Mark Bregman | True identities

Featured eBooks
Changes in State and Local Government Workforces
A New Era of Social Media Regulation
Chasing New Industry
Insights & Reports
City of Minneapolis Accelerates Digital Accessibility and Cuts Administrative Time in Half by Using Smartsheet to Process Event Permits
Presented By Carahsoft
Download Now
Cyber-Informed Engineering for OT Security and AVEVA PI Users
Presented By Carahsoft
Download Now
By Joab Jackson
 

Connecting state and local government leaders

By Joab Jackson

|

The new chief technology officer for Symantec Corp. is thinking hard about how to define the elements that make up a person's identity and how that individual can assert such an identity in cyberspace.

Who are you? Mark Bregman really wants to know. The new chief technology officer for Symantec Corp. of Cupertino, Calif., is thinking hard about how to define the elements that make up a person's identity and how that individual can assert such an identity in cyberspace.

The real issue in the network world is not how I manage your identity once I've established it'that's what public-key infrastructure does. The real issue is how do I establish my identity in the first place.



Most people think of Symantec as providing protection from computer viruses and worms or, if you're a system administrator, as a provider of software for backing up computer files across an enterprise. The company, however, has been realigning itself as one that can help organizations manage risk in their IT infrastructures. And, as Bregman points out, identity management is a crucial element in risk management. We talked to Bregman about identity management as well as other security concerns of late, such as botnets and the rapid proliferation of spam.


GCN: In public talks, you've been speaking about how identity plays an increasingly important role in security. Elaborate.

Bregman: What we've started to see over the last 12 months is that there is another layer above the information that is becoming more important to security, and that is the interactions. If you want to access a bank or an e-commerce site, you're interacting with that service. How do you know they are who they say they are? How do they know you are who you say you are?


GCN: How will Symantec tackle this problem?

Bregman: The real issue in the network world is not how I manage your identity once I've established it'that's what public-key infrastructure does. The real issue is, how do I establish my identity in the first place?


In the physical world, when you come to work for a company, [human resource personnel] do a lot of background checks'they meet you face to face, they check some physical identity documents. They do a background check and then they issue you a credential, like a badge or a password'and that is sort of a credential to manage the access and authentication.


[We are becoming] a broker of identity so you can, as an individual, establish your identity with us through some set of processes. And having done so once, you can use those credentials elsewhere [in cyberspace], because we're trusted by the third parties to establish your identity.


GCN: That sounds like Passport, a failed attempt by Microsoft Corp. to establish a universal log-in service.

Bregman: Well, yes and no. Passport was a little too heavy-handed in the way it was administered. Microsoft wanted to control the identity. The key issue, I think, is that individuals need to control their own identity. It is your identity, not Symantec's, so we will be a broker, as opposed to being the owner, of the identity.


GCN: Would you seek government input?

Bregman: Clearly, at some point, the actual source of the identity will probably come from the government, but that will take some time.


In the meantime, there are mechanisms we could use that would be analogous to a credit rating. If I want to get a loan, the bank will go to Equifax to learn about my credit-worthiness. Equifax does not certify my credit-worthiness, it [offers] a collection of publicly available data that has been correlated to offer a picture.


The same thing is true for identity. Without having a government-issued identity, I can assert to somebody that this is my name. I could say I have an address and you can look it up. I have some records that say where I lived in the past. And if I weren't Mark Bregman, maybe you wouldn't know those addresses. You could ask what the last item was that I charged on my credit card. So you start to narrow in on confirming or establishing my identity.


Now [that approach] might even be better than a government-issued identification card. Even in the physical world, it is not that hard to get a fake ID. You show up with a birth certificate. What is a birth certificate? Well, it's a piece of paper that says someone was born with that name, but it doesn't have any DNA, fingerprints or anything. The person [applying for the ID] has to be the same sex and around same age, and that is pretty much it. We could build a history of someone's life, and that might be better as a form of identity.


GCN: Elsewhere in the security field, we've been hearing a lot of botnets, or networks of user computers surreptitiously controlled by spammers. What does Symantec see in this area?

Bregman: One of the general trends is that the vast majority of threats have moved in the past few years from being very visible to being indiscriminate. In the past, there was a lot of what was effectively graffiti, or vandalism. The whole point of the people perpetuating it was to get attention.


It has gone from vandalism to being real crime for financial return. Criminals aren't stupid. The best way to break in and steal something is to not let you know they are in the house until you've discovered what is missing. ... Cybercriminals are doing much more subtle things and much more targeted things.


That is why we're seeing a shift from worms and viruses that are visible and cause problems on your machine to [those] that are not visible. The best ones are not visible. If you don't know they are there, you're not going to get rid of them.


I had a conversation with a guy who founded a small company. ... He said, 'I don't understand it. The only machines in our offices that get viruses are the ones with antivirus software. The other machines never have a problem.' So I say, 'Do you notice that they are getting slower and slower?' He said, 'Well, after nine months I have to replace them, they just wear out.'


Of course, computers don't just wear out. They get filled with junk. I just think people aren't thinking about it that much. They're seeing this 80 percent growth in spam, but they haven't yet recognized that ... it is not just the spam that is the problem, but it's the botnets and other things.


I think government is realizing this. If you're an intelligence agency or a defense agency, you certainly don't want uncontrolled stuff running on your machines.


GCN: Recently our reviewers praised a spam filtering appliance from Sendio Inc. that uses a novel form of spam filtering called challenge-and-response [GCN.com/730]. What do you think of this approach?

Bregman: This is something we've looked at. The problem is that it is very cumbersome. ... The first time you e-mail someone, you get a challenge back. Then you send back something, which puts you on the Safe List. And that is fine until you change your e-mail address, and then you have to do it again. It is not clear how well it scales. And of course, there are ways to get around that. And soon as you know what a challenge response is, you can automate a response.


One of the real challenges of security is to not just protect things but to do it in such a way that ... you [don't] spend all your time on security. ... Think about airport security. It's almost to the point where it takes you so long to get through airport security you might as well take the train.

NEXT STORY: Grants services pay off for ACF

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.