to help enterprise security across Europe
The resource centre for busy senior executives seeking the latest insights into IT Compliance & Privacy issues for major organizations
sarbaines oxley ofcom communications regulator
Latest Resources      data protection register
compliance resources privacy resource center

Breaking Global News
Global Compliance and Privacy News
- Breaking News, updated every 30 minutes
•   Compliance, Privacy and Security
•  Money Laundering
•  Phishing
•  Regulatory Issues
•  SOX, Basel 2, MiFID

You Tell Us:

We use SSL Technology for web data entry points:

What is SSL?

Are Smartphones Endangering Security? - Wick Hill
Dealing with Internet Security Threats - Ian Kilpatrick
How the New EU Rules on Data Export Affect Companies in and Outside the EU - Thomas Helbing
Farmers' Data Leak Highlights Old Technology Use - Wick Hill
Saving Money with SFTP - Wick Hill
UK Information Commissioner targets firm selling vetting data - Eversheds e80
12 Key Steps to Internet Security - Wick Hill
Telephone Monitoring Legality in the UK - Dechert
Firewall or UTM - Wick Hill
UK Information Commissioner demands mobile device encryption - Eversheds e80
Data loss - liability, reputation and mitigation of risk - Eversheds e80
Phorm, Webwise and OIX - BCS Security Forum
The challenges of PCI DSS compliance - Thales, Russell Fewing
"Quality" Data Vendor Spams us! Editor astounded!
National Gateway Security Survey 2008 - Wick Hill
Unified Threat Management - Watchguard Technologies

news archives
0 | 1 | 2 | 3 | 4 | 5 |
6 | 7 | 8 | 9 | 10 | 11 |
12 | 13
[What is this?]

Industry Blogs
Tim Berners Lee's Blog
Tim Callan's SSL Blog
Davis Wright Tremaine's Privacy & Security Law Blog
Emergent Chaos Blog
Michael Farnum's Blog
Phillip Hallam-Baker's Blog - The dotFuture Manifesto: Internet Crime, Web Services, Philosophy
Stuart King's Security and Risk Management Blog
David Lacey's IT Security Blog
Metasploit Official Blog
Jeff Pettorino's Security Convergence Blog
Jeff Richards's Demand Insights Blog
David Rowe's Risk ManagementBlog
Bruce Schneier's Security Blog
Larry Seltzer's Security Weblog
Mike Spinney's Private Communications Blog
Richard Steinnon's Threat Chaos Blog
The TechWeb Blog
Tim Trent's Marketing by Permission Blog
Rebecca Wong 's DP Thinker Blog

23 February Newsletter
Newsletter Archives are located in "News"

Industry Update
Internet Security Intelligence Briefing - November 2005
Find out the latest trends in e-commerce, web usage & the latest threats from adware/Spyware

Phorm, Webwise and OIX
- BCS Security Forum

'The Any Era has Arrived, and Everyione has Noticed' - Stratton Sclavos - VeriSign
Identity Security - Time to Share
Malicious code threats - iDefense
Public Alerts - updated as they happen from
Public Alerts - updated as they happen from Websense
Public Advisories - updated as they happen, from iDefense
Phoraging - Privacy invasion through the Semantic web: a special report by Mike Davies of VeriSign

Privacy Laws & Business International E-news, Issue 57
Privacy Laws & Business UNited Kingdom E-news, Issue 60

Security Reviews
February 2007 - VeriSign Security Review
The security review archive is here

Case Studies
Finance Industry
Case Study Example

A case study on a Finance industry company.

