Compliance and Privacy News
Essential Reading for Today's Business Mid October 2005

in this issue
  • Strong Authentication
  • MSS
  • SmartCards
  • Discussion Groups
  • Events Diary

    Dear Visitor,

    Welcome to the Compliance and Privacy newsletter. This monthly newsletter will provide you with highlights of important and valuable information that comes our way during the month. Sponsored by VeriSign, both this newsletter and the website benefit from the remarkable insights that VeriSign's analysis of Internet traffic provides. That said, the majority of the content is from other, independent, sources - thus giving you the best of both worlds.

    We welcome feedback; if you have any comments, send them to me. In the meantime, enjoy!

    Peter Andrews
    Compliance and Privacy

    Strong Authentication

    Managing Strong Authentication intelligently
    Thanks to the increasing number of "phishing" attacks and their growing sophistication, it is no longer safe for organisations to rely on static usernames and passwords. Strong authentication adds a third component: something the user has in their possession. That may be a token that generates a one-time password, or a digital certificate saved to the desktop or to a token, used in combination with the user name and password. While one-time-password systems, such as RSA's SecurID system, are relatively cheap and easy to implement, more organisations are now looking to digital certificates because of the wider benefits they offer.
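    To make the "something the user has" factor concrete, here is an added example (not code from the newsletter or from any of the vendors it mentions) of the server side of a two-factor login: a salted password check plus verification of an event-based one-time password. SecurID's algorithm is proprietary, so the example assumes the open HOTP scheme of RFC 4226 instead, with the RFC's own reference secret so the codes can be checked against its published test vectors; the user name, password and look-ahead window are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RFC 4226 reference secret (ASCII "12345678901234567890"), used here only so
# the generated codes can be checked against the RFC's published vectors.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to the requested digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class UserRecord:
    """Server-side record for one user: salted password hash, the token's
    shared secret, and the next counter value the server expects."""

    def __init__(self, password: str, token_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = self._derive(password, self.salt)
        self.token_secret = token_secret
        self.counter = 0

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._derive(password, self.salt), self.pw_hash)


class StrongAuthServer:
    """Two-factor login: a password (something you know) plus a one-time
    password from an event-based token (something you have)."""

    def __init__(self, look_ahead: int = 5):
        self.users = {}               # username -> UserRecord (constructed store)
        self.look_ahead = look_ahead  # tolerate a few token presses made without logging in

    def enrol(self, username: str, password: str, token_secret: bytes) -> None:
        self.users[username] = UserRecord(password, token_secret)

    def verify_otp(self, user: UserRecord, code: str) -> bool:
        # Search forward from the expected counter only. Never searching
        # backwards is what stops an already-used (phished or shoulder-surfed)
        # code from being replayed.
        for step in range(self.look_ahead):
            expected = hotp(user.token_secret, user.counter + step)
            if hmac.compare_digest(expected, code):
                user.counter += step + 1  # consume this value and any skipped ones
                return True
        return False

    def login(self, username: str, password: str, code: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        # The password is checked first so that a wrong password never
        # advances the OTP counter; otherwise guesses could burn valid codes.
        if not user.check_password(password):
            return False
        return self.verify_otp(user, code)


if __name__ == "__main__":
    server = StrongAuthServer()
    server.enrol("alice", "correct horse battery", RFC4226_SECRET)  # constructed user
    first = hotp(RFC4226_SECRET, 0)
    print(server.login("alice", "correct horse battery", first))  # accepted
    print(server.login("alice", "correct horse battery", first))  # rejected: replay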

    PKI - an infrastructure for business
    A PKI (Public Key Infrastructure) has to be set up to generate digital certificates, but a study by Alladin Knowledge Systems in 2004 shows that it quickly pays off. On the one hand, authentication using digital certificates offers a very high degree of security, and on the other hand, the PKI is not only the basis for digital certificates, but also plays a central role in the security infrastructure of all companies. The PKI then provides the basis for secure and trustworthy processing of all transactions via internet, also allowing other services such as the digital signature, data encryption, issuance of digital certificates for (web) servers and time stamping.

    USB tokens
    Because virtually all PCs now in use have at least one USB port - USB-compatible tokens are an easy way to upload a digital token without the need for a bespoke card reader. The VeriSign Multipurpose Next-Generation Token was one of the first on the market. It offers both the option of one-time passwords and PKI authentication, and can also save information on a smart card. It means that if a user doesn't have a USB port or card reader to hand, the one-time password can always be used for authentication.

    Intelligent Management
    VeriSign has developed the Unified Authentication Platform to keep management simple. It enables companies to develop and manage the different types of strong authentication on a single platform. Its special advantage is that companies don't have to settle for one model in advance. They can start with a one-time password solution and later switch to digital certificates in connection with tokens or smart cards. Existing directory services such as Microsoft Active Directory, Radius, servers or single-sign-on structures can be integrated into the system and reused and it allows system administrators to manage tokens and certificates in a familiar environment


    Banks opting for Outsourced Managed Security Services

    83% of the world's largest banks openly admit that their systems were threatened last year by external attackers, according to a 2004 Deloitte Security Study of CIOs and IT security officers representing the world's 100 largest banks. And not only is the number of attacks increasing, but so too are their intensity: 40 per cent of the banks affected reported that those attacks resulted in financial losses.

    To combat today's professional and targeted attacks, banks are increasingly employing intelligent IT infrastructures. Yet security systems are often so complex that even large financial institutions find them challenging to cope with. A growing number of banks are therefore opting to outsource parts of their IT security to external service providers - a development confirmed by the Deloitte study. The trend among large, multinational financial institutions is evident: J. P. Morgan Chase, Bank of America and Deutsche Bank all opted last year to outsource parts of their IT or communication technology.

    This shift in the financial sector reached a new dimension with Managed Security Services (MSS). MSS enable financial institutions and other companies to entrust their IT security to specialists - either completely or in part. The most frequently outsourced applications currently include Managed Firewall Services and Managed Intrusion Detection Services.

    Yet some financial institutions still worry that outsourcing will leave them at the mercy of service providers. "We see our Managed Security Services as co-management not 'outsourcing' in the classical sense," said Souheil Badran, vice president, VeriSign EMEA. ""Ultimately, our clients maintain complete control over their systems. We merely provide services that companies are not in a position to perform internally - for instance the early recognition of global attack patterns, and identification and implementation of suitable countermeasures." MSS providers have a very broad perspective of attacks on the internet because they manage systems for many different enterprises, enabling them to draw conclusions on the actual threat posed by an attack. For example, by outsourcing its firewall and intrusion detection services Merrill Lynch can now reliably make assessments and initiate the right countermeasures.

    "A provider like VeriSign, which looks after many companies at once and has access to large volumes of data through its management of .com domains, has security-relevant information at its disposal like no other company. We now receive analyses of the incidents in relation to other events around the world and on the internet. This enables us to make far better decisions and to benefit from an early warning system," said David Bauer, who was then the chief information security officer at Merrill Lynch.


    Smartcards - a new resource, courtesy of The Home Office

    The UK Government has announced its intention to implement ID cards based around smartcard technology, despite claims that the costs could to in excess of 15Bn and the generally horrific track record of Government IT projects. As part of that project one of the largest ever biometric pilots was run earlier in the year, with the results being published in May. The study looked at Fingerprint, face and iris scanning/recognition of over 10,000 volunteers.

    Since then there has been a highly critical review of the costs of the project from the London School of Economics and many reviewers pointing out that ID cards would have made no difference to the outcome of the recent attacks in London.

    For those interested in IT security, what is fascinating is the volume of information available on the Home Office website

    Discussion Groups

    We've just launched a growing set of discussion groups for all the material covered by the website. They're brand new and need your contributions.

    Key articles from the newsletters and from the site itself will be dropped into the groups for discussion. And you're welcome to add your own topics, too.

    The idea of the groups is to share, informally, expertise between contributors. So feel free to ask a question, to give an answer, or simply to give an opinion.

    Events Diary

    European Banking Summit - Barcelona
    20 - 21 October 2005
    20 October:
    Presentation "The role of 'Strong Authentication' and 'Federated Identity' in the banking sector"
    21 October (morning only):
    round table discussion

    7th Secure IT Forum - London
    14-15 November Series of One to One meetings and Dinner
    Ryan Kalember speaks on: "Managing authentication across a global user community in the Implementing Security on a Global Level"

    Quick Links...


    Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.