Cisco's Peterson agrees, with a caveat. "The concept of going down to a more granular user reputation or online identity reputation is very powerful, but it's still in its infancy. It's definitely the way of the future, but it is a challenging problem for a couple of reasons," he says.
One is making sense of the myriad online identities -- is ppeterson99@yahoo.com the same person as ppeterson99@linkedin.com, for example? -- and applying reputation scores appropriately. Plus, IP reputation service providers can't as readily collect behavioral information from proprietary social networking, Web mail or blogging sites.
Working with authentication services
Still others see an increasingly important role for reputation-like services in the authentication realm.
Think of this scenario: A hacker hijacks the identity associated with a reputable Web address, and the IP reputation service allows the connection because the score falls within the range allowed by the access policy. That could be bad. What's really needed is not just reputation at the network level but also reputation-like access controls at the application layer, says Torsten George, vice president of global marketing at ActivIdentity Inc., a credential management company.
In other words, much like an IP reputation service, authentication software would collect attributes and determine risk scores. On top of normal authentication procedures, for example, the software would look at behavioral information and the IP address of the computer. Does the user normally only request applications during business hours, but now suddenly he's doing so at 2 a.m.? Does the request typically come only from a desktop computer and now it's coming from a notebook? This is the kind of reputation-like input needed for advanced authentication, George explains.
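As an added example (not from the article, nor ActivIdentity's product), here is a small Python model of the scheme George describes: a perimeter check that uses IP reputation alone, beside an application-layer score that also weighs the user's usual hours and device type, so the hijacked-identity scenario above is caught at the application layer even though the IP looks reputable. All records, weights and thresholds are constructed assumptions.

```python
# Constructed illustration of reputation-like access control. All records,
# weights and thresholds are made-up assumptions, not any vendor's product.

HISTORY = [  # constructed prior logins for one user: hour, device type, IP reputation
    {"hour": 8, "device": "desktop", "ip_rep": 88},
    {"hour": 9, "device": "desktop", "ip_rep": 90},
    {"hour": 13, "device": "desktop", "ip_rep": 86},
    {"hour": 17, "device": "desktop", "ip_rep": 91},
]

# The scenario from the text: a reputable IP address, but behaviour that does not fit.
HIJACK_REQUEST = {"hour": 2, "device": "notebook", "ip_rep": 90}

def network_level_decision(req, ip_threshold=60):
    """Perimeter-style check: the IP reputation score alone decides."""
    return "allow" if req["ip_rep"] >= ip_threshold else "deny"

def build_baseline(history):
    """Derive the user's usual hours and device types from past logins."""
    hours = [e["hour"] for e in history]
    return {"hours": (min(hours), max(hours)),
            "devices": {e["device"] for e in history}}

def score_request(req, baseline, ip_threshold=60):
    """Application-layer risk score: IP reputation plus behavioral deviations.
    Returns (score, reasons); higher means riskier. Weights are assumptions."""
    score, reasons = 0, []
    if req["ip_rep"] < ip_threshold:
        score += 40
        reasons.append("low IP reputation")
    low, high = baseline["hours"]
    if not low <= req["hour"] <= high:
        score += 30
        reasons.append("outside usual hours")
    if req["device"] not in baseline["devices"]:
        score += 30
        reasons.append("unfamiliar device type")
    return score, reasons

def decide(score):
    """Map a risk score to an access decision (thresholds are assumptions)."""
    if score >= 60:
        return "deny"
    if score >= 30:
        return "step-up"  # ask for an additional authentication factor
    return "allow"

if __name__ == "__main__":
    score, reasons = score_request(HIJACK_REQUEST, build_baseline(HISTORY))
    print("network-level:", network_level_decision(HIJACK_REQUEST))
    print("application-level:", decide(score), reasons)
```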
Keith Ward, director for enterprise security and the identity management program office at Northrop Grumman Corp., agrees. Reputation-like strong authentication already has become an imperative for the company, as well as for eight other aerospace and defense companies and the governments of the U.S., U.K. and the Netherlands participating in the federated Transglobal Secure Collaboration Program (TSCP).
As an example, he points to secure collaborative e-mail, a TSCP-developed specification supported by Northrop Grumman, Boeing, Lockheed Martin and the other participants in the federated environment. "The application, sitting on top of Microsoft e-mail, is secure and collaborative because it's tied to the vetting and proofing of employees specified for participation in the federated environment," he says.
The process is similar to reputation scoring. "If any of an employee's attributes changes, we have an 18-hour window to notify everyone in the federated environment and change access control policies for physical building entry, logical applications or portal access," Ward explains.
Clearly, reputation services are playing increasingly important roles in enterprise security, be it for spam and malware control, perimeter safeguards or improved application access controls. And while much of this is new and unproven, IT security managers shouldn't be put off. As Opus One's Snyder says, despite the unknowns, "I encourage people to start playing with this stuff as soon as it comes out."
Schultz is a freelance writer in Chicago. She can be reached at bschultz5824@gmail.com.