SAN MATEO (02/14/2000) - As the RSA Conference entered its ninth year last month in San Jose, Calif., Art Coviello Jr. was at the helm, appointed as CEO of RSA Data Security Inc. just days earlier. In an interview with InfoWorld Reporter Brian Fonseca, Coviello outlined his views on his new position at RSA Security, the evolving complexity of IT security as business-to-business commerce and wireless grows, and the topics of interest expected to dominate the RSA Conference 2000 floor.
InfoWorld: What has been the biggest change in security since the first RSA conference nine years ago?
Coviello: I think we've gone from an era where [there were] engineers and folks who spied for encryption to my own mother using encryption to order her grandchildren's presents online at eToys. It's a pretty dramatic change. I think it's clearly the Internet that has converted security from being just an insurance thing that only technical people cared about to an area that people look at as an enabling technology for business-to-business and business-to-consumer and consumer-to-business commerce.
InfoWorld: What technologies do you think will lead the charge in 2000 in the security market?
Coviello: The big thing last year was that everybody wasn't concerned about doing much of anything because of Y2K. So one of the key enabling technologies for business-to-business commerce will be the implementation of public key infrastructures (PKIs). I see large numbers of pilot rollouts this year of PKI to enable business-to-business commerce to develop. Wireless, in terms of having the ability to communicate, will be another dominant theme.
InfoWorld: What does the growth of mobile, wireless, and Palm Pilots mean for security IT managers?
Coviello: Clearly, this will make it even easier to communicate, and the handheld devices will become a window into the Internet. That's because the Wireless Applications Protocol [WAP] will enable all of this to happen, and the good news is that RSA technology is already embedded to provide encrypted links on its wireless communications. The second thing is that you're not going to communicate over a wireless network unless you have encrypted action or an encrypted session. So that's great from one standpoint, but equally important is being able to identify the person on the front end of this session. Those handheld devices could become the physical part of the strong authentication, the something that you have and physically possess, [linked] with some kind of passcode.
InfoWorld: As wireless devices take hold, is the technology to get them on the market keeping up with the security that's essential to make them practical for users?
Coviello: I think businesses will have to drive this market and make people feel comfortable, but I think it will develop much the way consumer business is developed, and people will get an understanding of why things are secure and feel comfortable doing it. You should expect to hear partnership announcements [from RSA] with strong authentication technology over the next couple of months. With respect to the encryption technology we [already] have, we have licensed our V-Set technology to companies like Phone.com and Ericsson, which did the wireless operating system. I think wireless is very much [in] the embryonic stage, so I think it is going to be a topic for several years to come. We're already there and equal to the task, and we view it as a tremendous opportunity for ourselves.
InfoWorld: Why is PKI being tabbed as a major focus at this year's conference?
Coviello: That's a great question because, too often, security vendors [just like to cut] technology like PKI, and they don't explain why public key infrastructures are important. The reason that PKI is going to be so instrumental to business-to-business is that it solves a number of security issues. First, it can ensure that your transaction is private. Second, it can ensure that the transaction is unaltered. In other words, the integrity of the transaction is maintained. Third, you get the element of non-repudiation, which makes a commercial transaction legally binding with the PKI. In other words, the use of the digital signature. And finally, if you have a strong physical identifier, like a secure ID technology, then your digital credentials are protected, and you have a digital identity as well. So you have a digital identity, privacy, integrity, and non-repudiation as a result of the implementation of the PKI. It's the only technology that people are comfortable with in scale for the size and volume of transactions that will occur.
InfoWorld: Is there room for everyone in the PKI landscape, or is this something that's going to be dominated by the companies with the money to spend and technology to advance it?
Coviello: This is the dawn of a new era in security. PKI technology that was developed originally at RSA, is the building block for what will be deployed.
It's going to be a very lucrative market, and there will be certainly bits and pieces available. I think it will attract and has attracted a lot of players, but I think, as in any market opportunity, there will be several strong competitors, and we obviously aim to be one of those.
InfoWorld: Why has it taken so long for PKI to catch on in the security area?
