RSA solves your company's identity crisis

CEO Art Coviello explains the importance of security standards and identity authentication

AS A FOUNDING member of the Liberty Alliance and a driver for the SAML (Security Assertion Markup Language) standard, RSA Security is actively involved in finding ways to secure business transactions. CEO Art Coviello met with InfoWorld Test Center Director Steve Gillmor and InfoWorld editors to talk about the strategic importance of security standards for Web services and explain the differences between identity management and authentication.

InfoWorld: Can you give me an update on the strategic initiatives around RSA these days?

Coviello: Strategic initiative No. 1 is to work our way through this IT and IS recession. [The economy] seems to be picking up some momentum, so that's the good news. Then we're hoping to get back to profitability this quarter -- that would be good as well.

People tend to look at the security market [as] one big homogeneous pot. It's like saying Enterprise Software is one big thing when everyone knows that CRM and ERP are totally different. The same is true in security. The security that RSA does enables people to do things, as opposed to preventing people from doing things. We provide trusted identities to people. We define the privileges or access rights that they get. We ensure that their information is private and confidential. And most importantly, we give them a digital record or digital receipt that [verifies] the transaction or flow of information actually took place. That has been critically important historically, but it's going to be even more so as more applications become Web-enabled and as Web services start to take hold.

The big strategic thing that is happening right now is the definition of standards around Web services and around security standards for Web services. We're integrally involved in that through our association as a founding member of the Liberty Alliance and as one of the drivers for the SAML standard. The Liberty Alliance is basically designed to create a standard for federated identities so that your identity can be passed to multiple Web sites and be recognized. Creating that standard would allow RSA to create a security solution that makes that identity a trusted identity. It's a very important development, not only for commerce on the Internet but [also as] an opportunity for us to provide a secure solution for these identities.

InfoWorld: It seems that everybody has been jumping into the identity management business lately. What's driving that interest and what's RSA's unique position in that space?

Coviello: Identity management is more than just the provisioning and creation of an identity. Where RSA adds tremendous value ... is adding the trust, the verification that you are who you say you are. We do that with a combination of technologies: time synchronous tokens, digital certificates, and the ability to manage biometric information if that's one of the ways you use to establish [identity]. It's obviously a heck of a lot more than just creating an identity. It's also more than creating a digital certificate. It's managing those identities, protecting those identities, and making sure that people can trust that that identity is really you. That's a heck of a lot of value to be able to add.

InfoWorld: What is the difference between what you do and what identity management companies do?

Coviello: I'll give you a for-instance. To get an identity at a company, you'd go to the HR organization and you'd sign up and your name would go in a database. So [for] most of these companies that are doing identity management, it's really about provisioning. It's about giving somebody an identity in the first place that goes across multiple databases so that you don't have to re-provision somebody into multiple Web sites or multiple databases for multiple applications. That's what most people mean by identity management. What we're talking about, in terms of RSA's value-add, is once that identity has been proliferated, how can the person whose identity that is prove it's really them when they go to engage in a transaction online or go to access some information? This has been done historically through use of static passwords, which can be easily hacked. RSA has a combination of technologies that allow people to have a strong authentication that they are who they say they are.

InfoWorld: So to combine identity management and authentication would I have to combine one vendor's identity management product with another's authentication stuff and introduce all this disconnect between different solutions?

Coviello: Not necessarily. A lot of what we do would tie into provisioning-type applications. We use directory services ourselves and we have elements of identity management in what we do. It's a very interdependent world and there's no application that does everything. It's our job to make sure that we work with things like Microsoft's Passport or any other means of provisioning or generating an identity through the use of agents and through the use of standards like [those] being created through the Liberty Alliance. Admittedly, you might have to go to a couple of places, but vendors have to recognize the interdependence of their roles in applications. That's why the Liberty Alliance is such a good thing, because it's a bunch of vendors coming together to create a standard for creating identities. Then people like RSA can add value around it.

InfoWorld: So what is RSA going to do specifically around Web services in identity?

Coviello: One of the things that we're working on is the SAML, which is a standard for passing on these identity credentials [and] privileges. Not only proving that you are who you say you are, but [verifying] what you get to do, what your authorizations are. For instance, as a purchasing person, you have the ability to sign off on [certain items]. These assertions can be passed along using this standard and understood by other applications that comply with the standard. RSA would be providing the material that would go into the SAML assertion. Not only the trusted identity but also, with our Web access management product RSA ClearTrust, we have an authorization engine that defines what rights and privileges you have and signs you on to multiple applications across the Web.

InfoWorld: Are people confusing provisioning and authentication?

Coviello: There are definitely elements of confusion. That's why it's good to have a conversation like we're having right now. Provisioning is giving somebody an identity. Authentication is proving that the identity is valid. I think they're separate things.

InfoWorld: Where does this fit into the portal space? Will RSA deliver a portal or will you partner with everybody in the portal space?

