Anyone remotely interested in identity management should definitely download a copy of the National Strategy for Trusted Identities in Cyberspace (NSTIC) document. It can be found at this link: .
At a very high level, the strategy calls for the formation of a standards-based, interoperable identity ecosystem to establish trusted relationships between users, organizations, devices, and network services. The proposed identity ecosystem is composed of 3 layers: an execution layer for conducting transactions, a management layer for identity policy management and enforcement, and a governance layer that establishes and oversees the rules for the entire ecosystem.
There is way more detail that is far beyond this blog but suffice it to say the document is well thought out and pretty comprehensive in terms of its vision. This is exactly the kind of identity future we need to make cloud computing a reality. Kudos to Federal Cyber coordinator Howard Schmidt and his staff for kicking this off.
I will post my feedback on the official website, but a few of my suggestions are as follows:
There will be lots of other needs as well. The document recommends identity and trust up and down the technology stack but it doesn’t talk about the expense or complexity of implementing more global use of IPSEC, BGPSEC, and DNSSEC. There is also the need for rapid maturity in encryption, key management, and certificate management. Good news for RSA, PGP, nCipher (Thales), IBM, HP, Venafi, and others.
The key to me is building a federated, plug-and-play, distributed identity ecosystem that doesn’t rely on any central authority or massive identity repository. This is an ambitious goal but one that can be achieved — over time — if the Feds get the right players on board and push everyone in the same direction.
Tags: BGPSEC, CA, Cyber Coordinator, DNSSEC, Federal Government, Howard Schmidt, HP, IBM, IPSec, Liberty, Microsoft, Microsoft Geneva, National Strategy for Trusted Identities in Cyberspace, nCipher, Novell, NSTIC, Open ID, Oracle, PGP, PKI, Project Higgins, RSA, Shibboleth, Symantec, Thales, Venafi, Verisign, Web services
DNSSEC is nothing new. The initial RFC was written in 1997 and the first specification was published in 1999. In spite of these efforts, secure DNS languished during the early 2000s as it wasn’t a requirement for most organizations.
Things have changed, however. DNS security has been called into question many times through cache poisoning attacks and the infamous Kaminsky vulnerability. To address these security weaknesses, DNSSEC efforts are underway. The DNS root servers have all been signed, as have the .gov and .edu Top Level Domains (TLDs). The other TLDs will be signed soon. These efforts will eventually establish a root/chain of trust for all sub-level DNS servers.
Yes, DNSSEC will take years before it is fully deployed, but the foundation is nearly in place. The U.S. federal government is leading the transition to DNSSEC, which means that federal system integrators and leading technology vendors will follow suit. In terms of the market at large, ESG believes that the transition to DNSSEC means:
This migration will mostly fly under the radar, but it will be a lucrative opportunity for smart vendors with the right products and services at the right time.
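The chain of trust mentioned above works link by link: each parent zone publishes a DS record carrying a digest of its child's key-signing DNSKEY, and a validator walks from a root trust anchor down through the TLD to the leaf zone, checking that every published key matches the digest its parent vouched for. The following Python is an added illustration of that walk, not code from the original post or from any DNSSEC implementation; the zone names, keys and DS values are constructed for the demonstration, no real signatures are verified, and only the SHA-256 DS digest type is handled.

```python
"""Added example: how a DNSSEC chain of trust links parent zones to child zones.

A parent zone publishes a DS record containing a digest of the child's
key-signing DNSKEY (RFC 4034 section 5.1.4). A validator starts from a root
trust anchor and checks each zone's key against the DS held by its parent.
All names, keys and DS values below are constructed for illustration.
"""
import hashlib
import hmac
import struct

DIGEST_SHA256 = 2  # RFC 4034 DS digest type for SHA-256


def wire_name(name: str) -> bytes:
    """Encode an owner name in canonical DNS wire format (lower-case labels)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Build DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit word sum folded into 16 bits."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest: SHA-256 over the child's owner name (wire form) and DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes) -> tuple:
    """What a parent publishes for a child key: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], DIGEST_SHA256, ds_digest(owner, rdata))


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Check that a DNSKEY seen in the child zone is the one the parent's DS vouches for."""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3] and dtype == DIGEST_SHA256
            and hmac.compare_digest(digest, ds_digest(owner, rdata)))


def validate_chain(trust_anchor_ds: tuple, zones: list) -> tuple:
    """Walk root -> TLD -> leaf.

    zones is a list of (owner, ksk_rdata, ds_for_child); the last entry's
    ds_for_child is None. Returns (True, None) or (False, zone where it broke).
    """
    expected_ds = trust_anchor_ds
    for owner, ksk_rdata, child_ds in zones:
        if not ds_matches(owner, ksk_rdata, expected_ds):
            return False, owner
        expected_ds = child_ds
    return True, None


def build_example_chain() -> tuple:
    """Constructed root -> gov -> example.gov chain (not real zone data)."""
    root_ksk = dnskey_rdata(257, 8, b"constructed-root-ksk")
    gov_ksk = dnskey_rdata(257, 8, b"constructed-gov-ksk")
    leaf_ksk = dnskey_rdata(257, 8, b"constructed-example-gov-ksk")
    trust_anchor = make_ds(".", root_ksk)          # configured in the validator
    zones = [
        (".", root_ksk, make_ds("gov.", gov_ksk)),           # root publishes DS for gov
        ("gov.", gov_ksk, make_ds("example.gov.", leaf_ksk)),  # gov publishes DS for example.gov
        ("example.gov.", leaf_ksk, None),
    ]
    return trust_anchor, zones


def tampered_example_chain() -> tuple:
    """Same chain, but the gov key was swapped for one the root never vouched for."""
    trust_anchor, zones = build_example_chain()
    owner, _, child_ds = zones[1]
    zones[1] = (owner, dnskey_rdata(257, 8, b"attacker-substituted-key"), child_ds)
    return trust_anchor, zones


if __name__ == "__main__":
    print(validate_chain(*build_example_chain()))      # (True, None)
    print(validate_chain(*tampered_example_chain()))   # (False, 'gov.')
```

The point the walk makes is that no single server is trusted on its own: a TLD key is accepted only because the signed root says so, and a zone key only because its signed TLD says so, which is why signing the root and the TLDs first is the foundation the rest of the deployment builds on. Because the owner name is hashed together with the key, a DS published for one name cannot be reused to vouch for a key under a different name.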
Tags: BIND, Bluecat, BT, DNSSEC, Infoblox, Microsoft, Neustar, Verisign
Symantec’s acquisition of the Verisign security assets closed earlier this week. This frees Symantec to tell the world what it bought and the role the Verisign services play.
Good thing. Symantec caught a lot of flak for buying a legacy SSL certificates business. In truth, this deal could be much more: a SaaS authentication and PKI offering to broker trust relationships in B2C and B2B transactions.
I believe this could be a very good acquisition, but Symantec can’t assume that anyone other than PKI nerds understand this. To satisfy Wall Street and maximize the ROI on this deal, Symantec must:
Symantec needs to prove to the market (and especially Wall Street) that it can back vision and money with execution. The Verisign deal was fairly significant, around $1.2 billion. Symantec needs to execute ASAP to demonstrate that this deal was well thought out and that the money was well spent.
Tags: PKI, SSL, Symantec, Verisign, X.509
I am pretty bullish on the upside of Symantec’s acquisition of Verisign. Frankly, I don’t understand why Gartner is such a downer and focused on SSL alone. Oh well, to each his own.
Regardless of whether you think this is a good or bad deal, Verisign’s divestment is just the latest sad chapter for a company that once had a market cap in the tens of billions of dollars. I know that this was a long time ago, during the Internet boom. Heck, even GiantLoop, the fly-by-night CLEC I worked for, raised about $200 million back then with no business plan.
That said, Verisign survived the Internet boom and bust cycle and GiantLoop was appropriately sent to the failed startup dust bin. So what did Verisign do? It diversified like crazy into a series of unrelated businesses. Perhaps company executives started reading 1970s business school case studies about conglomerates like Textron. That’s the only explanation I can fathom.
Ultimately the market has verified what I always believed, that Verisign’s moves didn’t make business sense. Furthermore, the company’s execution has been spotty even in its core businesses.
One reason why I believe Symantec can wring more value out of Verisign’s business is that I’ve heard anecdotal stories for years about Verisign’s poor execution. Having acquired lots of companies, I think Symantec can fix this over time.
The technology industry is programmed to look forward in a constant search for what’s next. That’s a good thing in general but let’s not forget about the lessons learned from the past. It’s worth examining the troubled history of Verisign as a case study of what not to do.
Tags: Gartner, SSL, Symantec, Verisign
When Symantec bought Veritas, a lot of people didn’t get it. After all, what did server backup have to do with PC antivirus software? In fact, storage and security work hand-in-hand in something the feds call Information Assurance. Symantec saw this synergy before most of the market.
Fast forward to yesterday’s news about Symantec acquiring Verisign‘s security business. Yes, SSL certificate sales drove Verisign security revenue, but Symantec gets a heck of a lot more with this acquisition. Add Verisign to PGP and Symantec, and you get:
Finally, it is fashionable to talk about cloud computing and how cloud security is the long straw. If you boil down cloud security, however, some of the key components are identity management, data security, and compliance management. Verisign covers the identity piece, PGP handles data security, and Symantec already has a leading IT GRC platform. Symantec can now sell you the pieces or provide the whole enchilada as a SaaS cloud service.
If this isn’t an exciting security business model, nothing is.
Tags: cloud, PGP, Symantec, Verisign, Veritas