Michael Barrett, CISO of PayPal; Joseph Moorcones, vice president for worldwide information security at Johnson & Johnson; and Lynn Mattice, vice president and CSO for Boston Scientific, are among the industry's most outstanding CISOs. Here these well-respected security executives offer their insights on New Data Center-style, next-generation security, as well as give tips for securing everything from budgets to WANs.
Who: Michael Barrett, CISO, PayPal
Career highlights: Before joining PayPal, an eBay company, Barrett was vice president of security and utility strategy at American Express. He perhaps is best known for his groundbreaking work on identity management. He was a driving force behind the creation of the open-standards Liberty Alliance, and served on the group's management board, including as president, during its early years. That role twice earned him a spot on Network World's annual list of the 50 most powerful people in the network industry.
Barrett's thoughts on:
Microsoft's CardSpace identity management technology
"I have two views on CardSpace. The technology stacks that it is using are great, but I wish the whole standards issue - essentially, fighting about what we did with Liberty - hadn't occurred. Now the Liberty Alliance is working to bridge that protocol divide so we have only one family of protocols. But CardSpace is good work. It very clearly follows the Laws of Identity that Kim Cameron [identity and access architect at Microsoft] laid out in May 2005 . . . and Vista is shipping with CardSpace, which will help give it critical mass with consumers."
Phishing and PayPal's response, an optional public-key infrastructure (PKI) token called Security Key
"PayPal's Security Key technology is powerful . . . but phishing is a complex crime. If we want to disrupt phishing, we need to get much better about digitally signing e-mails. E-mail from PayPal and eBay are digitally signed. As a consumer, you can differentiate between legitimate e-mail and fake, if you know how to do it. Let's use those signatures and work with ISPs to drop improperly signed e-mails."
But confusion about standards clearly has slowed adoption of e-mail signatures, he says: "It's important for PayPal and eBay to demonstrate technology leadership. We'll absolutely support multiple standards if that's what it takes to get the job done."
"There have been various proof-of-concept attacks on the mobile device platform, but they haven't been very widespread. As more commerce occurs on mobile platforms, we'll see more attacks. Companies like Symantec and McAfee do have perfectly good antivirus platforms for those environments; no one's buying them yet, as people don't see such attacks as much of a threat."
Those technologies will grow more popular as attacks rise, he adds, "and platforms like PayPal Mobile [a secure text-messaging and voice-activated method for accessing a PayPal account] will be more significant, too. . . . We don't view PayPal Mobile as the endpoint of where we're going with [mobile security] - we view it as our first toe in the water."