Securing Remote Data Access
Smart cards and tokens add layers of authentication protection.
How do you provide mobile employees secure access to their data,
without providing a possible pathway for intruders?
To approach the problem, you need to avoid buying or implementing
a solution until you've defined what you want. That may mean a survey
of the current cutting-edge technologies, after which you make a
shopping list, and then judge solution providers by how close they
come to your goal.
For convenience, I've divided the challenges of remote data access
into three parts. First, the data center must be secure. It won't
do you much good if the remote connection is locked down, but anyone
can walk right in and out with a data drive or stolen data on their
own hard drive.
Second, the other side of the connection — the user's laptop
— needs to be locked down and protected from theft.
Finally, your remote users must be able to access resources from
anywhere at any time, over a secure connection. This piece of the
puzzle is the one on which the other two may hinge. Here are the
major things to look for:
- Encryption: data in flight must be
- Authentication: reduce the risk that
someone else can pretend to be one of your remote users
- Integrity: data must not change when
traveling from point to point
The key is how authentication is managed. It doesn't matter if
the encryption is solid if anyone can guess or crack a password.
Although I'm willing to use a very long password to reduce that
risk, there are better ways to secure authentication. I'm thinking
chiefly of smart cards or tokens.
A smart card solution would be great. If I was implementing it
for an organization, I'd use Windows Server 2003 Enterprise Edition,
a protected Certification Authority (CA) infrastructure, native
smart card support, VPN and trick out my users' laptops.
If properly implemented, the server will authenticate via certificate
with the laptop, and the connection can be secured end-to-end. Because
smart card enrollment can be done via the Certificate Services Web
interface, users can obtain smart cards for themselves. Because
smart cards can use custom-tweaked certificates that are restricted
to authorized individuals, it will be difficult for an intruder
to get one.
Since a secure smart card implementation depends on a secure public
key infrastructure (PKI), the solution's security depends on solid
organizational policy, having trained and experienced IT staff,
the right equipment and software and maintaining ethical practices.
If you're contemplating this scenario, start with some research
on PKI and smart cards. Take a look at Microsoft course 2821 "Designing
and Managing a Windows Public Key Infrastructure."
Another good alternative is tokens. Both smart cards and tokens
can be used in wired LANs, wireless and VPN solutions, and both
require a secure PKI implementation. Tokens, however, can add additional
safeguards. Smart cards provide two-factor authentication; tokens
can layer in another requirement.
A key component of some tokens, such as RSA
SecureID, is that they require synchronization between server
and client. Numbers are generated independently at both computers
but are guaranteed to match. The number must be entered on the client
within a short period of time in order to match the one on the server.
Thus, the number becomes part of the authentication process.
Details of how to use RSA's solution in conjunction with Microsoft's
Internet Authentication Service (IAS) are in the white paper "Enterprise
Deployment of Wireless & Remote Access with RSA SecureID and
Microsoft Internet Authentication Service." Find it at http://snipurl.com/9bkj.
Now you've got the start of a specification. I'd be interested
in hearing from you if you've built a remote access solution like
this, or if you offer a protected data storage service to the public.
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.