November 2006 Issue

Keeping Pace with Legislative Requirements Takes a Smart Card and a PKI
By Jerry Iwanski

The recent announcement of new federal mandates for laptop encryption and two-factor authentication for civilian agencies has put considerable pressure on organizations. Following a wave of high-profile data thefts and major security breaches involving remote access or the theft of government laptop computers containing sensitive personal information, the Office of Management and Budget (OMB) gave federal agencies until August 7, 2006 to implement new data security requirements to protect sensitive data. Among the recommendations are the encryption of all sensitive data on mobile devices, token- or card-based two-factor authentication for remote access, and the tracking of data extracted from federal databases.

Complying with these mandates is no small feat given the inherent security risks associated with VPNs (virtual private networks), which have been a mainstay in security schemes. Despite the best efforts to secure VPNs, security is still not bulletproof enough to withstand the onslaught of threats – especially when managing the proliferation of laptops and other mobile devices that access these networks. This is having a profound impact both on how enterprises manage their networks and on their ability to conduct business and instill confidence.

A number of corporations are moving down the path of least resistance by restricting access and privileges to a smaller number of users, while others are retracting their VPN infrastructures altogether in an effort to regain control and meet their compliance needs. However, restricting remote access to corporate information is counterproductive to creating efficiencies in the workforce and/or generating revenue through ecommerce activities.

A critical element to achieving a fully secure network environment is the adoption of a public key infrastructure (PKI). Stringent security requirements can be achieved by employing cryptographic keys, particularly when combined with two-factor authentication. However, many enterprises are quickly discovering that the cost of deploying and administering a traditional PKI is far too expensive and complex for their IT departments – and budgets – to handle. In addition, the timelines for establishing PKI are simply too long to meet current deadline demands.

A major breakthrough in this area has been the development of remote access technologies integrated with a managed PKI service that enables fully protected access to a user’s desktop applications from any location. This new model – which leverages smart card-enabled technology in an ultra-portable, key-sized device to deliver security levels that meet the most stringent requirements – bridges the gap between organizational needs to fully secure their networks and user requirements for remote access and flexibility.

This article will look at the challenges of VPN in dealing with today’s security and legislative requirements. It will then review the growing importance of PKI and two-factor authentication and how new technologies are enabling the transition to this security model.

The VPN challenge
One of the emerging challenges in VPN deployment and security is the escalation of remote computing devices and random nodes appearing and attaching themselves to corporate networks. While VPNs were once well controlled, this growth has led to a management nightmare because of all the security threats that go with multiple access points.

Despite the best efforts of network security managers, VPNs are quickly becoming the most prolific source of viruses and worms on corporate networks. The crux of the problem is that, although VPNs do secure the transport layer of an enterprise, they do not necessarily secure entry points that are added at random. Any connection on the part of the user grants access to the corporate network. This means that any inadvertent use of a remote computer (e.g. a child playing an Internet game in the evening, or a random plug-in) could easily transmit malware back to the corporate network on the next login.

There have been a number of attempts to step up VPN security that have improved the cause but had only a marginal effect on overall security. For example, some have set up a VPN gateway that enforces virus scans on devices before granting or blocking access. However, anti-virus tends to be a reactive approach: if a new type of virus is detected on a connection, organizations are left scrambling to find a defense, and in the meantime the damage has already started.

Minimizing the amount of entry points is an exercise in futility for many. A VPN infrastructure by its nature is designed to provide multiple authorized users with access – even if that access is reduced to a single entry point.

Identity and Access Management
A number of identity management strategies have been tried and tested in the effort to improve VPN security. These strategies for authenticating and authorizing users with access to VPNs carry a number of pros and cons.

Some organizations have opted to implement multi-password and other challenge-response schemes, such as time limits on passwords, in an effort to lock down VPN access. A major complaint with these types of solutions is user acceptance. The number sequences are often difficult to read and punch in. For schemes where the password is changed every minute, users often run out of time before they can complete the sequence.

More often than not, any attempt at simplifying the process is typically at the cost of security, which is the challenge that has been plaguing enterprises for years. For example, some managers have tried to address the complexity issue by embedding “soft” tokens on laptops or desktops that automatically generate and/or submit a password. Yet this approach creates another kind of security issue if the laptop is lost or stolen, or someone copies software from those machines to plan an attack.

Issuing fobs or tokens for user identification also creates security challenges. These solutions can leave organizations vulnerable to man-in-the-middle attacks. If properly orchestrated, hackers could intercept the password entry from the fob, appearing to connect legitimately to the system.

The Promise of PKI
PKI has been acknowledged by the industry to be one of the most effective authentication services, because it provides flexible and scalable access control, while providing the extra measures needed to identify and authorize users and applications. A key attraction of PKI is the ability to integrate two-factor authentication to confirm that the user is indeed who they claim to be, as well as to determine the information they are permitted to access. PKI is effective because it uses two mathematically related asymmetric keys (one public, one private). The public key, which is embedded in a digital certificate of identity, can be published and distributed, while the private key remains secret. Each party in the transaction has their own pair of keys. At the time of a transaction or the initial establishment of communications, one key can be used to verify the operation of the other. For example, the signature on a piece of information generated by a private key can be validated with the corresponding public key. Alternatively, something encrypted with a public key can be decrypted only with the matching private key.
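As an added, stand-alone illustration of the key-pair relationship described above (example code written for this page, not the article's or Route1's), the following Python uses a deliberately tiny textbook RSA pair: a signature produced with the private exponent verifies only against the matching public exponent, and data encrypted with the public exponent decrypts only with the private one.

```python
import hashlib

# Toy RSA key pair. The primes are tiny so the arithmetic is readable;
# real deployments use 2048-bit moduli plus a padding scheme (illustration only).
P, Q = 61, 53
N = P * Q                  # 3233, the public modulus
PHI = (P - 1) * (Q - 1)    # 3120
E = 17                     # public exponent (published in the certificate)
D = pow(E, -1, PHI)        # private exponent 2753: the modular inverse of E, kept secret


def digest(message: bytes) -> int:
    """Hash the message and reduce it into the key's range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D) -> int:
    """Signature = hash^d mod N; only the private-key holder can compute this."""
    return pow(digest(message), d, N)


def verify(message: bytes, signature: int, e: int = E) -> bool:
    """Anyone with the public key checks signature^e mod N == hash."""
    return pow(signature, e, N) == digest(message)


def encrypt(plaintext: int, e: int = E) -> int:
    """Encrypt a small integer (< N) with the recipient's public key."""
    return pow(plaintext, e, N)


def decrypt(ciphertext: int, d: int = D) -> int:
    """Recover the plaintext with the recipient's private key."""
    return pow(ciphertext, d, N)


def demo() -> tuple:
    """Constructed sample: sign/verify, reject a forged signature, encrypt/decrypt."""
    msg = b"grant remote access to user 42"   # constructed sample message
    sig = sign(msg)
    genuine_ok = verify(msg, sig)
    # Altering even one unit of the signature breaks the relation (RSA is a bijection mod N).
    forged_rejected = not verify(msg, (sig + 1) % N)
    secret = 1234
    roundtrip_ok = decrypt(encrypt(secret)) == secret
    return genuine_ok, forged_rejected, roundtrip_ok


if __name__ == "__main__":
    print(demo())
```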

While PKI holds the most promise in terms of network security, there are some logistical challenges to be addressed. One is lack of portability. Once a certificate is issued, the private key material is stored on and tied to a specific computing resource. If the certificate is on a particular desktop for example, users can only access that information through that one device. While it is possible to move the certificate onto another machine, this opens the door to more risk and reduces IT’s control over where material resides.

While many see PKI as the solution for securing information to meet increasingly stringent legislative requirements, it is complex and costly to implement. Building a road to PKI takes more time and up-front investment than most IT departments can afford. Putting together a proper PKI infrastructure would be difficult to accomplish in less than one year. Establishing procedural guidelines and laying the groundwork in the way of risk assessment and policy development alone are monumental tasks that can take months to complete. At the same time, there is overwhelming pressure on federal governments and enterprises to achieve the levels of security that PKI could offer within very limited time frames.

A Powerful Combination
In recent months, the cost and time issues have been addressed through the availability of managed PKI services, which can help alleviate the administrative and financial burden for government and large enterprises, while delivering the security levels required. Innovations in smart card technology have also been instrumental in addressing the portability issue. State agencies in Florida, including the State University System, the Department of Education and the Public Service Commission, to name a few, have opted to utilize this model to provide secure remote access to desktop and network resources in full compliance with the new federal mandate.

The Florida Public Service Commission, for example, has now given 45 remote users access to their desktop applications with the help of a managed PKI infrastructure. In achieving higher security levels for remote access, the agency is also able to open up more applications to remote users beyond limited email access, since data is fully protected at all times and no data is transferred over the network.

Access is enabled through devices the size of a key that can plug into any remote computing device. As smart card-enabled devices integrated with a managed PKI platform, they provide fully secure connectivity to all enterprise applications from any PC while data remains within the boundaries of the corporate firewall. This breakthrough has been instrumental in addressing the cost, complexity and portability limitations of VPN, and represents a viable and highly secure alternative that promises to have an enormous impact on how enterprise computing resources are accessed and managed.

The two-factor authentication/managed PKI model fills in a number of inherent security gaps found with VPN. For one, it reduces risk by eliminating the need to install software on remote PCs to enable access to enterprise applications. In addition, because the device connects users to the enterprise computer, no data is transferred and nothing is ever written to the hard drive of the remote device in use. When plugged in, the user is literally working on their enterprise desktop, which means data is never moved in or out of the corporation and never placed at risk. This model also allows for centralized control of security and policies within strict parameters and eliminates the risk of random access points.

Since it utilizes a tamper-resistant smart card, the key itself is fully secure and can only be activated through a two-factor authentication process (both the key and a password are required for access to the enterprise desktop resource). If it is lost or stolen, the key is completely ineffective and can be deactivated remotely if required.

With the security challenges facing government and enterprise networks today, and the recent federal mandates for laptop security, there is a compelling need to find cost-effective and easy-to-deploy solutions that meet legislative requirements while offering the flexibility to conduct business online. Rather than closing the doors to VPN access, smart card technology combined with a PKI platform is helping organizations keep the lines of communication open at a reasonable cost without putting data at risk.

About the Author:
Jerry Iwanski is Chief Technology Officer at Route1 (www.route1.com).

© IMPIRE Communications, LLC All Rights Reserved.  