What are you going to talk about in your keynote address?
Needless to say, as leaders in authentication, I'm going to be talking about identity protection. I'll be talking about the fact that we need to have more ingenuity and imagination around identity protection. There can't just be one authentication solution. We need to have solutions that balance the risk to the individual and the entity, convenience and cost.
Cyota brings to RSA a new concept: passive authentication, which is authentication based on a risk profile that's developed for people accessing computer resources or doing transactions online. It allows us to create this layered approach to authentication where we go from passive to active depending on the [business'] requirements and the risk profile, the convenience and the cost of the various solutions. The RSA approach with Cyota is to not only have different solutions for different customers, but to have different solutions within our customers' constituencies.
One of our customers, someone like E*TRADE Financial, may implement strong authentication for higher risk transactions in the form of some active methodology for authenticating someone. Some of the more routine transactions -- even if they are significant -- might be satisfied with passive authentication that's based on the risk profile for an individual. We believe that's the way this market is going to develop.
Bruce Schneier made headlines earlier this year by saying that two-factor authentication really doesn't counter emerging threats. As a company that makes a good deal of money off strong authentication, what does RSA make of that criticism?
Bruce is always quick with the one-liner, but there's a difference between a one-liner and actually having a real conversation. We've never advocated strong authentication as a single security solution. We always believe in defense-in-depth. If people use strong authentication as opposed to static passwords, you would eliminate the vast majority of all fraud that's going on right now.
Can fraud persist around strong authentication solutions? Yes. And that's where the defense-in-depth comes in. Things like mutual authentication -- being able to authenticate that it really is the right Web site you're going to -- having the session encrypted, having antimalware and antispyware, are elements of defense-in-depth. But I guarantee you that if you had strong authentication in the mix, you would eliminate between 75 and 90% of this fraud.
So, when Bruce says strong authentication doesn't solve the problem, he's right. It won't solve it 100%. But, boy, I think the world would be a better place if we solved it to the tune of 75 to 90%.
Is federated identity the next big thing in ID and access management?
Federation has been a disappointment to me -- not because of the technology, which is ready and is being deployed. The problem is the inability for people that have a vested interest in seeing identities federated to come up with some business models to create trust between and among one another. I think it's going to be slow going. Where we see progress is in one-to-one type relations for federation. Where we don't see progress is in many-to-many. I also think development of a standard for creating a Web service to a degree of specificity that everyone can develop to -- XML -- is also slowing us down. And I think over time that will change. But I don't think federation is going to be the hot topic.
What is the hot topic?
Tightening the linkages. You see applications and operating system providers like Microsoft reaching down to the network. You see Cisco reaching up from the network towards applications. You see people developing endpoint solutions. You see people wanting to add strong authentication solutions at the front end of an SSL VPN. I think you'll see a lot of the gaps in security start to not only get covered, but to be tightly linked to create a better opportunity for defense-in-depth. Some security will be built in the platforms, more security will be built in the operating systems and more security will be built into wireless devices. It's an inexorable trend towards just tightening things up.
There are so many security events each year. What makes this one stand out?
One word: Content. We have from the beginning built our conference around educating -- first, educating around the key topics of cryptography and encryption, and then, over the years, we have broadened it. I think the fact that we were first -- the fact that we had some of the smartest people in security, the people developing encryption algorithms -- has been quite a draw. We were wise very early on to make it less about RSA and more about the industry, which is why it's developed into an industry conference.
Take us behind the scenes. What's the hardest part about hosting the entire security industry for a week-long event?
I don't do it by myself. We have industry leaders helping us decide what the content is going to be; the content is decided independently of RSA. We have 275-plus exhibitors at the expo. Again, it's not just RSA. All of those companies are hosts as well. Bill Gates gives the opening keynote. In theory, it's my conference and I don't even get to speak first. But Bill has been an excellent warm-up act over the years and I'm really appreciative of his efforts. (laughs)
Read more of our RSA Conference '06 coverage.