Security 2.0 and the Challenge of Managing User Identities
Introduction
Not that long ago, most companies could enumerate the connection points into the corporate network: a known number of VPN concentrators and dial-in modems. Today the perimeter is no longer defined by network devices at all. Instead, the people using the system (employees, customers, guest users, vendors, partners) constitute the new boundary.
Speaking at the recent RSA 2007 Conference, Symantec Chairman and CEO John Thompson was blunt: “During the past year, we’ve seen some critical changes in the evolution of security. Today, the battleground for security isn’t just the device. It’s also about protecting the information that is being shared and the interactions that are happening online. Today, the network perimeter can’t be locked down. It’s no longer defined by physical assets in the data center or desktops in the office. The reality is: people are the new perimeter.”
This article elaborates on a new approach to risk management known as Security 2.0, with special attention paid to how it protects users’ identities.
A user-centric approach
As a recent article on Security 2.0 observed, protecting information and securing interactions takes more than bolted-on security. It takes integrated products and services that provide a holistic view into an organization’s security posture. It also takes solutions that identify risks early — so that steps can be taken to mitigate them and prevent an attack. And it entails enabling customers to manage their security events — no matter what products they may already have installed.
A cornerstone of Security 2.0 is identity protection, what Symantec’s Thompson has called “the most pressing challenge facing the [security] industry today.”
“At the corporate level, the deployment of identity management systems has essentially stalled,” he told RSA 2007 attendees. “But changes in corporate governance requirements and other regulatory initiatives will force enterprises to restart these projects. Part of that will mean extending identity management beyond the enterprise to the customers, partners, and vendors that they interact with.”
A look at recent events underscores Thompson’s point. A compromise that results in the leakage of personal identity information can result in a devastating loss of public confidence, legal liability, and costly litigation. Consider the experience of retail giant TJX. The company recently owned up to the compromise of nearly 50 million debit and credit cards, stolen by hackers who accessed TJX computer systems over a period of several years. It has been called the biggest breach of personal data ever reported.
The fact is, the paradigm has shifted when it comes to security. Enterprises now have the responsibility to secure whoever connects to their networks, regardless of whether they are employees, customers, or partners. Enterprises have to assume that those users and their devices are not protected, and provide the security that enables them to interact with the organization safely and to have confidence in that connected experience.
“Accepting responsibility for the security of a device accessing your network — when it’s not owned or managed by you — is a radically new concept in our world,” says Thompson.
Failure to address this new security paradigm isn’t an option. According to a Gartner and Cyber Security Industry Alliance study, 53% of Internet users have stopped giving personal information to websites due to fear of identity theft, and 14% have stopped paying bills online.
The evolution of the online experience
The potential for online applications and services built upon a solid identity foundation is almost limitless. While commerce gets much of the attention, communication technologies such as email and instant messaging can also be significantly enhanced by identity protection. In addition, social networks, parental controls, fraud and risk reduction systems, digital rights management, and file sharing can benefit greatly from emerging identity protection systems. Clearly, digital identity is a primary building block in the evolution of tomorrow’s online experience. And the availability of robust identity protection solutions is the key to the adoption of tomorrow’s new services.
While security is not the main objective of identity management, it has been called the “foundational prerequisite” for trusting and using new online services. The ultimate objective is to instill trust in the new functionalities that identity services enable. To be successful, the security foundation must protect user privacy, provide reliable identity verification, and enable mutual trust between the parties to a transaction. Privacy is paramount. For users to want to participate in such a system, they must be confident that it will protect their privacy and will not disclose identity information without their consent. They must also be confident that their information will be adequately protected and not disclosed to unintended parties. Finally, the parties involved in an identity-related transaction need a means of determining how much to trust each other, in both directions: the service must be able to verify the user, and the user must be able to verify the service. A system must provide these capabilities as a foundation before higher-level, identity-enabled services can be built on it.
Conclusion
Organizations that deliver a secure experience to end users — regardless of whether they’re partners, suppliers, or customers — will not only reduce their risks but also create a competitive advantage for their companies. With more secure identities and transactions, businesses will be better able to retain customers and reduce their own risk of fraud. The ultimate goal of Security 2.0 is the protection of users — regardless of the device they use, the online transaction they conduct, or the threat they face.