INTERVIEW: Arthur W. Coviello Jr., RSA's cipher chief

 

Arthur W. Coviello Jr.

Arthur W. Coviello Jr. has been president and chief executive of RSA Security Inc. since 1999, overseeing the growth of its authentication technology.

The Redwood City, Calif., company's revenue grew from $25 million in 1995 to more than $280 million in 2000.

Coviello has a degree in business administration from the University of Massachusetts and is an accountant with a professional background in finance.

He made the jump to operations management at CrossComm Corp., an internetworking company where he was chief operating officer before moving to RSA. He said the move to a security company was logical, because internetworking opened up the security industry. Heading up RSA has not been easy, however.

"There were real problems from an operating standpoint," he said. "We needed process and systems and discipline to sustain the growth we had." But the security market gave the company the time it needed to regroup, he said, which was "a pleasant surprise."

WHAT'S MORE

  • Age: 48

  • Family: Wife; a son, age 23; two daughters, ages 19 and 12

  • Last book read: War in a Time of Peace by David Halberstam

  • Sports and leisure activities: Running and coaching baseball

  • Dream job: General manager of the Boston Red Sox

GCN senior editor William Jackson interviewed Coviello by telephone.


GCN: What areas of security does your company work in today?

COVIELLO: Our roots are in strong user authentication by at least two factors. We generally use something you know, such as a personal identification number, and something you physically possess, such as a token or a cell phone. The combination of two factors together is much stronger than a static password.

We're one of the few start-ups from the early 1990s that's still around and prospering. We said we would add value to the security hierarchy in four ways.

First, identify and authenticate the person you are doing business with or whoever is trying to access your computer resources.

Next, define the privileges that user has once he's gained access. Third, ensure that the information remains private and confidential as it flows across the network. And finally, have a record that is nonrepudiable.

You'll notice I didn't say anything about firewalls, antivirus software, intrusion monitoring or detection. Those are other elements in the overall security market. What I described is authenticity. It's not about defense, not about keeping people out. It's about letting the people in that deserve to be in, securely.

GCN: Is the government ahead of or behind the private sector in IT security?

COVIELLO: Yes. Most corporations would be envious of some government agencies, particularly Defense and intelligence. Many civilian agencies would envy the commercial environment.

The government is realizing that the issue is too big to supply its technology for itself. The security industry has grown up to a point now where the government can take more off-the-shelf products. The government has been good at defining the standards and requirements for security that the industry engineers into products.

GCN: How have you seen the needs of government customers change since Sept. 11?

COVIELLO: I think the change is in the sense of urgency. I haven't seen all the funding that I would like. Security was important before and is ultra-important now. It's time to stop studying and start implementing.

GCN: Have threats to the federal IT infrastructure changed?

COVIELLO: I don't think so. Unfortunately, just as with the airline industry, where threats were real before Sept. 11, the same cyberspace threats were there before. What's changed is the attitude about addressing them and the recognition that bad things can happen.

GCN: What needs to be done to secure the infrastructure?

COVIELLO: One, disaster recovery. If something gets knocked out, how do you get it back online? That's the belt-and-suspenders application that people recognize they need.

Second, assessment of vulnerabilities and intrusion monitoring. Once you've deduced where your vulnerabilities are, that tends to generate policies to mitigate or eliminate them. And that leads to defensive things: keeping antivirus software up to date, using virtual private networks, having a firewall that's implemented correctly.

So how do you keep the bad guys out? That's where authenticity comes into play. You could have a firewall that is set up properly and a virtual private network for the administrator, but if the authentication is just a static password, almost anyone could crack it in a matter of hours. And then a terrorist would have a beautiful encrypted pipe through a firewall, because you hadn't properly authenticated at the front end.

Decide what could happen to your mission if there were an attack. And then bring maximum force to bear in the areas where you have major vulnerabilities, where you cannot afford to be compromised. Work it backwards.

GCN: Public-key infrastructures seem to be slow in taking off. Why?

COVIELLO: I don't think people have understood what PKI is capable of doing. It can give you a digital identity, it can set up an encrypted session and it can give you nonrepudiation, so that no one can deny after the fact that something has taken place.

But if you access a digital credential on a desktop PC or server through a static password, then you have the same vulnerability as a static password would have in the first place. That was an early mistake people made.

The federal government is actively promoting smart cards. The Defense Department's Common Access card lets you protect your digital identity on a card that has encryption built in. By the way, that encryption comes from RSA.

A smart card requires a reader. How many government computers come with smart-card readers built in? Virtually none. So we're missing a reader infrastructure. Next we have to get all of the infrastructure deployed. The smart cards have to be personalized. How do you get the digital credentials downloaded to the smart card, how do you get it issued?

The Veterans Affairs Department has a good-sized implementation; DOD also.

GCN: How long does it take to implement encryption and strong authentication? A full-blown PKI?

COVIELLO: If it's just something like time-synchronous tokens, which give you very strong authentication, you could roll out thousands in a matter of days.

If you want to have software that defines privileges, there is a lot of scoping-out work for individual users, and that could take weeks or longer. It's likely to require some professional services.

Because it's the most complex, because it can get into the very fabric of individual applications, a public-key infrastructure could (but doesn't have to) take months.

Any Web application can understand a digital certificate that is presented to it, because every Web server has keys that recognize credentials from a public-key infrastructure. The problem is that client-server applications and mainframe applications cannot distinguish a digital certificate from the rear end of a truck.

So if you're trying to roll out PKI to a client-server application, you might need a Web front end or you might need some kind of custom agent.

That's a truth-in-advertising thing that I don't think a lot of PKI vendors explain.

GCN: Do you see a move toward biometrics as one of the two elements of strong authentication?

COVIELLO: We're into strong user authentication, however it's accomplished, but there are limitations based on the current technology for biometrics.

First and foremost, it's still fairly costly. Second, there are still too many false positives and false negatives in reading and scanning. And third, and perhaps most problematic, is that there are security issues about storing the biometric information itself.

For example, say I can get a copy of the digital representation of your thumbprint or your retina or perhaps your voice. If it's compromised once, it's compromised forever. You could give yourself a new digital identity, but you can't give yourself a new thumb. So the protection of that biometric information, once it's been digitized, is critically important.

We produce the software that manages digital credentials. We do and will produce the software that manages and protects biometric information, so we have no particular ax to grind about any particular technology.