White Papers
VeriSign® Intelligent Infrastructure for Security
VeriSign® Intelligent Infrastructure: An Overview
Identity Protection Fraud Detection Service - description of the service
Life of a Threat - Video on Threat Management Lifecycle
Optimizing Enterprise Information Security Compliance - Dealing with all the audits
For a full list of all whitepapers, visit our Whitepaper library

Legal Notices
Privacy Policy
Terms of use

basel 2 sarbanes oxley
data controller notification binding corporate rules BCR data transfer third countries third part data transfer basel 2 regualtor regulation regulate FSA banking network security RSA encryptin algorithm Bits sacked bank staff
Blogs compliance Reports compliancy Legislation Data Protection Case Studies data privacy White Papers data protection act News information commissioner Events security standards Links information security iDefense
Retail Solutions

VeriSign's Sclavos: "enable and protect interaction"

compliance and privacy

Current News Updates

VeriSign's Sclavos: "enable and protect interaction"

A slogan of the multinational VeriSign is: "enable and protect interaction." To this end, the company focuses on security and authentication, but also on guaranteeing the stability of the Web domain system. According to its president, Stratton Sclavos, "It is unclear how governments are evolving on issues of identification." In an interview with Navegante, Sclavos explained his new universal identification system for the Web, called VIP. This comes at a time when Spain is betting on the Internet with its new electronic NID (National Identification Document).

He also reviewed new Internet threats, such as "pharming," reminding us that security depends on the precautions we take, just as it does in the real world.

Question: What are the new threats and new security strategies?

Answer: Society is migrating toward a digitalized world. The Internet has been operating for more than 10 years now, and we're migrating from traditional to electronic commerce. Obviously, it's not surprising that money is also moving to these new kinds of transactions. There are also an increasing number of attacks, and they're more sophisticated. We believe we must take action on two fronts: on one hand, develop new, improved tools to block and prevent these attacks, and on the other, increase user education. We have to realize that in the same way that we take certain security precautions in the real world, such as padlocks and deadbolts, we must also take precautions in the digital world.

Q: Regarding new threats, what are the trends for the immediate future?

A: "Phishing," which we consider a "direct attack," is still a problem, but now we're seeing that users are becoming more knowledgeable and are not so easily fooled. The new attacks are coming from "pharming," such as "Keyloggers," for example - computer programs that observe and record information from one computer and send it to possible attackers without the user ever being aware of it. We consider these potentially more dangerous precisely because the user usually doesn't have enough technical knowledge to know that his or her computer is sending this information.

So, we believe that "pharming" is the new big threat we must face on the Internet, and we are one of several companies developing tools that can block computers and not let them connect to the Internet unless they are "clean."

Q: Do those tools now exist?

A: They exist for companies and businesses. Where they haven't been developed yet is for home use, for private individuals, and more work needs to be done on that.

Q: When will it be available to consumers?

A: Yes, well, there are some now under development, not only by VeriSign, but by other companies like Microsoft and Cisco.

Q: How important is authentication in VeriSign's global operations?

A: VeriSign's security business is about $400 million a year, of which half comes from authentication. So that's $200 million a year.

Q: With regard to that, could you explain what the VIP (VeriSign Identity Protection) network is - the concept and how it works?

A: Well, we started our business as a website authentication firm, and later we worked on authentication of computers, and for 10 years now we've been looking for an effective way to identify people; consumers. That's VIP. We got the idea from the banks. Before, the first bank cards worked only at the ATM machines that belonged to the banks that had issued them, but later, networks were set up that would let you use the same card at different ATMs (VISA, MasterCard, etc.) The VIP idea is the same: using a single device, you can operate on any website that uses the VeriSign verification system. Plus, you need only one device instead of a dozen cards for different operations on the Web. It's very easy for consumers to use, and it's quite inexpensive.

Q: How does the device work?

A: Most of the system's complexity is on the Web, which is something new, so it's very easy for the consumer. For example, this is a device in the form of a token, which is also a 256Mb flash drive. If we press the button, a number appears that is always different from the previous one. It stays on the screen for 30 seconds, and that is our key for operating on the Web at a given time, which is linked to the user name and password. The way the device communicates with the VeriSign network, as well as the rest of the information it sends, is secret, and guarantees that the system will work.

Q: And what is the price?

A: In the U.S., this token can cost about $20, although that price may go down -especially for volume orders. We're also working with cell phone manufacturers, for example, Motorola, to have it added to some models.

