In The Boardroom With...
Mr. Jim Reno
Chief Architect, Security
SecuritySolutionsWatch.com: Thank you for joining us today, Jim. Before discussing CA solutions in greater detail please tell us about your background.
Jim Reno: I’ve been working in the security space for about 15 years, mostly in the areas of identity management and authentication. I helped create the 3-D Secure protocol used in Verified by Visa and Mastercard SecureCode as an additional authentication factor for online transactions. I joined CA as part of the acquisition of Arcot Systems in 2010. At Arcot I led the development of products that provide multifactor and risk-based authentication. At CA I guide the overall architecture of our Security portfolio.
SecuritySolutionsWatch.com: We understand CA is closely involved with the FIDO Alliance. Please tell us about FIDO and CA’s participation.
Jim Reno: CA joined the FIDO Alliance last year to improve user authentication and solve some of the big problems leading to breaches and user dissatisfaction. We’ve been looking at how the FIDO specifications can work with our own security products; for example, we demonstrated FIDO integration with CA Single Sign-On, our SSO and federation solution formerly known as CA SiteMinder.
SecuritySolutionsWatch.com: Breaches at Target, Home Depot, JP Morgan, UPS, and the recent theft of over one billion passwords by Russian hackers have raised concerns about authentication and cybersecurity as never before. What is your perspective, Jim, regarding these recent cyber attacks and breaches? Are we seeing the prediction of Microsoft Chairman Bill Gates, a prediction he made several years ago, coming true regarding the “death-of-the-password”?
Jim Reno: A significant number of breaches can be traced back to some sort of stolen credential, usually a password. Passwords are fine in small doses – when things were simpler and you only had a few, they weren’t difficult to use. For example, 4-digit ATM PINs have been used successfully for many years by millions of people. But increasing computer power in the hands of attackers has led to a need for longer, more complex passwords at web sites. The proliferation of online business and mobile transactions and operations has created a situation where passwords aren’t always a good fit. The average person can’t possibly remember all of the complex passwords and typing a long password on a mobile device is one of the fastest ways to frustrate a user or customer.
We need a better solution. People have been making statements like ‘the death of passwords’ for a long time, but it doesn’t have to be that black and white. We need flexible solutions that are convenient to use. Those solutions might well continue to include passwords, if they can do so in a way that’s both secure and user-friendly. I think this will evolve in a way where multiple types of technologies whittle away at different parts of the problem. For example, federation technologies will help reduce the number of credentials a user has. Biometrics will provide options to passwords. Multifactor credentials, found in CA Strong Authentication, and new password management systems, which incorporate CA’s patented key protection technology, will improve security. Use of mobile devices for authentication will allow a user a single point of interaction, applicable at many sites.
SecuritySolutionsWatch.com: Can we discuss IoT for a moment? We all know the benefits of IoT, in seconds with our mobile devices…in seconds we can pay a bill, make a dinner reservation, send a gift, or change the settings of the HVAC system at our home, but, are we also more vulnerable today to the bad guys out there? Your thoughts?
Jim Reno: IoT unquestionably introduces new avenues for vulnerabilities. As with many new technologies, IoT is moving fast in introducing new functionality, and security, which sadly is often an afterthought, lags behind. We need a different mindset about devices. A thermostat isn’t just a thermostat, it’s both a computer as well as possibly an active agent on a network.
There are two sides to how we need to think about connected devices. We first need to think of them as computers, on a par with any other computer system. They can be attacked by many of the same pathways. Once attacked, their primary function can be subverted. For example, your home security system might be made to unlock your doors.
The second side is to think of these devices as if they were users – that is, as active agents with identities that reach out on the network and do things. In doing so, the same sorts of security questions around identity arise as for any other computer or user.
For example, when a device gets an incoming request, how does it know who initiated that request, and whether it should be allowed? And when a device wants to make an outgoing request, how does it identify itself? So it’s clear that some of the problems are similar to those of protecting websites from breaches; and to authenticating users. But the scale is potentially much larger, with many devices, and the devices themselves have a wide range of capabilities.
SecuritySolutionsWatch.com: Any new solutions at CA regarding IoT, Mobility or Payments you’d like to talk about?
Jim Reno: We’ve recently released new solutions in several areas, including: identity management and access governance (CA Identity Suite); authentication with CA Advanced Authentication; API management to offer end-to-end security with our comprehensive portfolio — from a user accessing an app, to the app accessing APIs; and a ground-breaking solution to help combat fraud and increase revenue. CA Risk Analytics, a fraud prevention solution, incorporates sophisticated, patent-pending behavioral neural network authentication models for assessing risk of online, card-not-present (CNP) transactions. The neural network models are powered by machine learning techniques that capture data about user actions to better understand and distinguish legitimate behavior from fraudulent behavior. They can be applied to payment as well as enterprise use cases.
SecuritySolutionsWatch.com: CA’s brand recognition and track record in virtually every market segment is truly second to none. Are there any particular success stories, “wins” or customer voices you would like to talk about?
Jim Reno: Many of our customers recognize the power of blending identity and access security with API management to secure applications. I think one of our customers said it best in our recent Security announcement from CA World: “The breadth of CA’s identity-based access control portfolio can benefit forward-thinking companies who know security isn’t something you can just bolt onto an app after the fact. CA’s solutions protect and control user access to the application at the front end, while controlling application access to the API for a more secure experience,” said Myrna Soto, Chief Information and Security Officer of Comcast.
SecuritySolutionsWatch.com: Thanks again for joining us today, Jim. Are there any other subjects you would like to discuss?
Jim Reno: Thanks, I always enjoy an opportunity to discuss security issues, particularly those related to identity and access security, which have been at the heart of some of the biggest breaches in 2014. Whether it’s Target and the compromised credentials of a partner (HVAC vendor), or Sony, and the controversy surrounding how insider credentials were breached — it all has to do with identity and access.