RSA: CA takes charge on security management

Computer Associates International Inc. this week announced it is spearheading an effort to establish common industry specifications for building security information management (SIM) products, which are used to gather and make sense of data from information-security equipment such as firewalls and from physical security systems such as electronic badge readers.

With the RSA Conference as a backdrop, CA Executive Vice-President Russ Artzt introduced the Open Security Exchange, flanked by executives from initial backers Tyco Safety Products, Pinkerton, Gemplus SA and HID. Although these physical security and smart-card vendors say they are in CA’s camp, the rest of the industry has yet to endorse the group.

“This will change by July at the CA World conference,” Artzt pledged. CA is wooing Check Point Software Technologies Ltd., Cisco Systems Inc., IBM Corp. and Symantec Corp., among others, he said.

The group’s initial goal is to develop core specifications for a “common credential,” whether in smart-card or other form, that could be used both for physical access through doors and for logical access to networks. The specification would also describe a common management framework so that critical information from distributed devices could be shared at a single console, which could in turn be used to control and audit those devices.

CA is developing two SIM products, Command Center for cybersecurity and eTrust 20/20 for physical security, set to be unveiled later this year.

While CA’s products will use the new group’s specifications, the forum is unlikely to have broad effect until it gains other members. “Without expanding to other players, success will be difficult,” said Alex Mandl, CEO of smart-card manufacturer Gemplus.

CA’s bid to close the gap between physical and information security reflects some real-world concerns inside large organizations such as the U.S. Department of Defense.

In what remains an uphill battle despite years of planning, the Defense Department has issued 2 million of its public-key infrastructure (PKI)-based “Common Access” smart cards to military personnel, with 2 million more expected by year-end. About 400,000 people enter or leave military ranks each year, so issuing new cards and revoking old ones is a continuous, large-scale operation for the Defense Department.

The cards are supposed to be used both for workstation access, including digital signing and encryption of documents, and for physical building access.

But the network and application infrastructure needed to take full advantage of the cards’ capabilities is not yet in place worldwide, said Mary Dixon, director of the Defense Department’s access-card office, during a presentation at the RSA Conference.

“We now have about 150,000 workstations with logical access and logon for the cards,” Dixon said. “We’re shifting our focus to usage.”

The U.S. military has only begun to address the use of the Common Access card for physical security, and many of these issues might not be worked out until the next version of the card is completed. That version will likely add support for biometrics, perhaps fingerprint or iris scans, alongside the holder’s PKI certificate.

The U.S. Department of Homeland Security is working closely with the Defense Department on the design of the Common Access 2.0 card, said Joseph Broghamer, senior security architect in the office of the CIO at the newly formed agency.

He now uses a dozen different cards or badge readers to get into his computer, the Pentagon, various federal agencies and parts of the White House. One card would be better, he said, not least because each separate card means a separate revocation process, and identification cards and the readers that honor them are not always revoked or updated in a timely way.