Q: When will the first cell phone with this system come out?

A: We hope it will be on the market by the end of this year. In fact, Spain is actually a very strong market, with a growing number of broadband and "online" banking users, and we believe this market offers us a great opportunity to offer our services.

Q: Have there been talks with any Spanish banking entities?

A: Yes, we've been talking with one group for three months. But I can't go into that right now.

Q: We talked about authentication at a time when we are implementing the electronic NID (National Identification Document), which is the public way to verify a citizen's identity, and which will also allow "online" transactions because of its electronic signature, which is guaranteed by the national government. What is your opinion on this? Do you think it will affect your prospects in any way?

A: The VIP network is what's called neutral technology. It can be found as a device like this token, but also as a card that you can press your thumb on to generate your code. What the electronic NID will do is say who you are on a national network, but its validity will be limited to the national level. The VIP network contributes added value to international trade. Banks, for example, demand this additional authentication for critical operations on the Web. The code generated by the VIP network, in addition to the user name and password, serves as that additional guarantee.

Q: But wouldn't an electronic passport, also generated by the national government, fulfill the same function?

A: It's just that it is unclear how governments are evolving on issues of identification. I believe that both governments and the private sector are always looking for ways to perfect identification and verification systems, because the need exists. VeriSign's strategy is to create a global, worldwide system that's private but very flexible, one that will work for both public and private networks. Also, every country has different policies, so that an electronic NID is being introduced in Spain, but not in the U.S., and Japan has its own system.

Q: With this system, if you lose your national health insurance card, for example, what guarantees does the system provide? Because I understand that in the end, security is more of a personal issue than a technological one.

A: One of the big advantages of this system is that because it's managed over the Web, it's very easy to invalidate a card or device immediately.

Q: VeriSign has recently announced acquisitions such as M-Qube and Kontiki. What does this mean for the group? What is its strategy?

A: VeriSign's strategy is simple: We look at the market and see how the world has changed and how we are relating to each another, how business or recreational activities are changing. These new acquisitions focus on services that aid in this transformation, specifically, new forms of digital entertainment, such as for example, cell phone ring tones and songs, games played on cell phones, as well as broadband video games, movies....

Q: And what does that have to do with VeriSign's business?

A: Well, VeriSign was created in 1995 as a supplier of security tools. From the beginning, it looked for new lines of business. It was the first company to provide security services over the IP network. During the 10 years since the company's founding, we've tried to develop other services and include them in our offerings. For example, Google's purpose is to organize all the information available on the Internet, and VeriSign's slogan would be to "enable and protect interaction." These new acquisitions are aimed at interactive services, possible new interactions, and that's the rhyme and reason of these purchases.

Q: Your company manages the ".com," ".net," ".cc" and ".tv" domains. You recently reached a controversial agreement with ICANN, by which VeriSign is assured exclusive management of ".com" domains until 2012, with annual price increases of 7%, which will begin to be applied in two years. VeriSign will also be given preference for renewal rights to this agreement. What do you have to say in answer to criticism from other companies aspiring to manage these domains?

A: I think it's very hard for the general public to understand the enormous complexity involved in managing domains as extensive as ".com". There are 50 million ".com" domains in the database, and as many as 15 billion requests. This complex and immense system must always be 100% functional - it cannot fail, regardless of growing threats. We have been managing all of this for eight years now and have never had a failure. Recent reports indicate that we receive more DNS attacks than anyone else; we're the number one target. That's why we have to increase our investments. We feel that the price increase is very small (from about $6.00 to between $7.00 and $7.50). It's a small price to pay for the cost of providing this quality service. In my view, Internet security and stability are more important than a small price increase.

[This interview has been translated and supplied by VeriSign, sponsors of Compliance and Privacy, from the original Spanish article by Pablo Romero which appeared in El Mundo Navegente on 29 March 2006]

Discuss This Interview


This site is independent of all its sources
The contents of the site are sourced from across the industry. All copyrights are acknowledged.