In the Boardroom With...

Mr. Joram Borenstein
Senior Product Marketing Manager
RSA, The Security Division of EMC
www.emc.com
NYSE: EMC


SecurityStockWatch.com: Thank you for joining us today, Joram. Please give us an overview of your background and your role at RSA, which is now part of EMC.

Joram Borenstein: My current role is Senior Product Marketing Manager in the Identity and Access Assurance Group of RSA, The Security Division of EMC, where I have responsibility for product marketing, product strategy, sales support, and technology evangelism, and more. Since joining RSA 2 years ago, I have worked on a wide range of products and technologies, including our authentication, anti-fraud, monitoring, verification, and authorization products in a number of remote channels (Web, Mobile, IVR), verticals (financial services, health care, government, insurance), and geographies (EMEA, US, Asia-Pacific/Japan).

Before RSA, I was Product Manager and Director of Marketing at Unicorn Solutions, a metadata and ontology management software company acquired by IBM in 2006. Prior to that, I was a Product Manager at VCIX, a content management software developer.

SecurityStockWatch.com: We understand you’ll be speaking at the upcoming NACHA – Payments 2008 Conference. May we have an overview of the topics you’ll be addressing?

Joram Borenstein: Fraud (and online fraud in particular) is in a constant state of flux and development. Fraud tends to migrate across geographies, industries, and channels as both new security mechanisms are put into place and as fraudsters identify new tools and vulnerabilities to attack organizations worldwide. Specifically, RSA is currently seeing a series of patterns having to do with new emerging threats such as Trojans and Man-In-The-Middle (MITM) Attacks, a significant movement towards IVR / Call Center Fraud, and a focused attack on new account enrollments.

The topic which I will be speaking about (with Jack Henry & Associates) is entitled “The Connection Between ACH Fraud & Threats to Online Banking” and dives into the relatively new issues that have emerged in the United States in the past 12 months having to do with ACH Fraud. Our RSA Adaptive Authentication customer base of over 8,000 financial institutions is seeing an up-tick in attempted transaction-based and transaction-specific fraud having to do with high-risk activities in the online banking channel. ACH Fraud, in particular, has surfaced as a worrisome new trend as the fraudster community builds out new tools for attacking financial institutions.

We – and more importantly our customers – believe that this movement towards a growth in ACH Fraud ironically has to do with the fact that the majority of US financial institutions, in complying with the FFIEC Guidance in late 2006 and early 2007, locked down only the login portion of their online banking portals. By focusing on login only, many financial institutions did not do enough to suitably protect their post-login activities, or transactions (of which ACH transfers are just one type). In an effort to protect themselves and their customers against ACH Fraud, American financial institutions have had to strike a balance between protecting these activities and yet also encouraging confidence in their customers to continue using online banking.

SecurityStockWatch.com: Please give us an overview of RSA solutions, competitive advantages, and RSA’s value proposition.

Joram Borenstein: In response, RSA is ushering in a new information-centric approach to security that will empower leading companies worldwide to address these challenges and move ahead with the confidence to compete and win in today’s marketplace. Fueling our mission is the passionate belief that security should be about lifting business limitations, not imposing them.

Enterprises are now global, virtual and dependent on dynamic information access. By nature, digital information is in constant motion throughout its lifecycle, often leaving the secured network perimeter via laptops, PDAs, email and backup tapes. In this shifting landscape, the battlefront in security is rapidly changing from securing the perimeter to protecting the information itself. RSA is responding to this need with an information-centric approach to security that guards the integrity and confidentiality of information throughout its lifecycle—no matter where it moves, who accesses it or how it is used. With information-centric security, organizations can be confident their information assets are protected, freeing them to explore new models, markets, partnerships and innovations.

RSA’s technology, business and industry solutions—coupled with professional services and third-party strategic partnerships—help customers put critical information into the hands of the people who need it, while protecting that information against unauthorized access. Its family of information-centric security solutions includes:

  • Data Loss Prevention - Data is your company's greatest asset. The accidental loss, manipulation or theft of that data is your greatest risk. The RSA Data Loss Prevention Suite is a solution that discovers, monitors and protects your sensitive data from loss or misuse whether in a datacenter, on the network, or out at the endpoints.
  • Encryption and Key Management - Effective, persistent security for your information requires encryption controls that can secure any level in the IT stack: storage, database and file server, application, end-point, and network layers. Encryption addresses different risks at each layer. RSA, EMC, and its technology partners offer products for all of these levels - enabling you to secure sensitive data whether it is at rest, in motion, or in use across your organization.
  • Security Information and Event Management (SIEM) - Over 1000 customers have embraced the RSA enVision™ Platform as their Security Information Event Management solution. Learn how you can transform raw log data into critical information to support your compliance, security, IT and network challenges.
  • Authentication - Authentication solutions from RSA assure identities to a system, resource, information or a transaction based on risk.
  • Fraud Prevention - Fraud prevention solutions from RSA offer protection against identity theft and other external threats targeting customers - regardless of the channel they choose to conduct their business.
  • Access Control - Access control solutions from RSA allow companies to manage large numbers of users while enforcing a centralized security policy that ensures compliance, protects enterprise resources from unauthorized access and makes it easier for the right users to securely gain access to the right information.
  • Credential Management - Credential management solutions from RSA provide full lifecycle management and policy administration for credentials used in the identity verification and assurance process.

