SAN JOSE, Calif. -- To help reduce growing friction between user privacy and enterprise security, businesses should...
re-evaluate how much they need to know about people before vouching for their identities online, according to Tuesday's keynote speaker Art Coviello.
In a separate address to the 15,000 attending this year's conference, Sun Microsystems chairman and CEO Scott McNealy asked the IT community to embrace open-source software and platforms to improve overall security and encourage more global online participation.
Both speeches touched on a growing threat to Web-based information exchange: eroding consumer confidence. That unease is due to malware outbreaks, fraud and identity theft that could pose a serious barrier to widespread use of the Internet to buy goods and services or merely swap useful information for the greater world good. It also poses a problem for companies that must manage and safeguard many more digital identities due to partnerships, business expansion and regulatory compliance.
During Coviello's keynote, the president and CEO of RSA Security said the industry must do a better job of managing digital identities to make end users more comfortable divulging necessary personal data. He suggested a model that mirrors the physical world, in which the needed identity exposure is aligned with a transaction's actual risk.
"For too long now organizations have blundered into a one-size-fits-all authentication scheme that does not fit their need," he said. Or, Coviello noted, enterprises have done the opposite and ditched authentication altogether.
Coviello suggested an adaptive approach, ranging from allowing anonymity for no- or low-risk transactions to "Absolute ID" for high-risk transactions such as online banking or stock exchanges. The middle ground is what he termed "pseudonymity," calling for some personal information, such as a membership number or user name, without requiring much, if any, additional action by the user.
Similarly, enterprises should consider letting users self select the level of information they're most comfortable providing, volunteering more private data for transactions they deem more risky. In some instances, though, it may be wise for the company to make that call. For example, a bank may allow a weaker level of authentication to customers with less than $5,000 in an account, but require multifactor authentication for those with higher balances.
Regarding the threats that currently erode confidence in e-commerce, particularly phishing, Coviello urged the security community to create "good community policing" of the crime-riddled virtual world. That requires more cooperation and intelligence sharing.
"We're all fighting the same fraudsters rather than fighting them in isolation. We can stop them by fighting together," he said.
Sun's McNealy also touched on the importance of preserving privacy without forsaking security.
"It's going to get scarier if we don't protect privacy and data," he told the audience. "If we can't protect that, people aren't going to go online."
McNealy maintained that we are moving from the Information Age, in which people primarily went online to access data, to a "Participation Age," in which users actively contribute to online communities.
In particular, the CEO touted Sun's contributions to the open-source movement and drew applause when he suggested more companies share their code, much as Sun has done for products within its portfolio, including its Sun Solaris 10 operating system and other, Java-based systems.
"It's a little Al Gore-ish to say we created open-source software, but we did," he said. McNealy decried monopolies in the server and desktop markets and said these systems continue to be more vulnerable to malware that targets the most popular software and hardware.
He advocated for more heterogeneous computing environments able to resist intrusions and viral outbreaks. "There is not enough genetic diversity on the desktop," he said. The same holds true for the server room, he added.
Another threat from a proprietary-based monoculture comes from what McNealy termed "barriers to exit" that prevent some companies from adopting different or next-generation software and appliances, often with enhanced security. Otherwise, he said, cash-strapped companies in particular have antiquated systems wrought with vulnerabilities and lacking advanced protections to the latest threats.
Joining McNealy on stage at one point was Sun vice president James Gosling, known as "the father of Java." Gosling extolled the virtues of open-source code that's constantly scrutinized in the user community. He drew chuckles when he offered this metaphor:
"Only when you can peek under somebody's underwear can you really, really see someone's stuff."
Also sharing the stage was Sun distinguished engineer Sheueling Chang, who announced that the company will begin supporting Elliptic Curve Cryptography (ECC) in its product portfolio. That includes Sun's Java System Web Server 7.0, which is key to the company's Java Enterprise System. The more efficient ECC algorithm is expected to save the time it takes to secure online transactions as well as strengthen security in small devices such as CPU-limited cell phones and PDAs.