The annual RSA Conference, expected to draw 15,000 security professionals and more than 325 vendors from around the world to San Francisco's Moscone Center exhibit hall, kicks off this week with keynotes from industry luminaries Bill Gates and Larry Ellison.
Microsoft Chairman Bill Gates, accompanied by Craig Mundie, chief research and strategy officer, is expected to tout the security of Microsoft's new Vista operating system, plus how e-commerce can improve if Web sites make use of the industry's new Extended Validation Secure Sockets Layer (EV SSL) certificate for authentication.
The EV SSL certificate causes the visited Web site's URL address to glow green in the Microsoft Internet Explorer 7.0 browser to indicate the Web site is legitimate, not a phishing site. VeriSign and Entrust are the first public certificate issuers to make it available.
So far, few sites other than PayPal are known to be making use of the EV SSL certificates, which require the certificate issuer to go to some effort to verify the identity and business affiliation of an individual requesting one.
"We confirm every piece of information independently," says Tim Callan, director of product marketing at VeriSign, which in December began selling the high-assurance EV SSL certificates for US$995.
VeriSign's more "general-purpose certificates," which don't display the green URL bar with the IE 7.0 browser and don't require the same investigative checking, cost $400. The drawback of conventional certificates is that they don't provide users with any effective warning and sometimes are issued without enough information about the certificate buyer's identity.
Callan says that while Microsoft has the first browser to support EV SSL, the Mozilla Firefox and Opera browsers are expected to support EV SSL green-light authentication.
Entrust this week plans to announce that it is selling EV SSL certificates for $495, in comparison with $159 for its standard SSL server certificate.
While certificate-issuing organizations anticipate quick adoption of the more expensive EV SSL server certificates with their antiphishing "green-light-go" feature, some e-commerce companies say they're not in a hurry to use them.
"We'll be evaluating the EV SSL certificate this year, but, no, we don't plan to use it right now," says John Millican, chief information security officer at online travel firm Expedia.
When Oracle CEO Ellison takes the stage at the RSA Conference for his keynote, his topic is expected to be identity management and Oracle's approach to providing customers with application and system-management administration, configuration, provisioning and monitoring.
In addition, Oracle plans to announce this week Oracle Management Pack for Identity Management, server-based software used for network discovery, monitoring, service-level management and configuration of Oracle and non-Oracle products, including directories, authentication servers and provisioning software.
The executive keynotes don't stop with Gates and Ellison. Conference attendees will also hear from Art Coviello, formerly CEO at RSA Security, who became executive vice president at EMC and president of EMC's security division RSA after EMC acquired RSA last year; John Thompson, Symantec's chair and CEO; John Swainson, CA's CEO; Gene Hodges, CEO of Websense; and Stratton Sclavos, chair, president and CEO of VeriSign. In addition, RSA at the last minute has decided to add one more keynote speaker: Gen. Colin Powell.
Beyond the RSA keynotes, the action at the conference will take place in the 220 conference sessions, which range from network-access control to mobile-phone malware to VoIP and encryption. There, corporate CSOs, vendors and independent experts can be expected to weigh in on what they think works, and what doesn't.
Product launch pad
The RSA Conference has become a launch pad for security products. Check Point is expected to have in the exhibit hall its line of UTM-1 appliances released this week, which integrate firewall, VPN and intrusion-protection systems. The Network World Lab Alliance, which took a look at the UTM-1 450 model designed to support 250 simultaneous users, provides a review.
Also at the conference, network access control will make a splash with TippingPoint and NeoAccel both announcing their first NAC products and with NAC vendors Vernier and Mirage announcing compatibility with security products from Microsoft and IBM, respectively.
TippingPoint is announcing NAC Policy Server and Policy Enforcer elements that combine with its intrusion-prevention gear to continuously monitor traffic flows on the network and weed out those that are unauthorized. Pricing for the NAC gear has not been set.
NeoAccel is introducing an appliance that can allow a device onto a network but then block it from running unauthorized applications.
Called NAM-Plus, the appliance performs a preadmission scan of devices as they log in to the network. If they pass, the NeoAccel product applies a preset security policy to the device via client software downloaded at the start of the session. The client software can blacklist certain applications so they are blocked at run-time, or it can put applications on a whitelist. If the client has a policy to disallow instant messaging, it will block it. Applications not specifically addressed in the policy can be referred to the NAM-Plus policy engine for resolution or to a network administrator.
The latest version runs multiple scanners in parallel, which reduces scanning time. According to Qualys CEO Philippe Courtot, the feature means that large networks that formerly would require two days to scan could now be scanned in eight hours.
Courtot adds that VeriSign will be reselling Qualys technology.
In addition, Qualys is broadening how QualysGuard produces reports, orienting them to reflect auditing, compliance and business management, rather than simple technical concerns. "We want to speak the language of the auditors and security-compliance people," Courtot says.
Several vendors will be making announcements related to host-based security.
CA is announcing the Host-Based Intrusion Prevention System. According to Sam Curry, vice president of security management, the Windows-based endpoint software, which starts at $40 per seat, uses behavioral analysis to block malware attacks. The software requires a separate management console from that used by CA's antivirus and antispyware software, but the intent is to eventually unify management consoles, Curry notes.
Also at RSA, Finjan is set to unveil a free browser plug-in called SecureBrowsing, which alerts users to potential malicious content hiding behind links of search results, ads and other selected Web pages.
CTO Yuval Ben-Itzhak says, "The URL showing in your browser will be sent to our remote server and return with a safety setting - red light or green light." The SecureBrowsing freeware, set to be available in March, will work similarly to Finjan's Vital Security Web Appliance used by enterprises.
Separately, Sophos plans to unveil the ES1000 e-mail security appliance for as many as 1,000 users. It is expected to ship in April.
In addition, Sophos is expected to detail its network-access control and antimalware strategy for Symbian-based and Windows Mobile 5.0 devices.
Competitor Kaspersky Lab is expected to announce its antivirus products for Symbian and Windows Mobile 5.0 devices.
At the RSA Conference, McAfee will make its foray into the data loss-protection market with software designed to guard sensitive information from unauthorized access and transfer at the network, desktop and notebook levels. Called the McAfee Data Loss Prevention Host, the new software monitors data leaving the network via e-mail, instant messaging, printed documents, USB drives, CD-ROMs and other methods, officials say, and will give administrators the option to block the operation, alert the user or monitor activity. Pricing is set per user; for example, an organization with 5,000 to 10,000 users would pay $47 per user.
Mirapoint will introduce what it says is an industry first: a version of its RazorEdge e-mail security appliance that slides into an IBM BladeCenter. Slated for availability in the second half of the year and priced starting at $4,800, RazorGate on IBM's BladeCenter will offer all the e-mail security features of Mirapoint's stand-alone RazorGate appliance, but with the scalability, low-power consumption and space-saving benefits of a blade server, officials say.
Other planned announcements include:
* Ingrian Networks' file-system tools for encrypting unstructured data on corporate servers.
* Paraben's P2 Enterprise Shuttle, a $7,000 tool for collecting forensic evidence.
* Mirapoint's RazorGate e-mail security appliance that slides into IBM's BladeCenter.
* Voltage Security's Voltage Secure Mail 3.0, the company's updated mail-encryption product for improved centralized management of multiple devices; and a new encrypted e-mail service, Voltage Data Protection, scheduled to be available in the second quarter.