SecurityStockWatch.com: What are your target markets and what is your perspective on the market drivers for RSA solutions at this time?

Joram Borenstein: RSA helps organizations in a wide array of industries to protect and manage identities and information access. These industries include but are not limited to:

  • Automotive
  • Consumer/Retail
  • e-Commerce
  • Financial Services
  • Government
  • Healthcare
  • Real Estate
  • Technology

RSA’s customers want to work with fewer vendors with broader security offerings who can provide a holistic approach to information security. Security budget justifications are trending towards risk factors throughout the information infrastructure. We’re seeing a dramatic increase in spending to prevent data breaches and protect credit card data and personally identifiable information.

Key management and data loss prevention technologies have been particularly popular in this respect. In the financial services industry, much of the focus continues to be on managing risk and protecting online transactions through risk-based authentication. And getting more attention than ever is the ability to track and analyze all security events on a network, to not only protect against data breaches, but to provide the key log and audit mechanisms to meet regulatory compliance mandates.

Both consumers and businesses face an increasingly sophisticated crimeware ecosystem which specifically targets vulnerable groups, including employees of financial institutions and executives.

This crimeware ecosystem is complex, methodical, and professional, focusing on social engineering, vulnerable applications such as enrolling new customers, and vulnerable channels such as telephone banking. Just like businesses, cyber criminals have a “go-to-market” strategy that starts with attacking the largest major markets first, like the United States. Now we are seeing increasing online fraud in Japan and a dramatic increase in malicious online activity based in the city of St. Petersburg.

SecurityStockWatch.com: Are there one or two “wins” or success stories in the Enterprise verticals you’d like to talk about? And, how about one or two wins in the Government space?

Joram Borenstein: RSA often provides Identity Assurance solutions for enterprises that prevent account misuse and identity impersonation. Some examples of this include RSA providing identity assurance solutions to over 8,000 financial institutions and over 100 million online accounts worldwide, with online banking protection deployed in the US, Canada, the UK, Brazil, Spain, Israel, Kuwait, Japan, Australia, India, and elsewhere. These customers include: Bank of America, Wachovia, Washington Mutual, E*Trade Financial, The Vanguard Group, Zions Bank, Bank of the West, ING Direct, UMB Financial, Monex Japan, Alliance & Leicester (UK), and others. RSA also has over 30,000 enterprises using its products to protect over 20M employee accounts to secure access to their networks and web applications.

One specific Enterprise win that comes to mind is Accor North America, the major hotel operator. RSA solutions have been critical to Accor North America’s ability to achieve compliance with the Payment Card Industry Data Security Standard, and rapidly implement a progressive data protection strategy.

Accor North America operates six hotel brands, and they share the booking of reservations between the properties and the central infrastructure. There are several different networks and applications that share credit card information on a daily basis. They needed the ability to seamlessly encrypt data both at the point of sale and centrally to protect this information from being accessed by identity thieves intending to commit fraud.

Accor North wanted the ability to encrypt transaction information at each hotel, and also encrypt transactions as they were processed at the call center or via the web. They conducted an evaluation and selected RSA Key Manager for encrypting credit card data. RSA not only had the right technology solution, but also the professional services expertise to help them implement encryption across their enterprise.

The US Social Security Administration is a win in the Government space. They currently have 100,000 user licenses of RSA Card Manager.

The Social Security Administration, faced with the requirement to comply with the Homeland Security Presidential Directive 12 (HSPD-12) mandate by the end of October 2006, selected RSA Card Manager to provide smart card management for its employee identification system, including the issuance of PIV cards for all employees, and management of the lifecycle of the digital certificates stored on the cards and the cards themselves. The agency issued an RFP for card management software requiring that the solution be interoperable with existing equipment and be able to manage additional third-party components such as biometric capture and verification technology, hardware security modules, the Oberthur bureau card personalization system, and public key infrastructure. There were essentially two series of requirements that needed to be met. One is the system itself, with components that include identity proofing, registration, credential issuance and management. The other includes the specific security requirements for the card as well as the interoperability with other government agencies.

