Q&A with RSA Security's Art Coviello
EMC's acquisition of RSA was one of the biggest stories in the industry last year. How is the
integration progressing and how have your respective customers reacted to the change?
The reaction from customers once we explained the strategy is absolutely phenomenal. When you put
security in the context of EMC's information infrastructure strategy, they get it. Now, the
question is, how do you put all of it together? One thing is Infoscape, which allows the tagging of
structured and unstructured data and from there you can decide what to encrypt. Also there are ways
we can combine access control and incident monitoring to see how we can work with document
management. When you take the strategy down to the street level like that, customers get it. I keep
hearing these comparisons of this deal to the Symantec acquisition of Veritas. There's no
correlation with Symantec. EMC is five or six times the size of Symantec, and they make a bold move
in acquiring us and they have a lot more credibility to work with. Symantec is about protecting the
machines. Ours is more information-centric security. We protect the access to the information from
the inside out. For us when we talk to customers, we talk about the need to solve the problem of
protecting data at rest. It's less about products for us.
"...when we talk to customers, we talk about the need to solve the problem of protecting data at rest. It's less about products for us."
Art Coviello, president of the RSA Security division of EMC
Strong authentication is still one of the major concerns for
enterprises, and part of the reason more of them haven't deployed it is the cost. Do you believe
the hardware token business will still be viable in the coming years?
definitely are going to be big business for us for the foreseeable future. Every year we hear about
the demise of tokens. In 22 years we've sold 24 million tokens. In the 18 months ending in December
2006 we'll be in the process of protecting 100 million consumer accounts. That's a combination of
SecurID tokens, the SecurID toolbar and other tools. But the game has changed dramatically in
authentication. You need a number of solutions that satisfy a number of dynamics, such as low
volume, high value accounts or high volume, low value accounts. You need methods of going from very
passive to very active authentication to give customers confidence. A customer might want a SecurID
token for online trading, but maybe Site Key is enough for online banking. We have to be able to
adapt. People accessing information or performing transactions don't always do it in the same way
each time.
How much of an effect have regulations such as FFIEC and Sarbanes-Oxley had on driving
demand for your products, especially the authentication line?
has been absolutely huge for us. We've gotten hundreds of financial institutions as customers
through that. It has had a dramatic impact on sales of tokens especially. And I would expect that
How does RSA plan to address the growing popularity of
on-demand services? What's the opportunity there for you?
There's actually a lot that we can do in terms of access control, permissions, authentication. You
will see us spreading out to more on-demand services in the future.
As we've seen at the RSA
Conference in past years and will again this year, some of the biggest players in the tech
industry, including Cisco and Microsoft, are pushing hard on security and building more and more
functionality into their products. Does that make it more difficult for independent security
companies to survive over time?
Well, it's interesting. That's a great question. I think security does need to be built in and not
bolted on after the fact. That's just the more efficient and sensible way of doing it. I don't
think that over time you will see an independent security industry in the future. I see this as
security coming of age. Our perimeter defenses are way too porous. We need to fill in those holes
somehow. And if products overlap, that's not necessarily a bad thing. It's better to have overlap
than to have holes. But as [EMC and RSA] integrate, we will support the security work that
Microsoft and Cisco and others are doing. But I think there will always be a requirement for
products to work in a heterogeneous environment, regardless of who makes them.