The Firewall and the Wandering Workers
Corporations with strong firewall defenses didn't take long to figure out that their greatest threat was from employees who log on from outside the building. Executive Tech columnist Brian Livingston outlines some new solutions to this security hazard.
With laptops, Palms, Pocket PCs, and even cell phones accessing your enterprise databases from God knows where, you're in for a nasty surprise one day if you're not using tough authentication measures before you let those devices communicate. An innocent-looking login might actually represent a malicious hacker posing as some vice president.
There's a whole new wave of solutions to this problem. Let's first look at the types of hardware offerings that are currently available:
• Smart cards have been around for years, but are gaining new life as a way of letting your trusted employees into your network and keeping hackers out. The devices look and feel like an ordinary credit card. But they contain sophisticated electronics that can't be duplicated by script kiddies.
If you want to use USB smart tokens as well as smart cards, it's possible to combine both worlds. Plugging a small smart-card reader into a computer's USB port conveniently provides a home for an employee's smart card.
Authentication on the Fly
All tokens such as these serve at least one primary function. When someone is trying to log on to your corporate network from a distant location, what proof do you have that that person is really one of your authorized users? After all, they might be an intruder who captured a password over-the-air at a typically nonsecure wireless cafe.
Tokens handle this problem, not by storing passwords, but with much more sophisticated security. The process, overly simplified, goes like this:
• Log in. When a user attempts to log in to the enterprise network from afar, the token — which is plugged into the laptop or handheld — sends the network a short, encoded string.
• Challenge. The network server, reading the code, sends back a numeric string that represents a "challenge" that the token must solve.
• Response. The circuitry within the token is able to convert the challenge string into a response that only it would be capable of generating. In combination with other measures, such as a password known only to the bearer of the token, this authenticates the person trying to log in, and he or she can then access network resources.
The Latest Tokens from Innovative Players
Numerous parties design and manufacture tokens, but the following have some of the most interesting new offerings:
• Raak Technologies (pronounced "rock") specializes in making it easy for enterprises to obtain 1 to 5,000 smart cards or USB tokens — pre-customized for each roaming worker — without requiring your company to program and manufacture its own secure devices. A name-imprinted T8 USB Token from Raak lists for $64.95 and rapidly declines in price in larger quantities.
• Aladdin Knowledge Systems offers its USB eToken in two encryption strengths to suit enterprises with varying needs. The company doesn't publish a price list, but an Enterprise Starter Kit with 10 eTokens, licenses, and software for setting up a trial project runs as low as $772, according to Mike Lang, Aladdin's vice president of channel marketing.
• Athena Smartcard Solutions recently announced what it calls the first PC keyboard with an integrated smart-card reader and Flash upgradability. This will interest those companies that require the form factor of smart cards — which can hold employee photos and other ID that a USB token cannot — for their desk-bound employees who regularly need to prove their identity. Athena's ASEDrive III KB offers you developmental flexibility without the need to replace keyboards every time smart-card technology changes.
These are far from the only developments taking place to make remote computing as secure as in-house computing. The fact that the small SIM cards found inside all GSM-type cell phones are smart cards has prompted the formation of the WLAN Smart Card Consortium. This group — with heavy-hitting members such as Texas Instruments, Visa, and France's Alcatel — just last month released version 1.0 of an international standard to make wireless LANs, such as Internet cafes, secure for all who choose to use the specification.
When I see the nonexistent security at many wireless access points in hotels, airports, conference centers, and elsewhere, recommending that you set up smart tokens to authenticate your traveling workers is a no-brainer.