In the Boardroom With...
Mr. John Worrall
Vice President - Worldwide Marketing
RSA Security (NASDAQ: RSAS)
SecuritySolutionsWatch.com: Thanks for joining us today, John. Please give our audience an overview of your background and your role at RSA Security.
John Worrall: As the vice president of worldwide marketing at RSA Security, I am responsible for RSA Security's market strategy; global, corporate, and field marketing; product marketing and management; corporate communications; government affairs; and the RSA Conference events in the U.S., Europe and Japan.

Before I became VP of worldwide marketing, I headed up RSA Security's product management team and was responsible for the product strategy and plans for our authentication and access management solutions. I've been with the company for nine years, and have been in the high tech industry for more than 20 years.
SecuritySolutionsWatch.com: RSA Security has an impressive track record of "wins" in verticals such as finance and healthcare. Would you care to discuss a success story from three major verticals?
John Worrall: Sure. First, in the financial space, a good example is our work with E*TRADE Financial, where we work to secure their customers' online trading accounts with strong authentication using our RSA SecurID® technology.

Their E*TRADE Complete™ Security System is secured by RSA SecurID two-factor authentication tokens and user adoption has been impressive. This added layer of protection serves to harden the existing security infrastructure. Their customers continue to use the established User ID and password, but then enter a random six-digit code, generated by the RSA Security authentication token, that changes every 60 seconds. This prevents unintended or unauthorized access to a user's account. According to E*TRADE's CIO, Greg Framke, their customers really like the solution and more of their customers are now willing to move more assets to their E*TRADE accounts because of the protection RSA SecurID provides. He considers the use of RSA SecurID, which they brand as Digital Security ID, to be the padlock on the front door of their Internet business.
On the healthcare side, Blue Cross and Blue Shield of Kansas City is using RSA® ClearTrust web access management software to implement a series of initiatives designed to enhance web self-service for their members, healthcare providers and brokers. They wanted to transact business through an electronic interface so they could increase the speed and quality of their services, while simultaneously reducing costs. The interesting part of this story is that they also had a requirement to meet HIPAA guidelines: HIPAA is the Health Insurance Portability and Accountability Act, which sets strict guidelines for protecting personal health information. We were able to help them fulfill each of these diverse needs. They are also using RSA SecurID two-factor authentication to provide over 750 employees with secure and convenient remote access to the intranet from home or while traveling. RSA SecurID gives this Blue Cross organization the confidence that they are granting access to the right people, and to their protected resources.
Although we are strong in other verticals such as insurance and technology, we have an interesting and growing business in the real estate market. We are selling a focused solution based on RSA SecurID, and the Mid-Florida Regional Multiple Listing Service (MLS) organization is working with us and a partner, Secure Content Group, to secure valuable MLS data online. MLS data is unique: it is valuable intellectual property that helps realtors win deals, and this information lives in over 800 MLS organizations nationwide, so you can imagine the incredible opportunity this brings to RSA Security. With Mid-Florida, we successfully delivered over 25,000 tokens to their members in just three weeks, and the process was extremely easy. The neat thing is that they expect to save over $1 million of their subscribers' hard-earned commissions over the next three years, in part because now every realtor has to become an MLS member in order to obtain an RSA SecurID token to create a unique and trusted identity. Before the RSA SecurID-based program, some individuals were sharing passwords and identities to save money on membership fees. Not only did this limit revenue to the MLS, but it opened up potential breaches of sensitive data, such as the combinations of the lockboxes attached to doors on homes on the market.
SecuritySolutionsWatch.com: RSA Security recently announced that the U.S. Treasury Department Financial Management Service (FMS) and the U.S. Office of Personnel Management (OPM) have selected the RSA® Federated Identity Manager solution to help meet requirements related to the federal government's E-Authentication Initiative. Would you kindly give us an overview of the solution RSA Security has provided here to the U.S. Government?
John Worrall: I would be glad to tell you about this. First, the E-Authentication Initiative supports the President's E-Government Management Agenda, and aims to provide a standardized process for establishing and using electronic identities. This will eliminate the need for each federal agency to develop a separate solution for verifying identities and electronic signatures. Our RSA Federated Identity Manager solution will enable both agencies to leverage this technology to easily and securely share trusted identities across government departments, agencies and business units. For these government organizations and businesses worldwide, RSA Federated Identity Manager eases online collaboration, reduces administrative costs, increases security and improves the end-user experience.

At OPM, RSA Federated Identity Manager is being utilized within an electronic system that empowers Federal employees to manage their own discretionary payroll and personnel transactions. This includes more than 60 agencies and more than one million users. The E-Authentication Initiative is an important example of how federated identity technology may enable organizations to effectively share trusted identities online.
SecuritySolutionsWatch.com: Data loss and data protection are front page news now on a regular basis. Major companies often report that data is lost or stolen for hundreds of thousands of individuals. "Phishing" threats are becoming more prevalent and sophisticated and identity theft is on the rise. Please outline for our audience RSA Security's data protection strategies.
