Security Gets Some Legs

Getting digital credentials for secure e-business has always been cumbersome. Securely roaming among multiple servers is even tougher. But a slew of new products is poised to simplify both.

RSA Security this week will roll out a Web-based digital credential store designed to simplify the deployment of digital IDs. Such IDs travel poorly when used with a different browser, PC or location. But with RSA Keon Web Passport, digital certificates can be downloaded and stored in a secure LDAP directory. That way, mobile professionals can "roam" and pull down their credentials from anywhere via the Internet. This eliminates the need for deploying desktop software that could be susceptible to tampering or hacker attack.

Several other security vendors, including Arcot Systems, Entrust Technologies and VeriSign, are also offering roaming and transparent integration with Web applications. However, RSA is offering two-factor authentication--a password and a randomly generated PIN--through its secure ID token cards to fortify the servers or "secure containers" in which digital credentials are stored.

IT managers welcome any efforts to simplify public key infrastructure (PKI) deployment.

"Understanding the technical underpinnings of PKI is challenging. Anything that makes it easier to deploy and interoperable [with Web applications] is a good move," said Chris Smith, vice president of IS at EasCorp, a wholesale provider of credit union services. The company uses Keon certificates to verify the identity of credit union employees who have access to EasCorp Web servers.

Web Passport can be used with any standards-based, PKI-enabled applications including Web browsers, e-mail and virtual private networking. This will help ease the interoperability problems users face working with browsers from different vendors, according to Mark Diodati, senior product manager of desktops for RSA Keon.

If a Microsoft Internet Information Systems user is issued a certificate, he is locked into a Microsoft world. To use that certificate with a Netscape browser requires a standard cryptography tool kit and installing it on a CD, Diodati added.

With Web Passport, a user goes to a URL to conduct a transaction and verifies himself by using an RSA SecurID two-factor authentication token or a secure password. The Web Passport plug-in is then automatically downloaded to the user's PC. Once the transaction is complete, the user's virtual smart card is deleted from the system.

While two-factor authentication is RSA's strength, the Web Passport could be expensive for those users who don't already have RSA SecurID tokens and servers installed, said John Pescatore, research director at Gartner Group. Tokens cards can cost as much as $50 per user.

To avoid deploying tokens and other expensive authentication methods, such as smart cards and biometrics, Union Pacific Railroad chose WebFort from Arcot Systems Inc. as the standard for supporting its B2B applications.

Union Pacific has 50,000 employees plus numerous suppliers and customers that use its extranet, so it would have to distribute smart card readers to each user.

"Lots of people are moving to digital certificates, and I didn't want to go the path of buying tokens and associated readers and deploying them," said Rick Holmes, Union Pacific's senior director of security and quality assurance. "It would be a pretty expensive proposition."

WebFort self-destructs if an unauthorized user opens it. "It has a unique ID and digital credentials embedded in a tamperproof container, with a PIN to open and use it," said Chet Silvestry, president and CEO of Arcot.

Because software by its very nature can be stolen, Arcot guarantees that even if the software container is opened, it can't be used because it renders itself useless.