The PKI Appliance
The Problem

After three decades of stove-pipe application development, companies are waking up to an Identity Management problem that is causing serious headaches. Now that Internet-facing applications have exposed previously “protected” interfaces to sensitive data, the ability of most companies to secure themselves from attacks is diminishing day by day. The primary reasons for these headaches can be traced back to the following:

  • Secret-key based authentication
  • Single-factor authentication
  • Distributed authentication databases
  • Regulatory compliance

Secret-key based authentication schemes were appropriate for the closed networks of the '70s and '80s, when attacking someone's ID required physical access to a terminal or PC. On the Internet, millions of users have access to a company's portal, making it susceptible to attack from anywhere in the world.

The explosion of Internet-facing applications creates a usability problem – too many user IDs and passwords for end-users to remember. In desperation, they resort to using just one or two passwords for almost all their user IDs, thus weakening the control organizations wield.

The exponential growth of distributed systems has caused a proliferation of password databases, each of which a security administrator must protect. Even as the cost of computing hardware has decreased each year, the cost of securing that hardware has been increasing steadily.

Finally, the Sarbanes-Oxley Act of 2002 requires, in Section 404, that a company's management assess the effectiveness of its internal controls around its financial reporting systems and processes. Unfortunately, since a user ID and password are incapable of distinguishing between an authorized user and an unauthorized attacker who has learned them, an ID/Password-based authenticator would be deemed ineffective for access control.

Single Sign-On with User ID and Passwords

Companies are attempting to solve these problems by consolidating user IDs into some form of Single Sign-On (SSO) solution. However, not recognizing all facets of the problem, companies are fixated on solving only one of the three symptoms – the proliferation of user ID databases.

Many companies are using LDAP-based directories as the linchpin of their SSO solution and tying legacy application authentication to the LDAP directory. While it may be reasonable for companies to deploy such a solution for the Intranet – where external attacks are not so prolific – it is inadequate when used for the Internet: it doesn't address the remaining issues – the use of secret keys, single-factor authentication, and the ineffectiveness of the ID/Password for access control.

Single Sign-On with only Digital Certificates

Digital certificates based on public-key cryptography are an option recommended by some Identity Management solutions. While public-key cryptography, when implemented and managed appropriately, can be very secure, many companies may be deploying it insecurely, by storing the private keys associated with the credentials in files on their PCs. This gives the false assurance of strong authentication, but a file-stored key is just as susceptible to the many forms of attack against the PC as a password is.

The PKI Appliance™

StrongAuth, Inc. believes that the appropriate solution should address all facets of the problem. In order to simplify the process of getting started, StrongAuth, Inc. has created the StrongAuth PKI Appliance™. The StrongAuth PKI Appliance™ is targeted at companies that want to pilot an SSO solution at a very low cost, as a precursor to a wider roll-out for the enterprise. It consists of:

  • A 1U rack-mountable, hardened Linux/Solaris-based computer, with a core Public Key Infrastructure (PKI) that issues digital certificates for strong authentication, digital signing and encryption
  • Ten external cryptographic tokens with readers and software
  • Two days of customized services to get this running in your environment

The StrongAuth PKI Appliance™ addresses the secret-key problem by using public-key cryptography. StrongAuth, Inc. addresses the “PKI complexity” problem by using the StrongAuth Reference PKI Architecture™, honed after years of helping global enterprises build their PKIs. The StrongAuth Reference PKI Architecture™ provides an optimal environment that addresses almost all of a company's PKI needs, while still providing the flexibility to address unique requirements. Specifically, it provides for:

  • A Certification Authority (CA) that issues digital certificates
  • A Registration Authority (RA) that off-loads the work of validating requests before submitting them to the CA
  • A Publishing Directory (PD) that stores all digital certificates and lists of revoked certificates
  • A Validation Authority (VA) that provides up-to-the-minute responses on the validity of a certificate
  • An Enrollment Directory (ED) that permits the pre-authorized issuance of certificates, with a Pre-Authorized Issuance Tool (PAIT) to manage the business process of issuance
  • A Key Recovery Manager (KRM) to escrow encryption keys for emergency use

While many companies might spend weeks, or even months, setting up a minimal environment to perform these functions, with the StrongAuth Reference PKI Architecture™ such an environment can be up and running in days!

With the external cryptographic tokens – smartcards and USB-based tokens – StrongAuth, Inc. addresses the single-factor problem. Much like you need a bank's ATM card and its associated PIN to access a bank account at an ATM, strong authentication to an application or network resource requires the cryptographic token, the trusted credentials on it, and the PIN protecting the token. This provides a higher level of assurance for access control, and thus supports compliance with laws such as Sarbanes-Oxley Section 404.

How to buy

Contact StrongAuth, Inc. to find out more.