Why ID Security Must Evolve
Entrust's David Rockvam on How to Mitigate ID Security Risks
In the face of evolving threats and actors, traditional ID security strategies have been proven inadequate, says Entrust's Dave Rockvam. It's time for a security evolution.
But to raise the bar on ID security, organizations first must assess their current gaps and gain a better understanding of where attackers are seeing success, says Rockvam, VP of product management and marketing communications at Entrust.
In a video interview recorded at RSA 2014, Rockvam discusses:
- Why current ID security strategies are inadequate;
- Threat trends that are changing the landscape;
- How organizations can address their ID security gaps.
Under Rockvam, Entrust Certificate Services has seen a rapid expansion, more than doubling since the company went private in 2009. This growth has helped Entrust shift from a mainly perpetual software company to a cloud software-as-a-service company, deriving roughly 60 percent of product revenue from cloud, software-as-a-service or subscription-based offerings. Rockvam is a graduate of Texas Tech University where he received an undergraduate degree in international trade and economics. He also holds a master's degree in business administration from the University of Texas at Dallas.
TOM FIELD: It has been two years since we sat down and talked. How has Entrust changed in that time?
DAVE ROCKVAM: Well, it's been a busy time in the world of security. The bad things that are happening out there are getting worse, and we've had to evolve. It's been a big evolution for Entrust over the last couple of years. Last time I was here, we had just been acquired by a private equity firm and made a lot of changes; really got focused around identity and how to stop some of the bad things happening out there. [We've] seen real growth at our company, and we ended the year being acquired by the Data Card Group. That has been a really exciting time for the company.
Threat Landscape Evolution
FIELD: So how has the threat landscape evolved?
ROCKVAM: The threats are growing exponentially. I think the latest numbers...there are 300,000 new variants released every day. There is just no way that any one solution can help a company. You can't keep up with that. On top of that the threats are getting worse. They've gone from the movie "Ferris Bueller's Day Off," a kid hacking in to change the number of days he was out of school, to international actors performing interesting advanced persistent threats on companies and governments. It has drastically changed from the days of hack-[for]-honor to now hack-for-harm. There is big money, intellectual property and protection of individuals in the way they live their lives that's involved. It's been a very big change over the last two to five years as far as how the threat landscape is.
FIELD: What's inadequate about the way we secure IDs today?
ROCKVAM: What's inadequate is really when you look at identity. Each identity isn't created equal, right? Identities are exploding around the world; we've all gone from having one ID or a couple of IDs to now, you have 10s to 20s if you look at all the different applications [or] devices you have. The threat landscape has changed against those identities. There are so many places someone can try and attack you. When you look at it, you really have to put the right level of security to the transaction that you're trying to perform, or the data you're trying to access. There is a big difference from someone that checks their bank account once a month and doesn't do any transactions, to someone [who] is routinely making very large transactions in and out of their bank to different banks. Those are transactions that need a much higher level of security. What we've done is built a solution that helps bridge that from taking very low value transactions and securing those all the way up, to the very large mission-critical transactions that need a much higher level of security.
ID Security Evolving
FIELD: How does ID security have to evolve?
ROCKVAM: What we're seeing [it] evolve to very quickly is mobile. We're seeing companies, and even government agencies, that are taking desktops and laptops out of their employees' hands when they don't need high level applications, [and] giving them tablets instead. We have to evolve to be able to secure those types of devices. Think of what it can carry around, what it has access to. We have to evolve to take care of those kinds of issues, because that is what people want. BYOD is the hot topic. It's not, if-and-when you're going to handle BYOD; security has to evolve around BYOD. When you look at mobile there's five, 10, 50 different things you could use for authentication. Let's take the mobile device and utilize all [of] the different authentication.
Raising the Bar
FIELD: What is Entrust doing to raise the bar?
ROCKVAM: I think it is just evident of what we saw being acquired by Data Card Group. Data Card Group right now is a world leader in transactions in the financial world. Almost 90 percent of the world's credit cards have some type of Data Card solution touching those. They are also big into national IDs and passports. It's a natural fit for them to go from card and booklet to, as we go to the electronic world, E-Passports. We start to add chips to cards in the U.S., we're a little behind with EMV compared to the rest of the world. It was a really natural fit for the way the two companies come together. Now we [say], "How do we look at what's going on with financial transactions? How do we look at what's going on with border-crossing? How do we look at what's going on with national ID cards to use those across different applications in the government?" Take a look at those and all that is also then moving into mobile, so what we're trying to do is take the best of both companies' solutions. Bring those together so we can bring a next-generation identity transaction protection to the marketplace.
FIELD: What kind of results are your customers seeing from these solutions?
ROCKVAM: Being here at the conference, getting the chance to see hundreds, if not thousands, of customers and potential customers and hearing their stories about what they are doing with your solutions is what to me is really exciting. One thing that we're doing is, "How do you authenticate and make sure that a mobile device on the network is the one that you want to receive data and information?" We're doing a lot with mobile certificates; when we look at Entrust, we're the number two player in SSL. What we've done is build out that platform to take SSL for managing digital certificates, and [then] expanding on that. Now you need mobile device certificates, now you want a mobile smart credential; we're doing things to turn your laptop and your tablet into a virtual smart card. We can take and do all of that from one platform. Certificates used to be considered hard to manage; you [had] to build an infrastructure and needed the people to do it. We've built a SaaS offering, and that allows all those certificates to be in one place, offered by one. You don't have to worry about all the policy stuff, or about having a bunker to put the PKI and digital certificate management, Entrust takes that complexity out and makes it a much easier process. It's things like that we're doing to help with mobile, with physical logical access, [to] live up to a lot of promise of what we've seen from identity in the past.
FIELD: How do you advise organizations to assess their ID security risk to know where they are and can plot a course to where they need to go?
ROCKVAM: That is a big question going on right now with all the breaches that have happened. We're actually testifying on the Hill in two weeks regarding some of the retail breaches that have just occurred, because people want to know, "What should I be doing?" I think it's about raising the awareness, it's about getting it up to the board level so they have that understanding of, "We've got to continue to increase profits, but look at the benefits we've been seeing from technology from mobility. Let's not forsake having those as solutions by not investing in the security and keeping the trust there for people."