Authentication (User) Blog
nicolas_popp | 05 Apr 2010 | 0 comments

This week is the week of the OpenID summit in Mountain View, California. We are all hoping that 2010 will be another pivotal year for open identity. There seems to be a combination of market forces that are making federated identity more attractive. In fact, we are hearing new compelling use cases for federation. A first example is cloud access and identity management. As enterprises shift their IT infrastructure and information to the cloud (as in IAAS, PAAS and SAAS applications), CIOs need to federate corporate identities with cloud service providers. For cloud resources, the corporate directory becomes the identity provider and the cloud services are the relying parties (and if you don't have a directory or don't want to use it for federation, Google is in the pole position to be your OP). Another interesting vertical ripe for federation is healthcare. Now that the Obama bill for healthcare has passed, one should expect a revival of health information networks (remember the...

nicolas_popp | 16 Mar 2010 | 0 comments

I could not resist the temptation. Trust Seal, the Trilogy is now on YouTube.

The first act is strictly business, but you may not want to miss act II and act III with Snikko the hacker. Rest assured. I have already promised the marketing team that there would not be a sequel.

nicolas_popp | 03 Mar 2010 | 0 comments

The Open Identity Exchange was launched this morning at the RSA conference in San Francisco. It is a significant step for federated identity as it will enable US government web sites such as the NIH to embrace open identity standards and roll out open identity services to US citizens. For example, the National Institutes of Health can now move out of the pilot phase and support accredited OpenID providers.

So, what is the Open Identity Exchange (OIX)? The OIX aims at enabling specialized trust frameworks or certification programs within a vertical community (e.g. US government, health care, financial services). Certification requirements for shared identity can be diverse and complex depending on the level of assurance required. Simply said, when it comes to trust, one size does not fit all.

You can think of a trust framework as the policy sibling of technical...

nicolas_popp | 23 Feb 2010 | 1 comment

Today, we are launching the VeriSign Trust Seal, a new service for small and medium businesses with an online presence. It is a big day for everyone at VeriSign who has been working really hard on the new service over the last 15 months. It is always a thrill to release a new product. It is even more exciting when there is a compelling and long-term vision behind the initial release of a new Internet service.

Setting the standard for website trust
The goal behind this new trust service is as simple as it is lofty. Is it possible to create a blueprint for trust on the Internet? Can we increase safety and trust on the web by raising the bar of security best practices? Can we communicate trust in such a simple visual way that any consumer would understand? Can we promote trust between...

nicolas_popp | 16 Feb 2010 | 1 comment

As the world already knows, Google and a few other prominent US companies got severely hacked around Christmas time last year. Sophos has an interesting analysis of the exploit. Web malware and a zero-day vulnerability in IE6 were essential to the exploit.

For security folks, this was a meaningful event. The level of sophistication of the attacker was unprecedented. The attack was carefully crafted. The breach was severe. For tomorrow's cyber historians, however, the breach may prove to be a tipping point. In fact, it may even change the way the world approaches cyber security and cyber warfare. So, what makes the Google hack such a game-changer? Could it be the magnitude of the attack, the significance of the targets or even the...

nicolas_popp | 15 Jan 2010 | 0 comments

As one of the world's leading security vendors, VeriSign has been asked to discuss the top 10 most important security areas for 2010. So, ahead of my new year's resolution, I decided to indulge (after a year working heads down on a single product, it is a fun exercise to think of all the things that you have been missing out on). Although the list is far from complete, it is clear to me that there is no recession for the bad guys. In fact, it has probably never been a more interesting time to be in the security business.

Security Prediction #1:
Cloud Security (Securing the Next IT Infrastructure)

Call it cloudmania or software as a service (SaaS) hype: data, applications, and networks, the whole IT infrastructure is shifting to the cloud. With it, a large chunk of today's IT budgets will be redistributed to the next Google of the cloud. In 2010, SaaS security will be in the forefront as chief information officers ponder their increasing...

nicolas_popp | 26 Nov 2009 | 0 comments

Concerns for the security of applications run in the cloud are running high. The perceived lack of security of cloud platforms is often cited as the primary obstacle to adoption. Whether "cloud" is defined as infrastructure as a service (storage and compute services a la Amazon), platform as a service (application deployment environment a la Google App Engine), or simply as application outsourcing (SAAS a la SuccessFactor), almost everyone is lamenting the security inadequacies of these new computing platforms.

This raises the question whether cloud providers should envision becoming security companies. After all, why would CIOs ever shift their entire IT infrastructure to the cloud unless the cloud came with strong security, compliance assurance and operational risk management? Conversely, should security companies rapidly transform themselves into cloud providers? After all, why would an enterprise that has crossed the Rubicon of moving the IT infrastructure to the cloud...

nicolas_popp | 03 Nov 2009 | 0 comments

One of the key challenges in a federated authentication network is the establishment of trust between an identity provider (IDP or OP) and relying party websites (RP). In the real world, contractual agreements provide a simple out-of-band mechanism to effectively bind two parties into a trust relationship. When it comes to federated identity networks, peer-to-peer contracts between many identity providers and a myriad of relying party websites do not provide for a scalable process. Therefore, open federated networks need a trust assurance framework to bootstrap trust between the three parties (the user, the OP and the RP).

The basic idea is that if an OP can be certified to comply with a set of industry best practices, the RP should be able to enter into an open identity exchange where both the websites and the consumers are reasonably protected. Of course, a pragmatic trust assurance...

nicolas_popp | 20 Aug 2009 | 0 comments

In the coming years, many websites will contemplate adding strong authentication to account login. So far, early adopters of strong authentication have mostly been financial institutions. Since 2005, banks and brokerage firms have had little choice other than following the FFIEC guidance. This 2005 regulation mandated a move to stronger credentials than just name and password. Today, SAAS providers and large consumer Web sites are increasingly suffering brand exposure and public scrutiny following high-visibility attacks (here and there). With increasing reliance on the cloud to host mission-critical applications and sensitive data for enterprises and consumers, I would expect many large online services to begin offering stronger login...

nicolas_popp | 26 Jun 2009 | 1 comment

Although managed security services (MSS) are a relatively well understood and mature market, a few innovating startups are beginning to challenge the current structure of perimeter security. The interesting question at hand is whether the rapid emergence of cloud computing and the de-centralization it engenders challenge the whole notion of perimeter security, forcing our industry to re-invent today's approach to managed security services.

Today's managed security service providers (MSSPs) essentially offer perimeter security management outsourcing. Customers still have to buy and deploy on-premise security equipment such as firewalls, IPS, IDS and the rest. The tedious day-to-day management and continuous policy process is delegated to the cloud, but the security boxes remain. From that standpoint, today's managed security services fall short of moving the infrastructure cost and complexity of perimeter security to the cloud.