RSA was one of the first companies in the HSPD-12 space to get certified by GSA and on the Approved Vendors List. As SSA began to take a closer look, they realized that GSA approval was just the tip of the iceberg. The system would also need to work with the existing HR management system and the agency’s incumbent PKI infrastructure. The system they would build would need to work flawlessly from the beginning, with a few issuing stations to issue a few hundred identities. However, it would need to scale to 1500 enrollment stations in one year, and be the centerpoint for the PKI certificates for all 85,000 SSA employees.

RSA’s Card Manager system communicates with issuing stations through a web-based interface, so it scales quickly and effortlessly regardless of geography. Post-issuance management and user self-service for functions such as PIN changes are also supported.

The Transportation Worker Identification Credential (TWIC) is another fantastic win for RSA. They currently hold 1.1 million licenses of RSA Card Manager. TWIC is a smart card credentialing program that will ensure individuals who pose a threat do not gain unescorted access to secure areas of the nation's maritime transportation system. The TWIC program provides a tamper-resistant, biometric-enabled smart card credential to maritime workers requiring unescorted access to secure areas of port facilities, outer continental shelf facilities, and vessels regulated under the Maritime Transportation Security Act, or MTSA, and all U.S. Coast Guard credentialed merchant mariners. Initially, an estimated 750,000 individuals will require TWIC credentials, and enrollment and issuance of the TWIC credentials has begun in over 25 ports across the US. To obtain a TWIC, an individual must provide biographic and biometric information such as fingerprints, sit for a digital photograph and successfully pass a security threat assessment conducted by TSA.

RSA provided RSA Card Manager and RSA Authentication Client for FIPS to enable TSA to issue TWIC credentials to secure the nation's ports. The Transportation Worker Identification Credential (TWIC) is a smart card based identification credential that requires card management software for issuance and middleware for logical use of the credential. RSA developed a secure bureau interface to Oberthur Card Systems to allow the TWIC smart cards to be both graphically and electronically personalized in a TSA-controlled card bureau located in Corbin, Kentucky. This bureau interface allows for card batches from ports all over the country to be produced in a secure centralized location and then redistributed across the country for secure activation at the ports. The TWIC cards are then ready to be used by the port workers for identification and port access.

RSA Authentication Client for FIPS is used to securely log on to the TWIC enrollment and issuance workstations via certificate-based authentication using the digital certificates on the TWIC smart card. RSA’s smart card middleware (RSA Authentication Client for FIPS) is also used to digitally sign the enrollment packages of the transportation workers, which contain sensitive personal information such as biometrics and digital photographs, to ensure the security of these data packages. Used for logical authentication by the trusted agents of the TSA, the RSA Authentication Client for FIPS makes the contents of the TWIC smart card accessible to applications through standard interfaces including the Microsoft Windows Cryptographic Application Programming Interface (CAPI), as well as the interface defined in Public Key Cryptography Standards #11 (PKCS#11). Ubiquitous desktop applications, such as Microsoft Internet Explorer and Microsoft Outlook, use the TWIC smart card with these interfaces in place.

SecurityStockWatch.com: Thanks again for joining us today, Joram. Are there any other subjects you’d like to discuss?

Joram Borenstein: Yes, Identity Assurance and Information Risk Management. Identity Assurance is the set of capabilities and methodologies that minimize business risk associated with identity impersonation and inappropriate account use.

Today’s competitive global market is driving an insatiable appetite for business models that turn digital information into competitive advantage. The need for anytime, anywhere access to this digital information is shared by employees, customers, and partners. This ubiquitous exchange of information inside and outside the enterprise is driving identities and sensitive data headlong into dynamic threats from a very sophisticated global hacker network, making Identity Assurance a business imperative.

Information risk management is a highly effective strategy that ensures comprehensive information security, aligns security investments to the business and reduces the cost of compliance. Information Risk Management “follows the information” to determine where the risks are, and how to best prioritize security investments to drive the business forward. By taking an information-centric approach it provides the most effective means of recognizing, assessing and mitigating the risk information is exposed to throughout its lifecycle. Identity Assurance supports an information risk management process by helping to define and enforce policy around users and access and providing the essential technology controls to mitigate risks related to unauthorized access.

Identity Assurance creates trust by defining identity policy, verifying new identities and managing credential issuance. It manages authentication and provides context for what a trusted identity can do. And it provides knowledge back to the enterprise of what an identity has done, alerts on suspicious activity and provides valuable information of emerging threats so organizations can be well informed as they manage information risk. RSA's Identity Assurance portfolio extends the power of user authentication from a single security measure to a continuous trust model that is the basis of how an identity is used and what it can do. Trusted identities bring confidence to everyday transactions and are the foundations for new business models providing secure access to corporate resources and transactions while striking the right balance between risk, cost and convenience. RSA's Identity Assurance solutions apply appropriate access controls to mitigate risk according to the value and criticality of the data, application, identity or transaction.