Wednesday, February 23, 2005

Notes from my Day Job

One of the coolest security implementations I have seen for a while was Entrust's Identity Guard. As Mr Gates (latest industry affectation) said in last year's keynote, the day of the alphanumeric password (even with special characters and punctuation, no less) is over; it is just not considered secure any more. The two schools of thought are PKI (delivered on a smartcard) or a token.

Certificates (PKI) are excellent but need secure storage and a reader to make them fly. Storing a certificate on your local hard disk is not considered secure by many, as you are storing your encryption/signing key alongside your data, protected only by a password (remember them?). The secure option is to have your certificate stored on some kind of credit card that can serve as a physical biometric (photo ID) and perhaps even building access. The problem with this technology is that you need a reader; the new way of approaching this is to deliver the solution through a USB device.

Tokens come in all shapes and sizes but all work on the same basic principle. The user takes the number on the token (it changes every so often) and adds a secret number only they know to the front of it. The resulting code is entered into the password field and, if all the numbers match up, you're granted access. A cool bit of technology, and portable, but it does not let you take advantage of many of the features offered by certificates. I forgot to mention that certificates have the added advantage of giving you pseudo single sign-on. A number of banks have taken this token technology and implemented it in retail banking. You can also use the same method for transaction signing.
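As an added example (not from the original post, and not Entrust's or any vendor's code), here is how a server can verify the "secret number in front of the token number" login described above. The HMAC-based code generation (RFC 4226-style truncation), the 60-second step, the PIN, the seed and the salt are all assumptions chosen for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secrets; a real deployment provisions these per user.
USER_PIN = "4711"
TOKEN_SEED = b"constructed-demo-seed-0123456789"
STEP_SECONDS = 60   # assumed: how often the token display changes
DIGITS = 6          # assumed: digits shown on the token


def token_code(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """Code shown on the token for one time step (HOTP/TOTP-style truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def pin_digest(pin: str) -> bytes:
    """Server stores only a salted hash of the PIN, never the PIN itself."""
    return hashlib.sha256(b"demo-salt:" + pin.encode()).digest()


def verify_login(entered: str, stored_pin_digest: bytes, seed: bytes,
                 now: int, window: int = 1) -> bool:
    """Check 'PIN + token code' as typed into the password field.

    The leading characters are the PIN, the last DIGITS characters are the
    token code. Neighbouring time steps are accepted to tolerate clock drift.
    """
    if len(entered) <= DIGITS or not (entered.isascii() and entered.isdigit()):
        return False
    pin_part, code_part = entered[:-DIGITS], entered[-DIGITS:]
    pin_ok = hmac.compare_digest(pin_digest(pin_part), stored_pin_digest)
    counter = now // STEP_SECONDS
    code_ok = False
    for delta in range(-window, window + 1):
        # Evaluate every candidate step so timing does not reveal which one matched.
        code_ok |= hmac.compare_digest(token_code(seed, counter + delta), code_part)
    return pin_ok and code_ok
```

Both checks are combined with constant-time comparisons so a wrong PIN and a wrong token code fail in the same way, and the drift window is the server-side reason the "numbers match up" even when the token's clock is slightly off.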

The only problem you have with both of the above is that they both require me to send something physical through the mail (not strictly true in the case of certs or soft tokens). An interesting nugget from this year's conference is that the NSA consider FedEx a viable method of transferring confidential information, although I hasten to add not Top Secret. The current lag is five working days for getting something to all parts of the world. Even with this you have the problem of the enrollment ceremony: how can you attest to the fact that the recipient is the one you sent the device to? That of course comes down to Mr Process.

The reason I like IdentityGuard is that I can cheaply create a portable, limited-lifetime token that can be distributed by, say, a secure website. I have a client collaboration space I need to share. I add in my clients and it asks me for the user details required to get access. For each user I get given a URL that I paste into an email asking them to join this space. At the time of enrollment the client (who I know) calls me and I take him through the process over the phone. Now I know it's not as secure as the other two methods, but it's easy to expire and looks, on the face of it, very viable for securing data that is high value but of limited lifetime.