John Worrall: We approach the loss and protection of data in two ways. First, we provide data protection through our encryption software, RSA BSAFE, which happens to be the most widely deployed software in the world. We've sold over a billion copies, actually. This technology integrates into existing technology infrastructures. The software takes advantage of the latest cryptographic technology and industry standards to ensure that sensitive information remains private and critical business transactions remain trusted and secure. RSA BSAFE also protects wireless and embedded applications for customers such as Sony, Motorola and Nintendo.
In the financial space, you have probably heard a lot about tapes with customer data "falling off the truck". We're advocating that these organizations encrypt these pieces of data "at rest" from the get-go to ensure the privacy of sensitive information in databases, content management systems, and other critical data stores. If these repositories of data were to be encrypted in their original design, the ability to steal identities from the criminal possession of this data would be impossible. We believe this is a no-brainer and should be a standard practice for all, and we're working hard to educate the market. The unfortunate incidents that we read about every day are certainly helping to raise awareness of this issue.
Secondly, you bring up the hot topic of phishing and identity theft. According to the U.S. Federal Trade Commission, identity theft has become the world's fastest-growing crime. Consumers bear the emotional costs, but companies often bear the brunt of the associated financial costs. Notoriously easy to steal or guess, static passwords allow an intruder to access any online resources the legitimate user is entitled to see, and purchase items online with little likelihood of being caught and prosecuted.
RSA Security has always led the way in protecting businesses from these real threats with our RSA SecurID technology. For example, well over 300,000 online banking customers at Credit Suisse in Europe are using RSA SecurID tokens as a method of strong authentication to gain access to their online accounts, similar to how E*TRADE customers are doing so for their online trading accounts. And we have a range of strong authentication formats to suit the diverse needs of the user population.
Further, last month, we completed our acquisition of Cyota, and now have the broadest portfolio of software and services available to protect online identities and transactions. Cyota delivers online security and anti-fraud solutions to thousands of financial institutions worldwide, such as Bank of America, Chase, and Washington Mutual, including nine of the top 12 banks in the U.S. and the United Kingdom.
RSA Cyota solutions will give our customers more options, more choices and more flexibility when they assess and choose what authentication product or service serves them best. We can give them enhanced flexibility, through access to strong authentication and transaction protection solutions that fit individual lifestyles and security needs. This means that our customers can choose from a range of authentication techniques, from life questions, watermarking and anomaly detection to digital certificates, tokens and smart cards, depending on the risk associated with the transaction and the desired convenience.
We've established ourselves as a strategic hub for the consumer marketplace, providing the ability to authenticate and protect all aspects of online banking and e-commerce: end-users, merchants and transactions. RSA Cyota Consumer Solutions include an RSA SecurID-based hosted customer service; an anti-phishing service that provides 24x7 detection of phishing attacks, alerts to customers and fraudulent site shut-down; risk-analytics techniques to identify fraudulent activity in accounts; and a cross-bank collaborative online fraud network.
SecuritySolutionsWatch.com: What resources, such as webinars, case studies, and white papers, are available at www.rsasecurity.com for end-users?
John Worrall: When you visit www.rsasecurity.com, you'll see that we've provided a lot of resources to help educate the market about critical information security issues, such as identity theft and password management, and it is also a vehicle for communicating information about our product line and for reinforcing the fact that we are the leaders in protecting identities and digital assets.
I'd like to start with a newer portion of the website, it's called Speaking of Security, the RSA Security Blog. There, you'll read postings from RSA Security bloggers, each of whom has knowledge and interest in different areas of the security industry: R&D, developer solutions, engineering and government policy. You'll get to read their views on the industry's breaking news and trends, and gain a deeper understanding of the company's position, direction and attitude. It's becoming quite popular. Another new section is our Information Security Glossary, which we offer as an aid to understanding current concepts and initiatives in the realm of Information Security. We also publish our own magazine called Vantage, and will have a new issue next month during RSA Conference 2006. A major differentiator for RSA Security is RSA Laboratories, an academic environment which serves as our research center. It was founded by the inventors of the RSA public-key cryptosystem. Through its research program, standards development, and educational activities, RSA Laboratories provides state-of-the-art expertise in cryptography and security technology for the benefit of RSA Security and its customers.
We also offer a robust program of Web Seminars, which are complimentary, interactive e-learning resources that both introduce and demonstrate the business value and potential of RSA Security's solutions, and help educate the industry on new standards, regulations and issues such as identity theft and password management.
In addition, we offer a roster of customer success stories to offer third party case studies of how our identity and access management solutions are working to solve problems at firms around the globe. Finally, most of our online resources can be found in our Content Library, where you can find items such as white papers, solutions briefs and technology backgrounders.
SecuritySolutionsWatch.com: Government mandates and new legislation are driving public and private sector enterprises to improve the security of their networks. Please give us an overview of these Government initiatives.
John Worrall: I will start with HIPAA, since that has already come up in our conversation. A comprehensive law for the medical industry, the Health Insurance Portability and Accountability Act is especially important for its security implications. A portion of the law, the Administrative Simplification provisions, was developed to encourage the industry to work with healthcare information in its electronic forms. The provisions included standards for protecting the privacy of patients and for information security. As one of the first laws that applied to both privacy rights and information security in the United States, it has wide reaching implications.
Then there is the Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) of 1999, which applies to all financial institutions in the U.S. and is regulated by the Office of the Comptroller of the Currency (OCC). GLBA requires that financial institutions ensure the security and confidentiality of customer personal information against "reasonably foreseeable" internal or external threats. From an information security perspective, organizations must implement a process that assesses and monitors the threat environment, as well as the tools and policies to counter threats, including access controls, authentication, encryption, data integrity controls and audit controls.
And there's the Sarbanes-Oxley Act (SOX), a piece of legislation that regulates all public companies. This is more formally called the Public Company Accounting Reform and Investor Protection Act and is comprehensive legislation intended to reform the accounting practices, financial disclosures and corporate governance of public companies. SOX mandates that organizations ensure the accuracy of financial information and the reliability of systems that generate it. Section 404 of SOX requires that management perform an assessment of internal controls over financial reporting and obtain attestation from external auditors, on an annual basis. In today's businesses, information technology (IT) systems are inextricably linked with financial reporting, and information security is essential in ensuring the reliability of these systems. Therefore, the guidance starts from the premise that single-factor authentication, as the only control mechanism, is not adequate to reliably authenticate online banking customers.
Something that is of particular interest to financial institutions and RSA Security is the recent guidance from the Federal Financial Institutions Examination Council (FFIEC). Regulators have now noted that passwords have become highly vulnerable in the face of changing threats, including phishing, pharming, various types of malware and other evolving attack techniques. On Oct. 12, 2005, the agencies of FFIEC published joint guidance entitled Authentication in an Internet Banking Environment, recommending that financial institutions and their application service providers (ASPs) deploy security measures to reliably authenticate their online banking customers. The FFIEC published its guidance after the Federal Deposit Insurance Corporation (FDIC), one of the five agencies of the FFIEC, had issued similar recommendations in a study on Putting an End to Account-Hijacking Identity Theft of December 2004.
Among the measures the FDIC recommended to its member banks in that report was upgrading from single-factor to two-factor authentication for access to online banking. Another related recommendation also was included in the FDIC's July 2005 Guidance on Mitigating Risks From Spyware. FFIEC's October 2005 guidance considers single-factor authentication, as the only control mechanism, to be inadequate for online banking. Rather, banks should use authentication (the process of verifying the identity of a person or entity) methods that are both effective and appropriate to the risks associated with online banking. These methods include multifactor authentication, layered security or other controls reasonably calculated to mitigate those risks.
It is important to note that the guidance is not a formal regulation; it does not create any legal obligation for banks. It is only a recommendation, strong guidance to be exact. Financial institutions are taking this guidance seriously and implementing it because the guidance comes from not one, but five regulatory agencies of the financial sector, and because all five agencies of the FFIEC have given banks a deadline of Dec. 31, 2006 to comply.
Finally, our encryption solutions have been certified under the rigorous U.S. government cryptographic standard, Federal Information Processing Standard (FIPS) 140, ensuring our customers meet the stringent requirements needed to maintain the security of government applications and data. Our solutions have been used in numerous military and civilian equipment and system applications including internal agency I.T. systems, aerospace systems, munition systems, and others.
SecuritySolutionsWatch.com: The 15th anniversary of RSA Security's annual conference is coming up February 13-17 in San Jose, CA. How about an overview of the Conference?
John Worrall: We are proud to celebrate the 15th anniversary of the annual RSA® Conference, which we will hold in the U.S. in February, as you mentioned, and then in Japan in the spring and in France in the fall. We are especially proud to be the producers of the RSA Conference as it is the largest and most comprehensive event for information security professionals. We also are careful to maintain a "church and state" policy where the RSA Security corporate business and the RSA Conference division are separate from each other, and are actually located on different coasts of the United States. This helps to ensure a vendor-neutral industry-wide event.
At a time when most technology conferences are growing in the single digits, last year our conference grew in attendance by 40%, with 14,000 attendees. This year the booth space sold out in record time, and our call for papers submissions were in the thousands. I think you would have a challenge in booking a hotel room in San Jose these days.
The RSA Conference provides a forum for information security professionals to learn, network and grow professionally with thousands of their peers, industry experts and leaders, and it is all under one roof at the McEnery Center. We have a vast lineup of keynote presenters, including Bill Gates from Microsoft, John Chambers from Cisco, Gary Bloom from Symantec, and our own Art Coviello.
We have more than 200 class sessions offered in 17 tracks, and more than 275 exhibitors who represent the top companies in the industry. And every year, the RSA Conference is built around a different historical theme which highlights a significant use, or misuse, of information security. In 2006, the theme is centered on ancient Vedic mathematics, and a mathematical Sage named Aryabhatta.
SecuritySolutionsWatch.com: Thank you very much for your time today, John.