How many PDAs (personal digital assistants) and laptops have you or your coworkers lost? How well do laptop users guard their passwords when at customer sites? How many nightmares does that give the security techs back at the office?
Laptop and PDA security covers a wide range, so let's talk about one area today: user authentication, or making sure remote users are who they claim to be.
Passwords, you say, will do the job. No, they won't. The same users putting their passwords on sticky notes often use form-fill software to automatically fill in their passwords in their logon screens, so anyone taking the laptop gains automatic access. But even if users type in their passwords, they can be "shoulder-surfed" by someone just happening by and never know they gave away their password.
The trick to get people to trust remote security is to mimic the functions of an ATM, says Malcolm MacTaggart. (The cash machines, not the network technology). Make it easy for Mom to use, and corporate users will follow the rules.
Hence the two-part system developed by MacTaggart's company, CryptoCard in Kanata, Ontario. On one end, a secure authentication server sits on the corporate network. On the other, each client laptop or PDA uses either a software token, a key chain token or a smart card and reader to gain access to the authentication server.
With a soft token, the user types a PIN into the system, which in turn generates a one-time password. With the key chain token, the user pushes a button on the fob, which generates the one-time password that the user types in to gain access. With the smart card and reader, the user puts the card into the reader, then the client generates a one-time password to permit access.
See the advantage? The key fob or smart card has one number, while the computer or PDA client software has another number, and both must get involved to gain access to the data. Lose the smart card and there's no breach. Lose the laptop but not the token, and security remains safe.
PDAs need a software token, but laptops and desktops can use either a software token, a smart card reader or the key chain token. Administrators typically give mobile users key chain tokens or smart cards so they can access multiple systems and provide those who access one system software tokens.
Dave Slabodnick, chief information officer of Mercy Health Partners of Western Ohio, replaced his existing RSA SecureID security system with CryptoCard back in September. Tracking 246 physicians and their remote offices and staff required a more flexible system.
"We can give physicians smart tokens or smart cards to use with any computer, laptop users [get] soft tokens, and doctor's staff people get tokens that limit their logon to office hours from particular computers," he says.
Downloadable evaluation software on CryptoCard's site installs easily, says Lee Chamberlain, Slabodnick's network administrator: "We were up and running almost immediately." Lost key chain tokens, smart cards, laptops or PDAs can be locked out of the system in less than 2 minutes at the administration end.
CryptoCard's back end server, CryptoAdmin, starts at US$2,500 for 100 users, and clients (software, key chain token, or smart card and reader) run from $35 to $90. Though not publicly announced, MacTaggart says new smart cards coming in July will have enough capacity to store the CryptoCard token and access information for security doors. That way, when you lose your card, you lock yourself out of your computer and your office.
James E. Gaskin writes books (13 so far), articles, and jokes about technology and real life from his home office in the Dallas area. Gaskin has been helping small and medium sized businesses use technology intellingently since 1986. Write him by clicking here.