Coviello: It's the application that will drive it. Up until now it's been a technology in search of a problem. Now the problem is well known, and that's solving security issues for business-to-business commerce. One of the things you should be looking for [at the RSA 2000 Conference] is interoperability.
It's not just about generating the digital certificates; it's also about managing them. So we can take certificates from Microsoft and Netscape and verify and manage those certificates and apply them to multiple applications, which is, I think, the significant advantage that we bring.
InfoWorld: What will relaxed federal-export encryption laws mean to security businesses?
Coviello: We think that it's going to add a tremendous boost to the field and to the development of a lot of our applications in customer sites outside the United States. It'll be more of a global outlook and less of a U.S.-centric view. There will be the ability now for companies around the world to develop standards that will allow things to be interoperable for wide bases. In the fall, we were very excited to hear about the fact that the government planned to do this, but naturally we were cautious in one of those 'the devil will be in the details [modes].' And when the first draft of the details came out, we were not particularly happy. Very few vendors were happy. So we went back [and talked to the government], and they listened and listened well. So we are optimistic that the final version -- which we haven't seen yet -- will be what it would take for us to do our jobs.
InfoWorld: Are the lines between enterprise management and enterprise security becoming blurred?
Coviello: The answer is yes and no. One is not necessarily going to dominate and replace the other. Now, managing the enterprise generally is about network infrastructure and getting the network to work. Security tends to be around the user population, so what is needed is for one management system to complement the other, and they have to be tightly linked with things like Java API and C-language API. Most companies have already started to do this and recognize that it's an issue. Directories will be another thing that may help, and most have a plug-in architecture [so] that one thing plugs in to another.
InfoWorld: Virus and hacker hype: Legitimate or overblown? What about Y2K?
Coviello: Yes, it's legit, and yes, it's overblown. We're starting to see with most of our customers that they're increasingly being able to discern what is important from a risk management standpoint and as a result, they're deploying technology accordingly. I don't want to confuse the Y2K phenomenon with the ongoing issue of virus and hackers. But let's take one at a time. I think the IT and RSA industry should be proud of the way they handled Y2K. The reason it was not a story is that everybody did their jobs. Who knows if we hadn't spent all that money what degree of trouble we might have gotten into? It's a heck of a lot better to wake up on Jan. 1 and Jan. 2 without problems, having spent the time and energy to ensure that there weren't, than to have treated it cavalierly and wake up on Jan. 1 and 2 with a huge problem.
InfoWorld: What types of security threats are toughest to protect against, external or internal?
Coviello: All security in the early nineties was bought very much on a reactionary basis. And what companies really started to do approaching 1995, 1996, 1997, and through today, is to start with a good security policy. From that developed a security architecture and implementation of the security applications. And, at the front end, you saw the proliferation of intrusion-detection and intrusion-monitoring tools that helped pinpoint where the weak spots were. But there are always lots of things to do. The area of application-access control could be more automated, policy management stuff can be more automated, and I think that you'll see continuing improvements there.
Obviously the implementation of PKI will have a dramatic effect as well.
InfoWorld: What has the data-security merger meant to RSA?
Coviello: We've done a number of things to integrate the operation of both units, and as a result we're far more cost-effective. We're getting synergy across all of the product lines that were developed in both businesses. RSA brand is now more recognized than ever before, and it's great to be a hot company again.
InfoWorld: InfoWorld: As the new RSA CEO, what products and focus do you see RSA offering in the coming year?
Coviello: This is an especially exciting time for the company at a point where business-to-business is about to take off. We're going to continue to drive our leadership position with the pure ID authentication products. You'll also see releases for stand-alone Keon [a security product from RSA] that strengthens the product as well. I will tell you that there will be a few surprises.
InfoWorld: Do you feel added responsibility as the new CEO of RSA, guiding one of the most recognizable leaders in the security industry?
Coviello: My philosophy is that we're not an engineering-[driven], or sales-driven, or marketing-driven company. We're a company where all the executives take an equal place at the table and take cues from customers. I think the course is set for us, and I think it's up to me and the management team to drive it. It's a bit cliche, but unless you're the lead dog in the sled team, the view is always the same. We want to maintain that leadership position.
RSA Security Corp., in Bedford, Mass., can be reached at www.rsasecurity.com.