Security Experts Gather

SAN FRANCISCO -- Security is a hot topic in technology circles, and for proof, one need look no further than the buzz surrounding this year's RSA Conference, an annual gathering here focused on information technology security.

Once the exclusive province of cryptographers, the annual RSA Conference has grown and diversified in recent years along with the IT security industry itself. This year's conference reflects heady times for that industry, with a high-profile keynote address by Microsoft Chairman and Chief Software Architect Bill Gates, swollen attendance figures, and a gaggle of product news from companies looking to build bridges between their products and those of competitors.

Targeting Trouble Spots

Weary after a year punctuated by major outbreaks of worms such as Blaster, Sobig, and MyDoom, more than 10,000 attendees are expected. An estimated 250 exhibitors are displaying technology to stop malicious hackers, viruses, and other online scourges, according to Sandra LaPedis, area vice president and general manager of RSA Conferences, a division of RSA Security.

Attendance at this year's show is expected to be up by about 20 percent over last year, due in part to Gates's appearance at the show, an improving economy, and a sustained interest among companies and the public in computer security topics such as viruses, spam and identity theft, she says.

Conference organizers have also changed tactics to try to broaden the appeal of the show. They've added a separate discussion track on identity and access management and a new private Executive Security Action Forum for Fortune 500 chief information officers (CIOs) and chief information security officers (CISOs), LaPedis says.

Dozens of companies, large and small, are planning product announcements to coincide with the conference. The need for better security management is the dominant theme.

VeriSign, IBM, and others are backing a new program to develop an open standard for strong, multi-factor authentication that can be used across the Internet.

VeriSign is announcing an initiative called the Open Authentication Reference Architecture (OATH) that will replace the patchwork of proprietary user authentication products. It is intended to allow users to seamlessly access services on corporate networks and the Web, VeriSign executives say. IBM says its Tivoli Identity Management product will support the new OATH architecture.

Product Announcements

Sun Microsystems is also planning to announce changes to its product line that are intended to make network security easier to manage.

Calling its new security model "Infinite Access," the company plans to announce integration of its Java Card technology with a wide range of the company's other software. This closer integration will provide strong, multi-factor authentication "out of the box" (without requiring custom integration) for users of Sun's Java Desktop System, its alternative to Windows, says Rama Moorthy, manager of Sun's Security Marketing and Strategy group.

The idea is to make security ubiquitous, invisible to users and easy for businesses to use, Moorthy says.

Sun also plans to announce closer integration of its identity management product, the Java System Identity Server, with Microsoft's Active Directory Server. A new version of the Java System Identity Server that incorporates technology acquired with Sun's purchase of WaveSet features improved lifecycle management for user accounts and will allow customers to directly manage accounts within Microsoft's Active Directory Server using the Java System Identity Server, she says.

Other companies are using RSA to announce new versions of their products that work better with other security management technologies.

Qualys plans to announce integration between its QualysGuard vulnerability testing service and security event management products by ArcSight, GuardedNet, and Network Intelligence. The integration will let customers using those products correlate vulnerability information from QualysGuard with intrusion detection systems (IDS) and firewalls to provide a single view of network security, a Qualys spokesperson says.

Management View

Tripwire, which makes software to monitor changes in computer configurations, says it is upgrading its server management product. Tripwire Manager 4.1 will be easier to use with other enterprise management software such as Hewlett Packard OpenView and IBM Tivoli, the company says.

A new company, Skybox Security, is unveiling its product, called Skybox View, which is described as an enterprise risk management platform. Based on attack simulation technology developed at Dartmouth College's Institute for Security Technology Studies, Skybox View creates an integrated security model of an organization's network that maps network scanners, firewalls, and routers, as well as considering management systems and security policies. The product then launches simulated attacks against them to identify likely access paths for attackers, the company says.

Also on the management front, firewall maker Zone Labs is announcing a new version of its Integrity security policy enforcement product, Zone Labs Integrity 5.0. The new integrated firewall and security policy management product features tighter integration with Check Point Software Technologies firewalls and virtual private network products so companies can limit network access to machines that comply with specific security policies, Zone Labs representatives say.

Finally, the Organization for the Advancement of Structured Information Standards (OASIS) plans to announce growing support for its emerging AVDL (Application Vulnerability Description Language) standard, which allows security products from different vendors to share data about software vulnerabilities.

The OASIS AVDL Technical Committee has completed the first specification for the standard and will submit it to OASIS for approval in March, says Brian Cohen, CEO of SPI Dynamics and a member of the AVDL Working Group.

AVDL will be a common language among disparate security products and, when widely adopted, will set the stage for closer integration between vulnerability detection systems and automated patching and remediation products, says Wes Wasson, vice president of marketing at NetContinuum, another AVDL Working Group member.
