SAN JOSE – Trust was the watchword in Bill Gates’ keynote speech, which opened the RSA Security Conference here yesterday. And he laid out a wide-reaching, four-pronged plan to improve trust and security in what he calls an ever-increasingly digitized world.
The security industry needs to help companies create trusted relationships with partners and customers, the Microsoft chairman and chief software architect told a packed audience of security professionals. And companies need to be able to trust the security of the code they’re using.
And smart cards, which Gates has promoted for years, are part of his latest plan to help users tread the fine line between trusted authentication and privacy concerns.
Gates’ plan for the future of security was long on vision and short on details. He talked about four initiatives: creating a trusted ecosystem, building more secure code, striving for simplicity, and building ‘fundamentally secure’ platforms.
He also announced a few new features in the upcoming Windows Vista client operating system, which include smart card support, changes to Internet Explorer and a new identity technology that he called InfoCard.
“All together this will create a trusted ecosystem,” he said. “Secure code, devices and users… It’s a big challenge to make sure security is not the thing that holds us back.”
The Ultimate Question About Identity
Gates wasn’t the only one championing trusted relationships — whether they be between users, partners or applications.
Art Coviello, chief executive officer and president of RSA Security Inc., and Scott McNealy, chairman and chief executive officer of Sun Microsystems, followed Gates with their own morning keynotes at the security conference that is drawing in 14,000 attendees this year, according to an RSA spokesperson.
“Who are you?” asks Coviello. “In the world of business, even the most basic transactions start with that question… We need to help people answer that question.”
And both Coviello and Gates say part of being able to do that will include the widespread — however long-awaited — adoption of smart cards.
“In terms of authentication, passwords are increasingly the weak link,” says Gates. “We need to move to multi-factor authentication. A large part of that will be smart cards.”
Gates, however, is far from the first industry luminary to talk about the coming demise of the password and the rise of the smart card. So far, the death knell has not rung for the password, and the smart card, at least in the United States, has failed to catch fire.
Gates and Coviello both say that is about to change.
Smart cards won’t only be used for logon authentication. They’ll also be used to make online transactions easier and safer. Microsoft is banking on it. The upcoming InfoCard technology will be used, Gates notes, to authenticate users to various websites they do business with. The cards will offer up varying levels of information about the user, giving the least amount of information needed.
This is designed to help companies and individuals walk the fine line between users’ privacy concerns and the need to authenticate their identities.
“I’m forsaking some elements of my privacy,” Coviello said. “There’s that friction between authentication and privacy… We are reaching the time when digital identification must decrease this friction.”
Coviello explained that every transaction does not call for the same level of authentication. A simple transaction might only call for a name and membership number, whereas an online application for a bank loan or a money transfer would call for absolute identification.
“For too long organizations have blended into a one-size-fits-all identity scheme,” Coviello said, “rather than find a well-fit approach to each transaction. We can take a layered risk-based approach.
“All the parties involved need to have confidence,” he adds. “They’re choosing convenience over security [today]. How long do you think it can go on this way?”
Security Breeds Confidence
That confidence is hard to come by these days, said Sun’s McNealy, who showed the audience part of an email he received from a company stating that they had his name and Social Security number on a laptop that had been stolen. “It’s a big issue and it’s a personal issue for every one of us,” he said.
McNealy also noted that several million people are being added to the Internet every week, and 390 gigs of content are being created every second. People are buying 200 million cell phones every quarter.
“Pretty soon, you’ll face your cell phone out and you’ll videotape your whole day,” he said. “It’s going to get scarier if we don’t come up with technology and rules to secure that data.”
Part of the problem in securing that data, according to McNealy, is the “hodge-podge” of technologies linked together to build data centers that more resemble Frankenstein monsters than secure systems.
“You’ve got 87 suppliers, half of whom have been bought by Oracle recently, and you wonder why you have security problems,” he told the audience. “I always argue that computer security is more screwed up than any other industry out there, except health care — and they kill everyone eventually. So the bar is pretty low.”