Coviello: We have very active partnerships with BEA, Plumtree, and others in the portal space. Epicentric is another. Web-enabled applications won't roll out as fast as they might unless people have confidence that they can be trusted. And we won't roll out much in the way of trusted identities and Web single sign-on if there aren't portals that are being implemented in Web applications that have been developed. So there is certainly that mutual dependency.

InfoWorld: How much has the advent of Windows 2000, with directories actually deployed, changed your business?

Coviello: Actually, it helps us enormously. Each one of our applications -- the identity module, the provisioning, the Web access module, things like digital certificates -- all can work in a directory environment, so that you don't have to have different definitions for each one. The directory can point to the appropriate database to go get all of the information for one person. It will greatly enhance the ability to implement these applications efficiently and quickly.

InfoWorld: Certificates have had a real problem achieving a critical mass. Why is that and what are you doing to help solve that problem?

Coviello: Great question. First of all, no one implements public key infrastructure, in the sense that they say, "Gee, I guess I need a public key infrastructure today." They have a problem that needs to be solved, and [the reason] why a public key infrastructure is such a good technology is it can give someone a digital identity. It can be used to create a digital signature. It can be used to create an encrypted link between the client and the application. And it scales to millions of users. It's a neat technology.

The problem to date is that the place where you want to have these digital identities [and] digital signatures [and] all of these encrypted links is on the Internet. And there have been precious few significant enterprise applications that have been put on the Internet. Most people have ERP [and] CRM applications installed, but they don't have Web-enabled versions of them. The trouble with installations of public key infrastructure is they've been done in client/server environments. A client/server application wouldn't understand an identity certificate from the rear end of a truck, whereas every single browser is built with the capability to understand a digital certificate. So the place where they're most necessary to provide security -- across the public Internet -- is also the place where they're most easily usable. [But] to date they've been installed within companies, where you have to make custom agents to get them to be understood in client/server environments.

We have actually stopped selling our client/server version of PKI and are totally devoting our work in that area to Web applications. Not only can we create the digital identities, but we can protect them on a secure server, download them with a browser plug-in for the time they're being used, and then the certificate basically goes back to the server as soon as the session ends and doesn't stay on the desktop. Or, if you choose, we have smart card middleware where the digital certificate could be placed on a smart card and be protected in that fashion. But if you did that you'd need the smart card reader infrastructure. Either way, we would be able to help you generate the digital certificates, manage them, send them down to the browser for the session in which they're being used, and protect them either on a secure server or on a smart card.

InfoWorld: How do you extend that model out, because there's a lot of concern these days emerging around the whole area of digital rights management?

Coviello: That's another very good question, because a digital certificate can be used not only to identify a person but also to identify a device. We're seeing digital certificates being used in cable modems, for instance, so that the services only go to a particular cable modem. They can be used in all sorts of entertainment devices so that the access and use of the intellectual property or the service being generated can be defined down to a particular device that is identified with the digital certificate. It's a pretty neat use of the technology, and we're seeing more and more instances of that happening. We recently did a deal with a very big Japanese technology company, whose name we can't disclose, that is OEMing our certificate authority to generate certificates in a number of their products.

InfoWorld: Are you talking to Microsoft about Palladium and its implications for RSA?

Coviello: Microsoft has lots of things going on. We try and add value to Microsoft whenever and wherever we can. [We] try and save them from some of their worst problems, I hope. Clearly in identity management they've got a big role to play. Clearly in commerce and in Web services they've got an incredibly big role to play. Our job is to add value over and above what they do. Quite frankly, if we don't figure out how to do that, then shame on us, because we work on security 365 days a year and Microsoft has lots of different applications and they've got to be working to make sure that there's security in all of those. We can add value around that. Clearly, we operate in a heterogeneous environment, whereas Microsoft obviously likes to work in a Microsoft-only environment.

InfoWorld: What's the thing you're trying to move forward from a technology perspective, rather than just the economics of the business?

Coviello: In the past several years, through internal development and through acquisitions, we have assembled a fairly strong cluster of technology. What I'm looking forward to is bringing those products and technologies closer together so that we've got one basic platform on which we put all of our security applications -- so that customers get a consistent user interface, consistent GUI, consistent administration, one database to look to, a directory that ties things together nice and neatly. We're well down a path to do that. We do that in conjunction with the formation of these standards. I think as we come out of the recession, we're in better shape strategically than we've ever been in the company's history and are in a position to take advantage of what most industry pundits believe will be the next big wave of security, and that's enablement. That's trusted identity and privilege definition for Web access.

InfoWorld: Is RSA going to be involved in any of these Homeland Security initiatives?

Coviello: We're very deeply tied in, in an advisory capacity. [The government has] done a good job talking to vendors and trying to understand what is the commercial off-the-shelf capability that they can avail themselves of. We're doing a lot of educating down [in Washington] and spending a considerable amount of time, and naturally have to work with the systems integrators. We're establishing closer and closer ties with them as well. So it should be a pretty interesting story. Smart cards are going to be big there. Quite frankly, use of digital certificates with smart cards is going to be big.


Copyright © 2002 IDG Communications, Inc.