huge compatibility problems, said Enderle. He thinks there could be some real value in SSE5 when it ships, but adds that's a long way off.
"It looks like they could provide a level of value. It would be nice to hear back from customers that they agree but I haven't heard that yet," he said.
Snackman - Usually there are four issues every year so I imagine the next one should be out very soon. Will be interesting to find out what's afoot on that front. Cheers, Foam
ARM and Wave
1) Next issue of I.Q. Magazine Online will feature Wave Systems in the connected community showcase section. The following is from the current issue:
"...We will also feature Wave Systems Corp. The company is the leader in delivering trusted computing applications and services based on open specifications of the Trusted Computing Group (TCG). This includes advanced products, infrastructure and solutions across multiple trusted platforms from a variety of vendors."
http://www.iqmagazineonline.com/IQ/IQ19/pdfs/IQ19_pgs9-13.pdf
2) Lark Allen will be presenting at ARM Developers Conference:
Understanding TCG Standards for Mobile Trusted Modules and Secure Storage
Lark Allen
Wave Systems Corp
2:00 PM - 2:45 PM
This session describes the Mobile Trusted Module and Reference Architecture specifications, published by the Trusted Computing Group and directly related to ARM-processor based systems, which define the design and structures for security modules in mobile phones. The Secure Storage specifications define the addition of hardware encryption, access control, and advanced security functions for storage devices.
http://www.rtcgroup.com/arm/2007/conference/conference-sessions.php?day=2&sort=1
More on Seagate/acquisition/U.S. Govt.
http://www.santacruzsentinel.com/archive/2007/August/28/local/stories/05local.htm
Seagate CEO's comments about Chinese suitor have Washington worried
By JENNIFER PITTMAN
Sentinel Correspondent
Three days after Seagate Technology's top executive told The New York Times he would be hard-pressed to stave off an aggressive Chinese bid for the publicly traded hard disk drive maker, the company clarified Monday that no bid is on the table.
But that wasn't soon enough to put to rest federal concerns that such a transaction could threaten national security.
"Seagate is not for sale," said Woody Monroy, a company spokesman who dismissed scores of recent headlines about a pending Chinese acquisition.
"In general there has been speculation or discussion that there are some Chinese companies that would be interested in buying an American disk drive company," Monroy said. "I think Bill [Watkins, Seagate chief executive officer] was speaking in general [terms to the New York Times]. There's nothing, from our perspective, more to say about that other than to clarify that Seagate is not for sale. We haven't had any offers or bids made for Seagate."
If a bid were high enough, however, shareholders would have the final say, he said, echoing Watkins' comments that were published in the Times on Friday and helped fuel the rumors. "If they're offering a very, very high premium, you can't just dismiss it out of hand."
Seagate began selling products with encryption technology earlier this year and several manufacturers are using it in their laptops such as Fujitsu, Dell and ASI. A major security concern is that Seagate's technology could end up inside U.S. government computers after being manipulated by a foreign government.
Watkins was also quoted in the Times saying that "The U.S. government is freaking out" about the issue of its technology getting into Chinese hands.
With good reason, according to two commissioners from the U.S.-China Economic and Security Review Commission, a government legislative agency that monitors security implications of trade and the economic relationship between the United States and China.
Michael R. Wessel, a U.S.-China Economic and Security Review Commissioner, said Monday that any deal putting cutting-edge technology into foreign hands would need to be closely scrutinized.
"The comments by the chairman of the company seem to indicate this was more than just a hypothetical," Wessel said, noting that security questions are aimed at minimizing federal security risks not at impeding foreign acquisitions. Some of Seagate's technology can be remotely triggered, he said.
If a bid were to be made to acquire one of the country's two disk drive makers, U.S. agencies need to understand what assets would be transferred as part of the sale, what are the inherent risks in those technologies, and how could risk be reduced, he said. "Those are questions that should be asked."
About 1,300 of Seagate's 54,000 employees work in Scotts Valley. The company has major facilities in China, Malaysia, Switzerland, Ireland and Thailand. About 43,000 employees are located in Asia, according to company filings. Western Digital is the only other U.S. company making drives. Three years ago, Wessel and Larry M. Wortzel, one of his colleagues on the commission, raised alarms when Lenovo, a Chinese company that bought IBM's laptop business, began selling laptops to the U.S. government that were meant to be used on a classified network.
"Everybody laughed at Commissioner Wessel and myself with Lenovo," Wortzel said. "Then the state department came in and said, 'Those guys are right we can't be sure they won't build a trap door.' It turns out there was a trap door [in the technology] that allowed maintenance."
Wortzel said he doesn't have a concern about the sale of the company — just about whether the products of foreign-owned companies gain entree into sensitive U.S. government departments.
"If the government of the People's Republic of China is able to alter or implant software or modify hardware that goes into U.S. government computer systems, that potentially gives a foreign intelligence service access to that system," Wortzel said. "I don't care what the Chinese buy. I care what the U.S. government does with the product."
The commission, as a legislative policy making body, has no formal role in foreign acquisitions. The Committee on Foreign Investments in the United States [CFIUS] would review pending deals by foreign entities.
Utimaco encryption for universities
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070828005....
(Well at least it shows that there's a lot of demand out there for encryption solutions)
Universities Enlist Utimaco to Keep Students, Parents and Faculty Safe from Data Breaches
George Washington University and University of San Francisco Partner with “The Data Security Company” to Stop Information Theft
FOXBORO, Mass.--(BUSINESS WIRE)--Utimaco – The Data Security Company, today announced continued momentum in the education sector with successful deployments at George Washington University and University of San Francisco. Utimaco has been chosen by clients in the education sector to ensure against data breaches that could reveal proprietary university information and the personal and financial data of students, their parents and university employees.
Just as corporations must protect data against unauthorized access, so must universities take precautions to secure data stored on mobile devices including laptops; removable media such as USB sticks; and on desktops and networks. Incoming and returning students who enroll in universities in the United States are required to share critical data related to financial, health and other personal information. As students enter campuses for the 2007-2008 school year, they will also bring with them an unprecedented number of devices that can be used to transmit and store data and that will put educational institutions at increased risk for data breaches. George Washington University and University of San Francisco are proactively combating that threat by deploying Utimaco SafeGuard products.
Utimaco’s SafeGuard solutions provide the full spectrum of data confidentiality, integrity and central security policy management. Utimaco products protect at the end-point or the back-end (data at rest), during transmission (data in motion) and during processing (data in use). Utimaco’s 360 degree approach to data security and partnerships with market leaders have created some of the bestselling solutions for protecting data worldwide.
“Just as in the corporate sector, universities are struggling to keep up with the security risks that come with the use of new technologies,” said Craig F. Bumpus, General Manager, Utimaco Americas. “For corporations around the world, Utimaco provides rock-solid, user-transparent encryption technology that keeps data safe wherever and however it is being used, transmitted or stored. We are proud to see an increasing number of universities now choosing Utimaco for their data security needs.”
Utimaco SafeGuard products are trusted by some of the world’s leading brands to protect customer data and prevent corporate data leakage. Utimaco continues to expand its customer base in the US to include government, financial services and healthcare clients.
Utimaco Safeware AG – The Data Security Company.
Utimaco is the leading provider of data security solutions. The Data Security Company enables mid- to large-size organizations to safeguard their data assets against attacks and to comply with privacy laws by protecting their confidentiality and integrity. In response to twenty-first century threats, Utimaco’s complete range of data security solutions provides full 360 degree data protection, unlike point solutions which only partially cover the data security needs of enterprises. Only SafeGuard solutions protect and manage data during storage (data at rest), during transmission (data in motion) and during processing (data in use). Utimaco offers its customers comprehensive on-site support via a world-wide network of certified partners and subsidiaries in Europe, the USA and Asia. Utimaco Safeware AG, with headquarters in Oberursel, near Frankfurt, Germany, is listed on the Frankfurt Stock Exchange (ISIN DE0007572406). For more information please visit http://www.utimaco.com.
Juniper security and Mexican bank
http://www.juniper.net/company/presscenter/pr/2007/pr-070828.html
(Not sure what exactly the bank is using from Juniper but maybe it can be sold on an effective NAC solution!)
Banco del Bajío Banks on Juniper Networks for High-Performance Network Security
Juniper Security Solution Provides Financial Institution with Advanced Feature Sets, Reduced Complexity and Increased Reliability
SUNNYVALE, Calif., August 28, 2007 – Juniper Networks, Inc. (NASDAQ: JNPR), the leader in high-performance networking, today announced that Banco del Bajío, a leading Mexican financial institution, has chosen a comprehensive security and remote access solution from Juniper Networks to secure its network from threats and provide branch office connectivity. With Juniper Networks, Banco del Bajío has significantly reduced costs associated with attack prevention, maintenance, and support, while providing innovative services to its rapidly growing business. The Juniper solution also reduces transaction times between Banco del Bajío and other financial institutions, providers and clients while preventing attacks at the LAN and WAN infrastructure.
"During the vendor selection process, many vendors highlighted products and services that were clearly not up to our performance and security standards or that of the financial industry," said Francisco Flores, IT security manager, Banco del Bajío. "Early on in the bidding, it became apparent that Juniper was well ahead of the competition and would offer us the strongest and most cost effective solution."
Banco del Bajío initiated operations in December 1994 and since then has experienced dramatic growth, both in customers and in branch offices. With 117 branches nationwide and plans to extend to more than 130 by the end of 2007, the bank sought a security solution to scale and secure network traffic among the growing number of branches to offer leading-edge security to customers without compromising performance. After evaluating solutions by multiple vendors, Juniper Networks' security solutions with increased reliability, advanced feature sets, and easy implementation and management were selected to meet the financial institution's high-performance business requirements.
As Banco del Bajío's business and size increased, the institution had to enhance the solutions deployed throughout the LAN and WAN. "As our operations grew, we realized Juniper delivered the security we required and we began deploying more Firewall and SSL VPN security solutions to safeguard the networks' information and transactions," added Flores.
Juniper and Banco del Bajío are continuing to deploy encryption technologies in order to ensure the highest degree of reliability in data handling for its customers, contractors and employees. By integrating Juniper's security solutions into its network, Banco del Bajío is now able to maximize security, minimize malicious code attacks and quickly and easily meet new Mexican encryption standards, becoming one of the first banks in Mexico to do so.
"Enterprises today need secure, reliable and quickly deployable network security solutions to support their rapid, real-time business growth," said Tim Lambie, vice president, Americas International, Juniper Networks. "We are pleased that Juniper Networks is the security vendor of choice for Banco del Bajío as well as many other financial institutions and organizations throughout Latin America."
xxxxcslewis - Your article clearly implies that some agencies of the govt. are buying or will soon be buying Seagate FDE. Very good indicator on that front!! Cheers, Foam
Interesting RSA survey on data encryption
(bodes well for the Wave/Seagate solution!)
http://money.cnn.com/news/newsfeeds/articles/prnewswire/NETH011A23082007-1.htm
RSA Survey Maps Enterprise Data Security Management Turmoil - And How to Stop It
PR Newswire
Research Reveals Enterprises Acknowledge Data Security Issues and Point Solutions Can Complicate Efforts; Current Policies Failing to Prevent Data Loss Sufficiently
August 23, 2007: 08:00 AM EST
BEDFORD, Mass., Aug. 23 /PRNewswire/ -- RSA, The Security Division of EMC, today announced the results of a survey commissioned by RSA entitled "The State of Data Security in North America." Conducted by Forrester Consulting, the survey results reveal that many businesses are still in a 'reactive mode' when deploying data security measures and often struggle with the challenge of creating and implementing planned strategies for data loss prevention. The report - which surveyed almost 200 organizations - also highlights the rising costs and technology implementation hindrances standing in the way of compliance with internal and regulatory policy mandates.
"Organizations are grappling with the 'data security dilemma': how to respond to specific regulatory mandates and pressing issues while laying out a holistic and sustainable strategy for data loss. Too often, the point-solutions being deployed today complicate and can potentially derail long-term efforts to get this right," said Dennis Hoffman, Vice President and General Manager, Data Security Group, and Chief Strategy Officer at RSA, The Security Division of EMC. "The survey demonstrates that securing data has become an information management process that cannot be addressed effectively through unrelated projects and products: that all data must first be identified and classified; that different controls will need to be applied to prevent the data's loss; and that the enterprise-wide management of those controls needs to be as efficient as possible."
Companies Need to Enable Safe Access to Data
The survey showed that the flexibility to make information readily available to partners, customers and distributed workers is a top priority for businesses today. Seventy-five percent of the respondents reported that access to data by remote employees is a top concern, followed next by demands for collaboration and data exchange with partners at sixty-nine percent, and consumer access at sixty-three percent.
Adhering to Internal Policies Considered Critical but Costly
Organizations are cognizant of the imperative to manage and control their data securely and appropriately - as prescribed in many legislative and industry mandates. In fact, sixty-two percent of respondents consider the enforcement of existing company policies on data to be their most pressing driver in ensuring that data is properly secured before it is shared and distributed. However, controlling the rising costs of ongoing compliance with those policies is becoming a burden, and thirty-three percent of the respondents - the majority response to this question - noted the operational costs of compliance are more significant than they would like them to be.
The research also revealed how many organizations have yet to determine what shape their policies should take - and how to implement them effectively:
-- Fifty-five percent of respondents have data security policies that are either outdated or require significant changes to bring them in line with regulatory and company mandates
-- Twenty-seven percent indicated that the policy they have is rarely enforced
What is Holding Businesses Back
1. Knowing what data you have - and understanding its sensitivity
Determining the scope of how to address company policy requirements starts with data classification - knowing what data is important and everywhere it is located. Data classification is essential to providing proper guidance for a data security strategy and ensuring focus on the most critical areas so that costs can be contained.
-- Fifty-two percent of respondents listed data classification as a top priority; however, thirty-seven percent of respondents do not actually have a data classification policy
2. Using Appropriate Data Controls to Prevent Loss or Leakage
Once companies have a data classification policy in place, the next step is to implement a control strategy to mitigate the associated risks to their data. Encryption is quickly becoming the de facto control technology for meeting data security requirements:
-- Sixty-two percent of respondents intend to increase their encryption deployments and sixty-five percent plan to increase their overall spending on encryption
-- Fifty-two percent of respondents intend to increase spending on information leak prevention technology, another important control
-- However, sixty-two percent of those surveyed either do not have an encryption policy or strategy at all, or consider their strategy to be incomplete as it only covers data at rest or data in transit, but not both.
Implementing a strategy that addresses all aspects of a data security policy requires an enterprise-wide approach. However, this survey showed that seventy-eight percent of respondents do not always approach the adoption of encryption controls from an enterprise-wide perspective. Instead, they focus more on solving tactical operational problems, increasing the operational costs of deploying and managing encryption controls.
3. Simplifying the Management of Data Controls
In the survey, the biggest contributor cited to the rising costs and deficient rate of return on investment on encryption was the lack of enterprise-wide key management. The top three operational issues with encryption indicated by respondents were in the area of key management, and over fifty percent of respondents also noted that these operational problems have had a material impact on the business. Most organizations polled, fifty-three percent, still rely on manual processes to deal with key management issues.
"The results of the survey indicate that a comprehensive and cost-effective approach to data security will help organizations construct manageable - and repeatable - data loss prevention processes," Hoffman continued. "This framework will enable enterprises to fully exploit their information's value for business advantage."
Methodology
In April 2007, RSA commissioned Forrester Consulting to survey North American organizations and ask them about their priorities and activities around data protection. In this online survey:
-- Twenty percent of respondents were from companies of between 5,000 and 20,000 people, 21% were from organizations of greater than 20,000 employees.
-- Twenty-nine percent of respondents were from organizations with revenues between $1 billion and $10 billion, and 17% had revenues of greater than $10 billion.
-- All respondents used encryption within their companies, and all respondents were involved with encryption policy within their company.
-- About half of respondents had titles of Chief Security Officer or Chief Information Security, CIO, IT Director, or VP of IT
The survey, "The State of Data Protection in North America," conducted by Forrester Consulting, can be found online at: http://www.rsa.com/solutions/financial/whitepapers/ForresterStateofDataSecurityAugust07.pdf.
Other FIXs article
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/07/08/10/fixs_1.html
National ID? How about a global ID?
A little-known federation quietly lays the infrastructure for a universal identity system that could eventually be implemented nationally or internationally
By Maggie Biggs
August 10, 2007
The Federation for Identity and Cross-Credentialing Systems (FiXs) -- a little-known group of non-profits, government contractors, commercial entities, and government agencies -- has just unveiled a first-of-its-kind global infrastructure to support distributed, integrated identity management and cross-credentialing across organizations. The implementation combines several existing security technologies along with a set of trusted models, policies, and operating rules to ensure the accurate identity of personnel accessing physical sites or logical systems.
Already in a pilot mode at a handful of government agencies and defense contractors, the FiXs identity management initiative does not have a hard date for broad deployment, although the impediments do not appear to be technical. “The cultural gap with the public in general is still too wide,” said Dr. Mike Mestrovich, President of FiXs. “I think there would have to be a public consensus to move us in that direction and I don’t see that happening until at least 2009 or beyond.”
Founded in 2004 and based in Fairfax, Va., FiXs counts among its members the Department of Defense (DoD), Wells Fargo, Lockheed Martin, EDS, and several others. Modeled after secure electronic payment systems and initially implemented by the DoD’s Defense Manpower Data Center (DMDC), the FiXs initiative meets the objectives set forth in the October 2006 Homeland Security Presidential Directive (HSPD-12).
“Until now, cross-bordering policies between government and industry had not been established,” said Mary Dixon, director at the DMDC. The FiXs implementation does not assign roles, grant or deny access, or otherwise act as a gatekeeper. Rather, the mission of FiXs is simply to authenticate the identity of participants within its member organizations. Once verified by FiXs, individual site managers and systems administrators assign or designate access controls based on the role of the individual and the policies of a given organization.
FiXs’ capabilities allow it to cross between both public and private sector organizations using a federated trust model. The implementation is available worldwide in local or remote settings via both wireless and wired environments. Access is available in real time. An individual’s specific identity data remains within their vetted source organization.
“By its very nature, the federated solution aids in privacy because there is no central database and individual data can be stored in only one [vetted] place,” Dr. Mestrovich said. Yet the distributed design and cross-organizational model found in the FiXs implementation does offer the possibility of a future national or international identity management system that might cross borders and organizational boundaries. “The federated approach can actually take the place of a mandated National ID system,” Dr. Mestrovich stated.
Still, the head of FiXs does not see a national or international identity management implementation as a near-term reality for a couple of reasons. First, no schedule has been defined to implement such a system on the federal, state, or local level, let alone among the broader private sector. “We are speaking to a couple of States about using FiXs, but no timetable has been set,” Dr. Mestrovich said.
More to the point, even though the federated identity management approach could power a national or international system, policy and implementation agreements would be needed among federal, state, and local government agencies as well as corporate governance boards, civil libertarians, foreign governments, and the population at large.
The initial DMDC pilot leverages the trust model, operating rules, policies, and security defined by FiXs and it can be considered a reference implementation. Several technologies underpin this early federated identity management and cross-credentialing deployment. Among these is the Common Access Card (CAC), which contains individual information housed in a barcode and within an integrated circuit chip. The card is used both to secure physical sites and for systems access.
In this implementation, CAC is combined with the Defense Biometric Identity System (DBIDS) to accurately identify personnel -- whether full-time employees (FTEs) or contractors. Beyond CAC and the DBIDS, FiXs also includes cross-reference capabilities that include photographs, textual, and fingerprint data. Industry-standard encryption is used to secure the identity management process.
The FiXs organization currently has just under thirty member organizations, but the group is open to additional members. With this early implementation, group members can help to shape identity management policies and technologies as FiXs begins to be leveraged by a broader number of public entities and private sector firms.
Janne Uusilehto/TCG at e-Smart 2007
http://www.strategiestm.com/conferences/esmart/07/programme.htm#p4a
• Plenary - Panel debate: SIM, no SIM or 'Super' SIM?
in cooperation with publisher & editor Yvon Avenel, SmartCardsTrends, and moderated by Michel Lemonier, ICT programme director at AII (Agency for Industrial Innovation)
The "Swiss Army Knife, throw-in-everything-but-the-kitchen-sink" phenomenon of the mobile telephone is reaching its full effect: after voice, photo, music, video, Web navigator..., new applications such as Mobile TV, ticketing, access control, authentication, Web secure server, remote and contactless payment are upcoming.
Of course, this openness also increases the level of security and liability requirements. This is leading, in turn, to a complete revamping of the mobile's security architecture.
The smartcard industry, staring digital security straight in the eyes from now on, is at the center of this new convergence. But new players and security challengers are also there: secure application processors, secure embedded flash microcontrollers, Trusted Flash cards, MTM (Mobile Trusted Module), stand-alone Secure Element, Secure NFC chips, etc.
The SIM card, originally conceived as the "control tower," and effectively the only "lockbox" in the device, is now at the core of a new plan working to draw from all of the resources of SIM technology, one that paradoxically at times seems to wish to challenge or even replace it.
What is the SIM's future? The SIM is beyond the SIM. Today, it's time for debating how business models, security regulations and the cultural environment could shape the new mobile eco-system and decide the new role of the SIM and the smartcard industry's security expertise.
1) TECHNOLOGIES: Is the SIM competing or collaborating in terms of expertise with secure application processors, secure embedded flash microcontrollers, Trusted Flash cards, MTM (Mobile Trusted Module), stand-alone Secure Element, Secure NFC chips...? What are the key technologies at stake?
2) APPLICATIONS & MARKETS: Contactless payment, Mobile TV, ticketing: who are the dominant players and what are the business models and the use cases which shape the new mobile security architecture?
3) ENVIRONMENT: Which are the security certifications and requirements for the new applications, in terms of policies, regulations and cultural areas? First deployments of Mobile TV and mobile payments in Korea, Japan and the U.S.; European issues and perspectives.
Among the panellists:
- Cédric Nicolas, Handset Design and Development Director - Bouygues Telecom
- Thian Yee Chua - Cassis International
- Philippe Vallée, EVP Telecommunications and R&D - Gemalto
- Ozlem Ozturk, Director of Product Marketing, Smart Card Business Unit - Spansion
- Janne Uusilehto, Nokia and chair of the Trusted Computing Group's Mobile Phone Work Group
- complete list of panellists available soon
Other interesting FIXs article
http://www.eweek.com/article2/0,1895,2165313,00.asp
Web System Vets U.S. Contractor Workers
By Chris Preimesberger
August 2, 2007
MONTEREY, Calif.—The U.S. federal government and the 3.3 million people who work as private-industry contractors to provide goods and services for it now have a centralized, secure, Web-based system for identifying and credentialing outsourced workers around the world.
This system, in the works for about five years and tested by the Department of Defense for three years, officially went online July 25. It processes outsourced workers whether they represent an aircraft manufacturer or deliver soft drinks to machines on a military base.
The announcement was made July 31 at a conference at the Del Monte Hyatt Regency here in this seaside city.
The DOD has declared the new trusted-identity system, designed and built by a separate not-for-profit coalition of government and private-sector agencies and companies, as the first global and enterprisewide solution for cross-credentialing between industry and the U.S. government.
The system makes extensive use of existing corporations' employee credentialing by federating those commercial identity systems into that of the DOD's.
The Federation for Identity and Cross-Credentialing Systems, or FIXS, builder of the network, is a not-for profit organization that provides a forum for government and industry to come together to solve issues involving centralized identity, credentialing and network authentication.
FIXS, based in Fairfax, Va., comprises a coalition of government contractors, commercial companies and nonprofit organizations whose mission is to build a worldwide interoperable identity and cross-credentialing network built on security, trust and standard operating rules.
This week's conference here is FIXS' annual event for getting many of the key government agencies and private-sector defense and security vendors in one place to facilitate improvements in the federal government's wildly disparate identification and credentialing systems for the millions of contractors—large and small—who provide goods and services to the government.
In its previous two conferences, FIXS was fixated on getting various U.S. government agencies—such as the DOD and the National Security Administration—together to work on these problems. This year the focus is on bringing the private-sector service providers into the mix, FIXS President and conference director Mike Mestrovich told eWEEK.
"The biggest issue we've had to face is the process of vetting the users who need to get into this new system," Mestrovich said. "Companies and agencies all have different models and processes, and coming to common denominators on the key factors took a great deal of time and work, to say the least."
The FIXS network is now an authorized link to the DOD's cross-credentialing identification system infrastructure. It is modeled after the financial industry's highly secure ATM approach, Mestrovich said.
"The ATM system is amazingly secure, more so than you might think," said Bob Lentz, who serves the DOD as deputy assistant secretary of defense for information and identity assurance. "The banks lose to fraudulent activity only $7 out of $1,000 moved via ATMs every day. That's a great record. We'd like our network to be as efficient and safe."
The FIXS network is a scalable system—not unlike Star and Cirrus verification for ATM cards—that provides trusted, secure identity verification and credential authentication for contractors accessing a range of government facilities, Mestrovich said.
One of the first bottom-line benefits of the new credentialing system is that it speeds up the deployment of contractors working on projects in remote areas, such as the military theaters in the Middle East.
DOD contractors wait an average of five to seven days—and often much longer—between arrival at the job and deployment on their missions while their credentials and permissions are being authenticated, Lt. Richard Faulkner, an Army security specialist, told eWEEK.
Since the contractors are being paid from the moment they arrive on the job site, "tens of millions of dollars are lost each day on idle contractors, while they await their credentials and work instructions," Mestrovich said.
The indoctrination process for all workers for all government and military contractors includes more than just identity vetting. There are health examinations and immunizations, issuance of Java-enabled CAC (common access card) identification, visas, passports, issuance of government equipment, uniforms and several other factors.
But identity management and security clearances have always taken the most time, Faulkner said. "Every hour that we can cut off the time it takes to process a contractor is money saved," he said.
Now in full DOD production, the FIXS network is operational on a global scale, Mestrovich said.
"The ability to conduct worldwide identity transactions represents a new era for federated identity strategies and clearly shows the commitment of industry and government to build more secure global identity management systems for physical applications," Mestrovich added.
Member companies in the FIXS coalition include Northrop Grumman, Lockheed Martin, SAIC International, EMC's RSA Security, SRA International, Digital Government Institute, SuperCom, Imadgen and PriceWaterhouseCoopers, among others.
Halliburton and Bechtel, two of the largest government military contractors, are not yet members of FIXS, Mestrovich said. "We're hoping they join us, of course," he said.
Interesting FIXs story by Rob Enderle
http://www.itbusinessedge.com/blogs/rob/?p=136
The Real Truth about Technology and IT
FiXs: One Security/Credit Card to Rule Them All at the 2012 Olympics
Posted by Rob Enderle on August 2, 2007 at 10:45 am
I’m a big Lord of the Rings fan, and if you live on this planet you’ve likely either read the books or seen the movies. The central component of the story is a set of rings that identified the leaders of various races and gave them powers (permissions) and one ring that dominated them.
In the security space, FiXs is emerging as the standard that may become the security and credit card equivalent to the “One Ring.” What they are doing with this for the 2012 Olympics looks absolutely amazing.
Let’s talk about what FiXs is and why it is so potentially powerful, and close with the work being done for the London Olympics that ties it all together.
FiXs: The Federated Trust Primer
FiXs, the Federation for Identity and Cross-Credentialing Systems, was formed to take advantage of a similar technology being deployed by the U.S. government to deal with the nightmare of identity management between massive government entities. The problems the U.S. government has in managing identities, keeping out unauthorized parties and assuring the identities of those in sensitive jobs (like the military) make the kind of security problems most of us deal with seem trivial.
However, after 9/11 the U.S. government issued HSPD-12, which mandated cleanup of the massive mess associated with providing critical access to government systems by those who both needed it and were authorized to have it. Authorities believed it likely was easier to hack into many systems than it was to get authorized access to them, which significantly hindered the U.S.’s ability to defend itself. This created the DCCIS (you really learn to HATE acronyms in this business), or the Defense Cross-Credentialing Identification System.
This system is currently under deployment and is believed to be the most comprehensive of its type. Why it is important to you is that companies doing business with the U.S. government — and businesses doing business with those businesses — will likely have to comply with this system in some shape or form. If you want the U.S. government to sign off on your security you are likely going to need something that is DCCIS compliant, and the only thing out there is FiXs, which is basically the civilian form of DCCIS and the only system that meets the HSPD-12 requirements.
This won’t happen overnight, but companies that are compliant will likely not only increasingly have competitive advantages in government deals but also in deals with other large U.S. based national and multi-national defense and government contractors. They likely will also enjoy a rather pronounced security advantage as well, given the nature of this system.
But it’s not just the U.S. According to Northrop-Grumman Corp., this technology is moving into Europe with a vengeance because of their need to better track citizens, entitlements and access. This is why it is slated to be used as the core policy behind the 2012 London Olympics.
The Olympics, particularly during times of war, has to be one of the biggest security nightmares on the planet. Not only do you have to manage tens of thousands of employees, volunteers, athletes, coaches, related families, contractors and security personnel, you have to manage over a million attendees without making the experience so annoying they promise never to come back.
This is not a case where you can trade off speed, ease of access and security — you have to be able to provide all of the above. Granted, part of this solution is likely the most comprehensive deployment of security cameras in the world, which includes beat cops and all of London (and is already being deployed).
But for access and cash transactions (the event is going paperless), the FiXs solution — coupled with biometrics and a smart card — is being readied to do the heavy lifting. There will be a lot of vendors, both U.S. and European, handling the technology side of the solution (FiXs is a consortium of vendors), but the success of this deployment could well establish this solution as the gold standard for access.
In a nutshell, for anyone going to the Olympics that year, you’ll buy your tickets online as always, go to a kiosk at the venue and identify yourself using at least two factors. You’ll then be scanned (likely a fingerprint reader, but could be a face scan) and be given your universal card. The card will know what venues you are allowed to go into and what seats you have. You can also use the kiosk to buy transportation tokens (which the card will hold) and fund the card so you can buy things.
If you lose the card, you simply go to another kiosk and use the same biometric marker to invalidate the lost card and grant you a new card with all of your stuff on it again. No one else can use your card and, without cash or physical tokens, transactions should happen more quickly and lines move more rapidly.
The Olympics officials will know with certainty who is actually attending events and, should there be a crime, have a high likelihood of quickly identifying the very likely suspects and a high probability of keeping them out of the games in the first place.
This will likely be a managed service, which means no up-front cost but a charge per transaction that will pay for the system. This will help fix a little budget problem that has recently popped up. Maybe they thought the IT stuff was free?
Wrapping Up
I worked on a project for Disney a few years back that tried to do something similar, and the technology just wasn’t to this level yet. I think the Disney folks would have thought they had died and gone to heaven if they could have this level of capability at one of their parks, let alone what this could do to secure buildings and better protect employees and company assets.
I’m sure there are privacy concerns surrounding tight tracking like this, but given the information that identifies you as you and the systems that provide the permissions are separate, you would think the result would be less, not more, redundant information and, in the end, a much greater protection over your identity.
Regardless, with two major governments using FiXs as a central federated identity policy vehicle, the likelihood that most of us will fall under this in the next five to seven years is high. It’s probably time to come up to speed if you are in the security business and aren’t aware of this.
Interesting AuthenTec job ad for Japan
http://www.authentec.com/careers_international.cfm
Field Applications Eng - Embedded Software (Japan) (Tokyo, Japan)
This position will provide applications engineering and technical support for integration of biometric fingerprint sensors into wireless handsets. Specific responsibilities include:
* Review customers’ designs of biometric applications for a fingerprint sensor on an embedded platform such as mobile phone, PDC, memory key or an access control system.
* Assist customers, on-site, in integrating fingerprint sensor control libraries with the platform operating systems software.
* Advise customers on the best method of integrating fingerprint software with the software libraries and products.
* Devise ways to break pre-release software on a standard computing platform.
* Compile information on market preferences and suggestions for device improvements.
* Review product literature for completeness and technical accuracy.
* Report on competitive products and identify significant market trends.
* Publish application notes, user's manuals and device errata. Publish technical articles, design guides and device data sheets.
Required Skills:
* Knowledge of one or more of the following: Linux, Windows CE/Mobile, Symbian, Qualcomm, Rex operating systems
* Knowledge of embedded CPU architectures (ARM, TI OMAP, Intel/Marvell XScale, Freescale MX) and HW interface types (SSI, USB, OTG, parallel); register software programming model
* Kernel level programming. Device Driver model. Demonstrated expertise in utilizing DMA engines, designing and implementing Interrupt Service Routines, global interrupt handling, MMU, memory virtualization, user space, race conditions
* C/C++ required; Java or BREW a plus
* Experience in utilizing software development tools: In-circuit emulators, JTAG debuggers, profilers; knowledge of debug techniques in embedded OS environments.
* Experience in using logic analyzers, oscilloscopes, multimeters
* Knowledge of high level initiatives such as TCG Trusted Platform Module; Mobile Trusted Module a plus
* Rudimentary digital board level HW debug skills
* Excellent communication and project management skills
* Excellent leadership skills; ability to influence and lead customers’ development teams
* Must be conversant in English
Required Education/Experience:
* B.S. degree in Computer Science, Computer Engineering, Electrical Engineering or related fields required; M.S. desired
* 5+ years of relevant industry experience in working within the mobile or PC computing environment, as well as experience in dealing with external customers and internal product development teams.
* Direct customer experience is essential. Experience in supporting customer inquiries related to quality a plus.
Interesting article touting hardware phone security (TCG mention)
http://www.technologyreview.com/Infotech/19130/?a=f
Wednesday, August 01, 2007
Securing Cell Phones
Phone companies should consider the recent hack of the Apple iPhone a wake-up call for better mobile security.
Last week, researchers from a security company found a flaw in iPhone software that allows it to be remotely controlled. The weak spot was in the Safari Web browser, software that's also used on Apple's computers. "It's a good example of how flaws in PC software show up in a similar guise on cell phones," says David Wagner, a professor of computer science at the University of California, Berkeley.
Cell-phone viruses have been around for nearly a decade, but many experts believe that serious threats could become a serious problem in the next couple of years thanks to the gadgets' growing computing power and complexity. "I think a large part of this is that cell phones are becoming miniature computers," Wagner says, "and as a consequence, they are starting to inherit some of the same problems that we face with PCs."
Many cell phones are scaled-down computers, and they can take advantage of some of the existing efforts to make personal computers more secure, such as using antivirus software. But cell phones have their own set of problems. For instance, mobile devices are easily lost or stolen; they are accessible via a number of methods, including the cellular network, Bluetooth, and, increasingly, Wi-Fi; and they have a limited battery life and constrained processor power. Researchers have only recently started to grapple with the implications of designing cell-phone security systems that encompass these and other challenges.
Currently, a number of security companies that provide antivirus software for computers--including Symantec, McAfee, and Sophos--have also introduced products for mobile phones. Such software works similarly to computer versions, says Anand Raghunathan, senior research staff member at NEC Laboratories America, in Princeton, NJ. He says the cell-phone software tends to be more efficient and is designed to run on a phone's lower-end processor (compared with modern desktop computers). However, these antivirus tools are scaled down a bit, "designed to have limited functionality so they don't drain the battery too much."
In some cases, the problems of constrained battery life and processing power can be addressed by simply running security software on the cell-phone carrier infrastructure, as opposed to on the phone. Raghunathan says that today, many carriers have software built into their equipment that scans network traffic for known signatures of viruses, bits of code that act like a fingerprint. This network software can keep malicious programs from making their way to and from people's devices.
But Raghunathan is skeptical that security software will be the final word on keeping cell phones from harm. "I think the next generation of solutions will be hardware-based security, where phones have security built in," he says. While security hardware alone couldn't prevent security holes in software, such as in Apple's Safari browser, it would "certainly limit the consequences."
Raghunathan explains that security hardware in a phone--often an extra processor and some memory that are hardwired for specific tasks--works by dividing the phone into two environments: one that the user has access to, with all the applications, and another that is designed to be impenetrable to viruses and malicious software. Passwords and other critical information are stored in the secure environment so that even if a virus is downloaded, it can't access the data. This sort of approach would also be useful if a phone were lost or taken, Raghunathan explains, because when it's reported stolen, the carrier could access the secure environment to shut down the phone, locking out anyone who wanted to read the theft victim's e-mail or look at her pictures.
Phones with hardware security aren't yet available to consumers, Raghunathan says, but he expects that the first versions of these will appear within the next year or so. One of the driving forces behind hardware security is the Trusted Computing Group, a consortium of technology companies including Intel, Microsoft, IBM, and Hewlett-Packard. One of the organization's goals is to establish hardware-security standards for phones. While secure hardware could provide users with benefits, there is some disagreement regarding who would have access to the hardware. Some groups, including the Electronic Frontier Foundation, argue that with trusted computing, consumers might have less control of their devices than service and content providers do. For instance, content providers might use the platform to create unbreakable digital-rights management software to lock a downloaded song or video onto a device.
Some experts believe that the companies that make mobile phones and software can solve many of the security issues. By incorporating better software practices so that security is integrated from the first day the software is written, companies can do a lot to keep viruses to a minimum. However, because it costs money to make phones more secure, and because it's a feature that isn't readily visible to a consumer (unlike a three-megapixel camera, for example), security is often an afterthought. "The real failing is that the vendors didn't learn the PC lesson and design better operating systems," says Steven Bellovin, a professor of computer science at Columbia University, in New York. "It's not like they weren't warned."
Even so, mobile virus and malicious software attacks have been minimal within the past few years, possibly because the industry is broken up into many different cellular service providers and software and hardware manufacturers, says Richard Ford, a professor of computer science at Florida Institute of Technology, in Melbourne. This means that for a virus to make a large impact in the industry, it would need to be rewritten a number of different times to work on various devices. Unlike the PC world, there is no big cellular target yet, although thanks to the iPhone's initial buzz, it may be developing a bull's-eye. "Hopefully the next year will be quiet," Ford says. "Quiet is good, but I think that sometime in the next three to five years, we're going to see a nasty outbreak."
Technology Review July/August 2007
Lots of security at Intel IDF, 2007
(Click on each session for details - lots on TC and Intel TXT)
https://intel.wingateweb.com/us/catalog/controller/catalog
SCIC001 Security Chalk Talk (Chalk Talk): Michael Condry, Manager, Platform Advanced Security Technologies, Intel Corporation; Ned Smith, Staff Security Architect, Intel Corporation; Ernie Brickell, Chief Security Architect, Intel Corporation; David Doughty, Director, Product Security Engineering, Intel Corporation; David Grawrock, Senior Principal Engineer, Intel Corporation
SCIS001 Providing World-Class Security and Data Protection for the PC Platform (Keynote): Rob Crooke, Vice President, General Manager, Intel Corporation
SCIS002 The Intel Safer Computing Initiative and Trusted Computing (Session): Ernie Brickell, Chief Security Architect, Intel Corporation; David Grawrock, Senior Principal Engineer, Intel Corporation
SCIS003 Making Security Practical in the Enterprise with Client Technologies (Session): Steve Grobman, Director, Solutions Architecture, Business Client Group, Intel Corporation; Ned Smith, Staff Security Architect, Intel Corporation
SCIS004 Verified Launch with Launch Control Policy (Session): David Grawrock, Senior Principal Engineer, Intel Corporation
SCIS005 Delivering Security Requires more than Features (Session): David Doughty, Director, Product Security Engineering, Intel Corporation
SCIS006 Research on Platform Security Technologies (Session): David Durham, Principal Engineer, Intel Corporation
Lark Allen at Arm Developers Conference, 2007
http://www.rtcgroup.com/arm/2007/conference/schedule-of-events.php
Understanding TCG Standards for Mobile Trusted Modules and Secure Storage
Wave Systems Corp
This session describes how the Mobile Trusted Module and Reference Architecture specifications, published by the Trusted Computing Group and directly related to ARM-based systems, define the design and structures for security modules in mobile phones. The Secure Storage specifications define the addition of hardware encryption, access control, and advanced security functions for storage devices.
Lark Allen, Executive Vice President
Lark Allen is responsible for business development for Trusted Computing Security solutions at Wave Systems Corp. He participates in the Trusted Computing Group Mobile Phone and Secure Storage Work Groups developing open industry security specifications. Lark spent more than 20 years with IBM in development, marketing and services.
Secude/Seagate in DURABOOK notebooks
http://dmnnewswire.digitalmedianet.com/articles/viewarticle.jsp?id=160763
FREMONT, Calif., July 11 /PRNewswire/ -- SECUDE, Seagate & GammaTech (formerly Twinhead) are teaming to deliver best-in-class security solutions designed to prevent unauthorized access to data on lost or stolen notebook PCs. SECUDE's FinallySecure(TM) authentication technology, combined with Seagate's DriveTrust(TM) security featuring hardware-based full disc encryption, is now available on DURABOOK notebooks by GammaTech.
"SECUDE's FinallySecure(TM) provides total Data-at-Rest security with Seagate's Momentus(R) 5400 FDE.2 hard drive. The 2.5-inch notebook drive is the industry's first system to feature hardware-based full disk encryption, access control, and password management -- all without compromising performance," said Dr. Heiner Kromer, CEO of Secude International AG.
The combined solution is the first link in the authentication chain, providing an Adaptive Technology with Risk Management and Productivity gains for end to end security. The SECUDE and Seagate security umbrella protects against loss of data, fines from non-compliance, and destruction of brand value. In addition, end user transparency results in an ROI from productivity gains and also allows for migration from single user to enterprise and software to hardware, all with central management. The solution allows GammaTech customers to survive, adapt, and grow in a heterogeneous IT eco-system.
"Seagate is pleased to see our current customer base leverage this technology to add security value to their current systems," said Tom Major, Vice President of Personal Compute Business, Seagate. "The market is hungry for this type of protection, and together we offer a robust best-in-class solution with little integration impact."
Seagate DriveTrust Technology is a next-generation security platform built into the hard drive that is considerably stronger than typical BIOS, OS, or ATA based hard-drive security solutions. DriveTrust combines strong, fully automated hardware-based security with a programming foundation that makes it easy to add security-based software applications for organization-wide encryption key management, multi-factor user authentication and other capabilities that help lock down digital information at rest. SECUDE has been an established leader in key & access management, authentication, and encryption technology for over a decade with a suite of products creating an end to end security platform including Single Sign-On, Key & Token Management, and encryption technologies. SECUDE has been a strong IT security partner of SAP for 10 years and is a leading provider of key and access management technologies for Seagate encrypted disk drives.
DURABOOK laptop computers from GammaTech, the newly named U.S. sales and marketing arm of Twinhead Corporation, feature spill-resistant keyboards, patented optical disk tray locks, anti-shock LCD screens and protected hard drives, all capable of meeting U.S. military MIL 810F standards for ruggedization. All DURABOOK laptops are protected by a magnesium alloy case 20 times stronger than ordinary ABS plastic notebook housings. The highly engineered laptops fill the fast-growing demand among professionals, students, and other active, mobile individuals for ultra-durable notebooks that can withstand the knocks, shocks, drops and spills of real life.
"With the ever increasing concern for security and data protection, the need for advanced access control and data security in laptops is obvious," said Steven Gau, president of GammaTech Computer Corporation. "This combined laptop security solution will be of immense value for a wide range of applications and for government and corporate users worldwide."
Acer Unveils New Notebook Computers Featuring Phoenix Technologies Core Firmware Foundation
http://money.cnn.com/news/newsfeeds/articles/prnewswire/AQM10109072007-1.htm
Next-Generation Acer Laptops Use Phoenix SecureCore Platform to Ensure Support for Latest Industry Firmware Standards and Long-term ROI
July 09, 2007: 08:30 AM EST
MILPITAS, Calif., July 9 /PRNewswire-FirstCall/ -- Phoenix Technologies Ltd. , the global leader in core systems firmware, today announced that the latest series of notebook computers from Acer Inc. -- recently ranked as the world's no. 3 PC vendor based on worldwide PC shipping volume* -- use Phoenix SecureCore firmware to provide secure and reliable PC performance.
"By integrating Phoenix SecureCore into our new notebook PCs, we are providing our customers with a platform that is optimized for computing on-the-go and delivering the latest advancements in portable performance and efficiency that mobile PC users need," said Campbell Kan, Vice President, Mobile Computing Business Unit, Acer Inc.
"Acer's new line of laptop computers feature the most advanced Phoenix firmware available," said Dave Gibbs, Senior Vice President and General Manager, Worldwide Field Operations at Phoenix Technologies. "Based on more than two decades of industry-leading firmware research and development, Phoenix SecureCore provides Acer with the most advanced EFI and UEFI-based firmware platform available, combined with critical security and authentication advantages, and powerful, safe and reliable performance."
For more information on Phoenix SecureCore and to view a demo, please visit http://www.phoenix.com/en/Products/Browse+by+Products/Phoenix+SecureCore/default.htm
About Phoenix Technologies
Phoenix Technologies Ltd. is the global market leader in system firmware that provides the most secure foundation for today's computing environments. The Company established industry leadership with its original BIOS product in 1983, and today has 154 technology patents, has shipped in over one billion systems, and continues to ship in over 125 million new systems each year. The company's breakthrough solution, SecureCore, enables hardware vendors to bring secure devices to market with the latest advances in Microsoft operating systems. The PC industry's top builders and specifiers trust Phoenix to pioneer open standards and deliver innovative solutions to help them accelerate time to market, differentiate products and increase profits. Phoenix is headquartered in Milpitas, California with offices worldwide. For more information, visit http://www.phoenix.com.
Trusted mobile device by Janne Uusilehto of Nokia
http://www.tmcnet.com/voip/0607/feature-articles-establishing-mobile-security
Establishing Mobile Security
The interrelation of trusted services in a trusted mobile device.
By Janne Uusilehto
With the increasing ability of smartphones and data-enabled cell phones to store sensitive data and documents, conduct financial transactions, and access corporate networks, both consumers and corporations should be increasingly concerned with the security of their mobile devices. Identity, authentication, and platform integrity have become critical capabilities for mobile devices. Today’s cell phones implement these capabilities at vendors’ discretion, without a clear industry-wide consensus on the fundamental requirements and best practices. However, a recently announced open-industry specification by the Trusted Computing Group (TCG), an industry organization providing specifications across a variety of platforms and devices, promises to change the security environment on mobile devices for protection of personal information, ticketing, mobile commerce, content protection, and more.
Mobile Security Threats and Opportunities
Perhaps the biggest security threat that mobile users face today is the loss or theft of their phone. As well as its obvious value as a physical device, the phone may contain personal and financial data: stored in the handset or in the removable Subscriber Identity Module (SIM card). While a stolen SIM can be barred by a mobile network once the theft has been reported, it is much harder to effectively bar the handset from being used with a different SIM. Also, unless the user has protected his personal and financial data by a PIN (and many users do not), these data could be accessed by an unauthorized party. Emerging threats to mobile devices arise from these products becoming increasingly more open and more sophisticated, using additional sensitive information stored on the phone itself (e.g. personal photos, emails, contacts, and calendar items). In addition, mobile products are increasingly similar to PCs, or interface to PCs, or communicate with computer networks. This provides the potential for the types of attack that are currently restricted to PCs, so phones will need defenses against those attacks.
With more and more handheld devices capable of receiving email, security, especially in corporate email with sensitive internal and external data, is a major concern. Receiving or sending email requires connectivity to a network. This means that a mobile device can access data that previously would have been only available by a PC. More and more devices have this capability today and it certainly will become an expected feature on a variety of high-end mobile products. Certainly, smartphones will include this capability.
Without standards, any security implementation winds up being a proprietary, point solution. Here is where the pitfalls and opportunities lie. Security should be implemented in a way that allows users to interact with computers and avoids creating artificial barriers. If mobile phone security is implemented in an inappropriate manner, it is almost guaranteed to become a barrier to interoperability between future generation mobile phones and future generation PCs and servers. In any case, a standard can usually be upgraded more easily and meaningfully than a proprietary solution.
These are just a few of the reasons that justify the need for a specification for greater security and better services and applications. Any effort to prevent threats and improve security must take a standards-based approach if it is to be accepted and succeed.
TCG and Trusted Mobile Devices
The Trusted Computing Group (TCG) is an industry organization providing specifications across platforms and devices and is the focal point of security standardization for computing devices. To provide integrity, authentication and identity, and to have security functions which are cost-effective, transparent to users, reasonably implemented, and interoperable, the organization released use cases, or anticipated applications for mobile security, as a first step toward an open-industry specification. In September 2006, TCG announced the industry’s first open-standard specification to enable mobile security to be embedded in a device’s basic architecture and interoperable with the existing trusted computing framework: the TCG Mobile Trusted Module (MTM) Specification.
While TCG’s effort is new for mobile phones, it is well-established for computers. TCG approved its Trusted Platform Module (TPM) specification in 2000, and since that time some 50 million PCs have shipped with integrated circuits that conform to this specification. In 2007, the TPM took a giant step forward with Microsoft Vista, which uses functions provided only by a TPM. BitLocker™, included in high-end versions of Vista, targets enhanced data protection from computer thieves and hackers. Using TPM v1.2, it protects user data and ensures that the PC was not tampered with while the system was offline. Vista will most likely make the use of the TPM much broader and a lot more commonplace. Note, however, that just as the TPM in a PC was used before Microsoft’s Vista, the MTM in a mobile phone can be used without Microsoft software.
Even the Federal Deposit Insurance Corporation (FDIC) Division of Supervision and Consumer Protection Technology Supervision Branch, in its report “Putting an End to Account-Hijacking Identity Theft — Study Supplement”, recommended multifactor authentication including a TPM to protect identity and data.
The Mobile Trusted Module is as similar to the TPM as possible, but the Mobile Reference Architecture comprehends the regulations and restrictions that affect cellular products. For example, the development of the Mobile Trusted Module and the Mobile Reference Architecture took into account the interests of various stakeholders, including the user/owner, the device manufacturer, the network service provider and others such as enterprises and third parties. Figure 1 shows these key stakeholders and the different issues solved by the MTM.
Establishing Trust
Building trust in a piece of hardware, software or network is not unlike the process that an individual uses to establish trust in a bank or garage mechanic. In this case, the trust builds on a trusted platform or trusted module. As shown in figure 2, common mobile phone building blocks are each able to show that they are trustworthy. Device, cellular, applications and user service engines all have Trusted Services. In each section, the solid rectangle represents an interface and the solid arrows between blocks indicate a dependency. The arrows point away from the dependent element. The MRTM is a Mobile Remote-Owner Trusted Module and the MLTM is a Mobile Local-Owner Trusted Module. The term Mobile Trusted Module (MTM) is a generic term for both MRTMs and MLTMs.
Secure Mobile Device Applications
As part of developing the MTM specification, 11 use case scenarios were considered that included mobile ticketing, mobile payment, and SIMLock/Device Personalization.
Using a mobile device to download and present tickets adds significant convenience when used properly but can be a serious threat because of illegal duplication, modification, or deletion. The ability to avoid problems with mobile ticketing starts with the mobile device having the built-in capability to provide secure service for downloaded applications. The ticketing application is one that could be downloaded and the platform would verify and authenticate the integrity of the application. Purchased or redeemed tickets have data objects that represent the rights and these rights are securely downloaded to the device. To use the ticket a data reader verifies the permission granted by the ticket and then treats the ticket as consumed. Once consumed, the security data linked to the application or to the ticket are deleted ending the process.
A similar process occurs for mobile commerce. Recent announcements by Citibank and AT&T address greater implementation of mobile commerce. Mobile commerce is among the potential applications that were considered in the establishment of the MTM spec. The trend towards higher-value services means that security will be an absolute requirement. Other financial services outside the voice realm provide an enabler to move forward and perform tasks/functions that have not been possible in earlier generations of phones and hardware.
Another interesting application is corporate network access control. With remote access capability and broadband wireless capability in a PC, and the same capabilities in a portable communication device, corporate networks could use a TPM (in a PC) or MTM (in a mobile phone) as part of their network access control strategy. The Trusted Network Connect Work Group of TCG addresses these aspects across multiple platforms, peripherals, and devices.
A Trusted Infrastructure
Service providers and carriers certainly would benefit from a more trusted infrastructure, but TCG’s mobile group deliberately avoided reinventing the wheel. Part of the objectives of the TCG’s mobile group was to avoid unnecessary redefinition of cellular network infrastructure and to avoid creating a different infrastructure to that expected to be deployed for trusted access to PCs. The result is minimal change to existing cellular networks and use of the same specifications as trusted PCs whenever possible. This means that companies can use similar backend infrastructure for both PCs and mobile devices.
One point worth noting is that the SIM is unlikely to disappear and will continue to provide the flexibility of having a removable element that carries the user’s identity from device to device. The MTM is designed for platform security and the SIM is primarily for user security. They perform quite different functions. For example, the MTM can be used to provide device protection that deters device theft and the use of a subsidized product on another service provider’s network; this does not replace the SIM.
Confidence Via Public Specifications
With technology that uses full-strength encryption algorithms, and specifications open to inspection, the TCG specifications have been analyzed to identify potential shortcomings and flaws, and improved and enhanced by numerous knowledgeable experts. Through the participation of the key companies involved in the development of the specification, a considerable amount of time and effort has been expended to ensure the trustworthy aspect of the MTM specification. The thoroughness builds on the TCG’s TPM and efforts that started over seven years ago to create a trusted environment for mobile products.
Janne Uusilehto is the Head of the Product Security Technologies Team, Nokia (www.nokia.com). For more information visit the Trusted Computing Group at www.trustedcomputinggroup.org.
Utimaco and Seagate FDE key management
http://www.teletrust.de/fileadmin/files/isse/ISSE-07_Programm_V-0-5_070531.pdf
How to integrate upcoming Encryption Solutions (such as Microsoft Bitlocker or Seagate FDE) into a comprehensive Security Approach utilizing one central Key Management
Christian Hofer, Lead Software Architect Security Products, Utimaco, Germany
Talks on Trusted Computing at the 2007 IEEE CQR International Workshop, Florida (May 17, 2007). Two talks by Alcatel-Lucent on Trusted Computing and one telling one by the NSA.
http://www.comsoc.org/~cqr/CQR_2007_one_pager_%20v41.xls
1260 - Intuitively, it would seem to me that no it wouldn't have to be the same tape drive, since it would be a centralized SAN with centralized key management. This is nothing other than a real street scrap to see who gets to plant the most flags in the emerging NAC market. Cisco is pursuing a centripetal strategy (policy set at the network center) and its strength is that it is the established player to beat in managing networks. TCG is pursuing a centrifugal policy placing the decisive criterion of network integrity at the endpoint (i.e. root of trust). Microsoft has understood the importance of the latter, but as usual wants the whole enchilada! It's all about who explodes out of the gate fastest in the NAC battle and right now Cisco wants to have a security strategy that differentiates it from the pack and which they can take to their established base and make a strong argument that their clients need only tweak the system they already have and presto, guaranteed security. Why bother with all these other complicated security schemes that need new types of hardware etc etc. They're in a strong position and they know it. Of course, Microsoft's endorsement of TNC changes matters significantly. Cisco won't get all the market share and I think they are smart enough not to paint themselves into a corner and will eventually seek to interoperate with other networks that are based on a common hardened security. In the meantime they will blow their horn about how easy it will be to keep going with Cisco (just an added layer for security) and will no doubt make big inroads in NAC. Important to keep in mind though that there can be no islands in the ubiquitous network and Cisco is no exception to this rule. Regards, Foam
Ouch! Cisco fires back...
http://www.crn.com/storage/199701202
Cisco, EMC Partner On Data Encryption
By Joseph F. Kovar, CRN
10:00 AM EDT Wed. May. 23, 2007
Cisco Systems and EMC's RSA security division are working together to encrypt data at rest via an add-on card to Cisco's popular MDS 9000 Fibre Channel director.
The two companies unveiled the technology partnership at the EMC World conference, held this week in Orlando, Fla.
By bringing encryption with RSA key management to the Cisco SAN switch, Cisco and its solution providers can deliver encryption as a service, said Rajeev Bhardwaj, director of product management in Cisco's Data Center Business Unit.
There are various places to add encryption to data, including encryption appliances and tape drives with native encryption technology, Bhardwaj said. However, those methods typically decrease backup speed, require customers to manage yet another device in the data center, and force them to reconfigure their data center infrastructure, he said.
"We will deliver encryption as a fabric service," Bhardwaj said. "To enable encryption on a SAN, customers just get a line card, insert it into the SAN switch and that's it. No infrastructure change."
The Cisco Storage Media Encryption technology, due out in the second half, will initially be aimed at encrypting data as it goes to tape, Bhardwaj said. Encryption of data at rest on hard drives or virtual tape libraries will be available afterward, he said.
Solution providers said encryption is starting to become important to larger customers, and it's good for vendors to seek new ways to address the issue. Yet they disagree on whether the SAN fabric is the right place to add encryption.
Cisco's move to add encryption and RSA key management to the SAN fabric reflects the vendor's plan to add intelligence to storage networks, said Jamie Shepard, vice president of technology solutions at International Computerware, a Marlborough, Mass.-based solution provider.
"The encryption piece is part of the next generation of what Cisco is trying to do in putting intelligence in the SAN fabric, including adding replication via EMC's Kashya, and Fibre Channel over IP," he said.
The encryption will make it easier to take Cisco SAN infrastructure to customers that previously hadn't considered it, according to Shepard. "It's great for customers," he said. "They don't need to hire different guys to run this piece and this piece and that piece."
Jason Forrest, national practice director at FusionStorm, a San Francisco-based solution provider that has been encrypting data using appliances from NeoScale, said combining the encryption, RSA key management and replication on the MDS 9000 is a good fit.
"There's value in completely consolidating with Cisco," Forrest said. "If you look at a Brocade switch with Fibre Channel and iSCSI, you'll have a stack of boxes, all with different management."
The new Cisco/EMC technology will simplify things, said Keith Norbie, director of the storage division at Nexus Information Systems, a Plymouth, Minn.-based solution provider. "It's a simple integration and should be easy to sell," he said.
However, customer acceptance depends on pricing, Norbie added. "With Cisco, if you need more Gigabit Ethernet ports, the cost per port on a blade for the MDS 9000 is much higher than buying another smaller Cisco Catalyst switch for a stand-alone workgroup," he said. "The law of economics will rule."
Bhardwaj said the Cisco SME, when used for encrypting data to tape, will compete well with tape drives with embedded encryption technology.
"Cisco is looking at operational efficiencies," he said. "There's a huge number of legacy tapes that aren't encrypted. Also, do you want one way to encrypt, or three? One way of key management, or three?"
Though Cisco is the first to integrate a SAN switch with EMC's encryption with RSA key management, the technology alliance isn't an exclusive arrangement, said Dennis Hoffman, vice president and general manager for data security and chief strategy officer at RSA.
"The technology is available to all," Hoffman said. "Cisco doesn't expect RSA to be the only technology on the market. And Cisco realizes that, despite having a growing market, it's not the only technology available on the market."
Wave at FIXS West Coast Conference in August
Session 2-2: Reducing Risk and Improving Security With Federated Solutions
Warren Blosjo [Moderator], 3FACTOR
Bernhard Keppler, Ellipson Data
Dave Nadig, Wave Systems
Stephen Orr, Cisco
More on Cisco and centralized "polic(y)ing" of networks
I thought that some good points are made below about a top-heavy approach to network security. Ultimately, I agree with Heraclitus on this one that the path up and the path down are one and the same.
http://www.digitalidworld.com/newsletter/Mar-29-07.html
Trust is Local
This editorial was inspired by a question (and the subsequent interaction) addressed to an identity management panel I participated in at last week's CSO Perspectives conference. The question was "who owns identity?" It was asked in the enterprise context of "ownership," as in what part of the organization should be given responsibility for and be held accountable for accurately sourcing identity information in an identity management deployment.
I answered a bit flippantly (as is sometimes my nature) that my observations indicate that asking this question usually leads to incorrect thinking and leads away from, not towards a good solution. I followed that with an explanation that there are many sources of enterprise identity, and thus many owners, with HR and the physical ID badge groups likely being the most accurate before any action is taken. I added that understanding and acknowledging the pre-existing sources of identity information is key to success in an identity management deployment.
But the question stuck with me on several levels, and on reflection I have come to realize this is yet another place where the nature of networks and how they transform things is often missed. Even in the apparently authoritative domain of an enterprise, identity is really networked. And it is becoming more so over time with increasing use of contract labor, outsourcing, business partner IT integration, etc. Thus "who owns identity" is ultimately quite similar to the recurring misleading question of the 1990's "who owns (or controls) the internet?"
Networks don't have "centers", rigid hierarchies, or even 100% definable structures. They are fluid and organic, changing structure constantly over even short periods of time -- even as they provide the same services and user experiences. This decentralized, adaptive structural nature is one of the big strengths of networks (making them hard to bring down). But technology has often fought against this nature of networks -- especially in the systems management and security arenas -- trying to model them as rigid, often hierarchical structures.
Permit me a brief apparent digression. Why do people speak of "Trusted Authorities", "Trusted Third parties", and even "Circles of Trust" but rarely "Trusted Networks"? The answer is that they intuitively know that an entire public network can never be fully trusted, only parts of it can. Relatively small parts at that.
In my series on the Third Wave of Identity I noted that security is local -- local to a device or physical location -- and that the ability to guarantee security is reduced the larger the "area" you attempt to secure. Trust is also local, but local to an entity. This is most easily seen if we assume the entity is a person.
You build up a trust relationship with a person over time. If a trusted person tells you that you should trust someone you've not yet met, you are likely to say "ok, I'll trust them". But if that person then says you should trust yet another person you've never met, and that the first person you truly trust has also never met, things begin getting tenuous (risky).
One of the big problem sets identity technology and methods are striving to solve is how can sufficient trust for a transaction be rapidly established between two entities that have no prior relationship. Realizing that trust is local reveals why such rapid establishment of trust must become an exercise in probability and statistical risk management and not a strict, 100%, yes/no binary process, and also why trusted third party vouching must be part of the process.
It is the fact that both security and trust are local that forces distributed networked computing and identity to shift from a security outlook (where you are either secure or you aren't and one vulnerability renders things useless) to a risk management outlook where risk is managed to an acceptable probability of success.
Once this is recognized, it in turn becomes clear that "who owns identity" is far less important than "do our management processes result in identity that is accurate to within our required risk tolerance?" Once that becomes the question, then approaches can be taken that acknowledge the network of distributed sources of accurate identity information and that create a network of identity management processes that align with the business and don't fight its structure.
That trust is local is a big reason why delegation through workflow, identity virtualization, and other identity networking technologies have become so key to successful identity management deployments. They allow identity to be "owned" locally in the various parts of an enterprise where it arises, letting the resulting identity stores become more trusted and accurate than they can be if the process is overly centralized.
It also indicates why the question of "ownership" of identity so quickly becomes a conversational black hole.
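The chain-of-introductions argument in the editorial above, worked through as an added example that is neither the editorial's nor the board's: trust is held locally per relationship, attenuates multiplicatively along a vouching chain, and a transaction is admitted against a risk tolerance rather than a binary yes/no. The entity names, scores and hop limit are constructed for illustration.

```python
"""Toy model of 'trust is local': each entity holds its own confidence in
its direct relationships; vouching chains multiply those confidences, so
trust decays with every introduction; a transaction is admitted when the
strongest chain clears a risk tolerance. Added example, not the editorial's."""
import heapq

# Constructed sample: locally held confidence (0..1) in direct relationships.
# Entity names are hypothetical.
LOCAL_TRUST = {
    "alice": {"bob": 0.95, "carol": 0.80},
    "bob": {"dave": 0.90},
    "carol": {"dave": 0.70, "erin": 0.85},
    "dave": {"frank": 0.90},
    "erin": {"frank": 0.60},
    "frank": {},
}


def best_chain(graph, src, dst, max_hops=3):
    """Find the vouching chain from src to dst with the highest product of
    local trust values, using at most max_hops introductions.
    Best-first search on the product (a max-product Dijkstra), with
    dominance pruning keyed by (node, hops) so the hop bound stays exact.
    Returns (probability, path) or (0.0, []) when no chain exists."""
    best = {}
    heap = [(-1.0, src, (src,))]  # negate so heapq pops the highest trust
    while heap:
        neg_p, node, path = heapq.heappop(heap)
        p, hops = -neg_p, len(path) - 1
        if node == dst:
            return p, list(path)
        if hops >= max_hops or best.get((node, hops), 0.0) >= p:
            continue
        best[(node, hops)] = p
        for nxt, edge_trust in graph.get(node, {}).items():
            if nxt not in path:  # no cycles; re-vouching never adds trust
                heapq.heappush(heap, (-(p * edge_trust), nxt, path + (nxt,)))
    return 0.0, []


def admit(graph, src, dst, risk_tolerance, max_hops=3):
    """Risk-management decision: admit iff the strongest chain reaches the
    required confidence. Returns (admitted, probability, path)."""
    p, path = best_chain(graph, src, dst, max_hops)
    return p >= risk_tolerance, p, path


if __name__ == "__main__":
    for tol in (0.75, 0.80):
        ok, p, path = admit(LOCAL_TRUST, "alice", "frank", tol)
        print(f"tolerance {tol}: admitted={ok} via {'->'.join(path)} p={p:.4f}")
```

Raising the tolerance or shortening the allowed chain changes the decision without any edge being "untrusted", which is the editorial's point about probability rather than a binary verdict.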