It’s The Database, Stupid

Bill Nagel

Yesterday’s announcement that the Clear service could soon be baaaaack, along with a spate of recent client questions on electronic credentials and biometrics, has triggered this post.

My colleague Andrew Jaquith’s analysis of the myriad problems with the way that Verified Identity Pass and the TSA handled the Clear shutdown in June (including the potential for customers’ PII to be sold off) was spot on.


The new math: Does RSA + MSFT = the future of data-centric security?

[Written by Thomas Raschke and Bill Nagel]

On December 4, 2008, RSA and Microsoft jointly announced the imminent release of a collaboration that integrates RSA's Data Loss Prevention (DLP) product into Microsoft’s enterprise offerings. Initially, this means an integration between RSA's DLP 6.5 and Microsoft’s Active Directory Rights Management Server (AD RMS). The DLP product identifies and classifies sensitive information and RMS automates policy enforcement based on a company's existing AD structure. The integration is admittedly relatively basic to start, but in the long term the two companies expect DLP to be tightly woven into the fabric of Microsoft's enterprise products — identity-enabled data protection sitting deep within a company's Microsoft infrastructure.

What it means: All things considered, this is good news for every CISO. Microsoft has by far the broadest technology base; teaming up with a true security front-runner like RSA offsets the fact that Microsoft has arguably also faced the widest range of security challenges in the past. The partnership addresses today's prime security challenge: By and large, firms tell us that the need to keep sensitive information from leaking to people and places both inside and outside the corporate perimeter is the single biggest obstacle they face.


EIC 2008: Takeaways from Europe's biggest identity event

Bill Nagel

Several weeks on and I'm still digesting the massive amount of information and insight from the second European identity conference in Munich, organized by Kuppinger Cole. Five days chock-full of content (7 am to 7 pm every day!), 50 exhibitors, 130 speakers, four workshop tracks, five theme tracks, and 25 best-practice sessions. Hundreds of delegates showed up from all over, even though Infosecurity 2008 was raging in London the same week. EIC 2008 was a superbly run event, with the seemingly inexhaustible Martin Kuppinger at the center of the storm.


End user security psychology, part II: Can knowledge-based authentication be effective?

Bill Nagel

Another post on Finextra discusses some recent research out of New Zealand that found that the longer an authentication process drags on -- the more gantlets a user needs to run before being let in a site's front door -- the less secure users perceive the site to be.


End user security psychology, part I: Are small mobile computers less secure than larger mobile computers?

In the course of researching mobile authentication and mobile signatures -- using a cell phone as the alternative to a token for identity, authentication, and signing purposes -- this post from Finextra’s Chris Skinner on why mobile banking and payments don't work (yet) caught my eye. Hint: People don't want them. But why?

Given that my colleagues serving eBusiness, channel, and product marketing professionals are also officially skeptical about the prospects of mBanking and mPayments, I expected him to trot out one of the usual rationales for this, including:
