Layered Security Approach in the Real World
My name is Fran Rosch and I manage the group that writes this blog and develops VeriSign's identity and authentication solutions.
I just got back from a two-week trip to India, Israel and London talking to customers, prospects, and VeriSign team members. I spent much of the time talking about how customers should deploy solutions that are very "risk based." When consumers access lots of critical data or financial assets on a customer's Web site, a user name and password are probably not enough. But how much is enough? Does one solution fit all? How much should we change the user experience? How much should we spend on security and authentication?
As I traveled through the airports in San Francisco, Frankfurt, Bangalore, Delhi, Mumbai, Amman, Tel Aviv and Heathrow, I was struck by the very different security policies, and I realized that the airports also deploy "risk-based" approaches, just as we recommend for our customers' Web sites. Here are some of the different approaches I noticed:
* The BA flight leaving from Tel Aviv to London was the highest risk and had the maximum security. As you would expect, the security in Tel Aviv was very tight, with about five layers of screening, including in-depth personal interviews, bag checks that opened every compartment, dogs, etc.
* However, the security for the flight from Bangalore to Delhi was not high, because domestic flights are not as sensitive.
* The flight from London to SFO had tighter security: you couldn't take liquids on board, even though that was OK at other airports.
This reminds me of the point that we make to our customers: use layers of security to catch different types of fraud, security that maps to different types of risk. And here are examples in the offline world where it already works!
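To make the risk-based, layered approach concrete, here is an added example (constructed for this page, not VeriSign's product or the author's code): a small Python policy engine that scores a request from several independent signals and demands more authentication layers as the score rises, so the same user name and password is enough for a low-risk request and only the first of several checks for a high-risk one. The action names, signals, weights and thresholds are assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Layer(str, Enum):
    """Independent authentication layers, cheapest first.

    Each layer is defeated by a different kind of fraud, which is why they
    are stacked rather than swapped: a phished password does not help an
    attacker who also needs the user's token and phone.
    """
    PASSWORD = "password"            # something the user knows
    OTP_TOKEN = "otp_token"          # something the user has (one-time code)
    OUT_OF_BAND = "out_of_band"      # confirmation on a second channel
    MANUAL_REVIEW = "manual_review"  # held for a human (the "personal interview")


@dataclass
class Request:
    """Signals about one request. Field names are assumptions for this example."""
    action: str                    # what the user is trying to do
    amount: float = 0.0            # money involved, if any
    known_device: bool = True      # has this device authenticated before?
    country_changed: bool = False  # different country from the last login
    minutes_since_last_login: int = 24 * 60
    failed_logins_today: int = 0


# How sensitive each action is on its own (0 = read-only, 4 = moves money).
# Unknown actions get a middle value rather than being treated as harmless.
ACTION_SENSITIVITY = {
    "view_balance": 0,
    "view_statement": 1,
    "change_email": 3,
    "add_payee": 3,
    "transfer_funds": 4,
}


def risk_score(req: Request) -> int:
    """Add up independent risk signals; no single signal decides the outcome."""
    score = ACTION_SENSITIVITY.get(req.action, 2) * 10
    if req.amount >= 10_000:
        score += 40
    elif req.amount >= 1_000:
        score += 20
    if not req.known_device:
        score += 25
    if req.country_changed:
        score += 25
        # "Impossible travel": a new country less than an hour after the
        # last login is a strong account-takeover signal on its own.
        if req.minutes_since_last_login < 60:
            score += 30
    if req.failed_logins_today >= 3:
        score += 20
    return score


def required_layers(req: Request) -> list[Layer]:
    """Map the score to the layers the user must clear, cheapest first.

    Thresholds are illustrative; a real deployment tunes them against its
    own fraud and abandonment rates.
    """
    score = risk_score(req)
    layers = [Layer.PASSWORD]  # every request starts here
    if score >= 40:
        layers.append(Layer.OTP_TOKEN)
    if score >= 80:
        layers.append(Layer.OUT_OF_BAND)
    if score >= 120:
        layers.append(Layer.MANUAL_REVIEW)
    return layers


def decide(req: Request, passed: set[Layer]) -> str:
    """Return "allow", or "step_up:<layer>" naming the next layer still owed.

    Layers are demanded one at a time, so a low-risk user never sees the
    friction that a high-risk request earns.
    """
    for layer in required_layers(req):
        if layer not in passed:
            return f"step_up:{layer.value}"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests: same credential, very different risk.
    low = Request("view_balance")
    medium = Request("transfer_funds", amount=500)
    high = Request("transfer_funds", amount=15_000, known_device=False,
                   country_changed=True, minutes_since_last_login=30)
    for name, req in [("low", low), ("medium", medium), ("high", high)]:
        print(name, risk_score(req), [l.value for l in required_layers(req)])
    print(decide(medium, {Layer.PASSWORD}))                   # step_up:otp_token
    print(decide(medium, {Layer.PASSWORD, Layer.OTP_TOKEN}))  # allow
```

The point of the design is that the signals are additive and the layers are independent: a balance check from a recognised device gets the password alone, a small transfer adds a one-time code, and a large transfer from a new device in a new country minutes after the last login is held for review, exactly the way the Tel Aviv flight got five layers of screening while the domestic flight got one.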