Security Watch
Securing Remote Data Access
Smart cards and tokens add layers of authentication protection.
- By Roberta Bragg
- 09/27/2004
How do you provide mobile employees secure access to their data,
without providing a possible pathway for intruders?
To approach the problem, you need to avoid buying or implementing
a solution until you've defined what you want. That may mean a survey
of the current cutting-edge technologies, after which you make a
shopping list, and then judge solution providers by how close they
come to your goal.
For convenience, I've divided the challenges of remote data access
into three parts. First, the data center must be secure. It won't
do you much good to lock down the remote connection if anyone can
walk into the data center and out again with a disk, or with a copy
of the data on a drive of their own.
Second, the other side of the connection — the user's laptop
— needs to be locked down and protected from theft.
Finally, your remote users must be able to access resources from
anywhere at any time, over a secure connection. This piece of the
puzzle is the one on which the other two may hinge. Here are the
major things to look for:
- Encryption: data in flight must be
kept confidential
- Authentication: reduce the risk that
someone else can pretend to be one of your remote users
- Integrity: data must not change when
traveling from point to point
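The second and third items on that list are separate properties, and a connection that has only the first can still be attacked. The following added example (mine, not part of the original column) shows why: a message is protected with encryption alone, an on-path attacker who knows the field layout changes an amount without the key, and the same change is caught once an integrity tag is added. The keystream is HMAC-SHA256 in counter mode, chosen only so the example runs on the Python standard library; the keys, nonce and message are constructed for the demo and do not represent any real VPN's cipher suite.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo keys. A real VPN derives fresh keys per session during its
# handshake; these fixed values only keep the example reproducible.
ENC_KEY = b"demo-encryption-key-000000000001"
MAC_KEY = b"demo-integrity-key-0000000000001"
TAG_LEN = 32  # bytes of HMAC-SHA256 appended to each sealed message


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as an illustrative stream cipher.

    This is not a standard cipher; it stands in for the tunnel's bulk encryption
    so the example runs on the Python standard library alone.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_only(plaintext: bytes, nonce: bytes) -> bytes:
    """Confidentiality only: XOR the plaintext with the keystream."""
    stream = _keystream(ENC_KEY, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def decrypt_only(ciphertext: bytes, nonce: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return encrypt_only(ciphertext, nonce)


def seal(plaintext: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by HMAC-SHA256 over nonce || ciphertext."""
    ct = encrypt_only(plaintext, nonce)
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(blob: bytes, nonce: bytes) -> Optional[bytes]:
    """Check the tag first and refuse to decrypt anything that was modified."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return decrypt_only(ct, nonce)


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """What an on-path attacker can do without the key: XORing (old ^ new) into
    the ciphertext at a known field offset changes the decrypted field from old
    to new, because the keystream cancels out."""
    mutated = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        mutated[offset + i] ^= o ^ n
    return bytes(mutated)


def demonstrate() -> dict:
    """Run both variants against a constructed message and return what each side sees."""
    nonce = b"\x00\x00\x00\x00\x00\x00\x00\x01"   # per-message nonce; never reuse with one key
    message = b"transfer=0010 to=alice"           # constructed sample message
    offset = message.index(b"0010")

    # 1. Encryption alone: the attacker changes the amount and nobody notices.
    ct = encrypt_only(message, nonce)
    forged = decrypt_only(tamper(ct, offset, b"0010", b"9999"), nonce)

    # 2. Encryption plus an integrity tag: the same modification is rejected.
    blob = seal(message, nonce)
    rejected = open_sealed(tamper(blob, offset, b"0010", b"9999"), nonce)

    return {
        "round_trip": decrypt_only(ct, nonce),          # b"transfer=0010 to=alice"
        "forged_plaintext": forged,                     # b"transfer=9999 to=alice"
        "sealed_round_trip": open_sealed(blob, nonce),  # b"transfer=0010 to=alice"
        "tampered_sealed": rejected,                    # None: receiver drops the message
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value!r}")
```

The forged plaintext decrypts cleanly with no error, which is the point: confidentiality says nothing about whether the bytes arrived unchanged. A real tunnel gets the integrity check from its authenticated cipher or MAC, and the receiver must verify it before acting on anything in the packet.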
The key is how authentication is managed. It doesn't matter if
the encryption is solid if anyone can guess or crack a password.
Although I'm willing to use a very long password to reduce that
risk, there are better ways to secure authentication. I'm thinking
chiefly of smart cards or tokens.
A smart card solution would be great. If I were implementing it
for an organization, I'd use Windows Server 2003 Enterprise Edition
(customizing certificate templates requires an Enterprise Edition CA),
a protected Certification Authority (CA) infrastructure, native
smart card support, VPN and trick out my users' laptops.
If properly implemented, server and laptop authenticate each other
with certificates, and the connection is secured end-to-end. Because
the Certificate Services Web pages include a smart card enrollment
station, certificates can be issued to users' cards without a separate
enrollment product (in practice a designated enrollment agent, holding
an Enrollment Agent certificate, enrolls on each user's behalf after
verifying identity). Because the certificate template can be restricted
so that only authorized accounts can enroll for it, and the private key
is generated on and never leaves the card, an intruder has no easy way
to obtain a usable credential.
Since a secure smart card implementation depends on a secure public
key infrastructure (PKI), the solution's security depends on solid
organizational policy, having trained and experienced IT staff,
the right equipment and software and maintaining ethical practices.
If you're contemplating this scenario, start with some research
on PKI and smart cards. Take a look at Microsoft course 2821 "Designing
and Managing a Windows Public Key Infrastructure."
Another good alternative is tokens. Both smart cards and tokens
can be used for wired LAN, wireless and VPN logons. Their trust roots
differ, though: a smart card deployment depends on a secure PKI, while
a one-time-password token depends on a secret seed shared between the
token and the authentication server, so the server's seed records need
the same protection you would give a CA's private key. Both give you
two-factor authentication (something you hold plus a PIN); a token adds
a time-limited code that changes constantly, so a code captured by a
keystroke logger or a shoulder-surfer is worthless once its window has
passed.
A key component of time-synchronized tokens, such as RSA SecurID,
is that the token and the server must stay in sync. Each side generates
the current code independently, from the shared seed and its own clock,
so the two agree as long as the clocks do. The code is valid only for
a short window, and the user must enter it (together with a PIN) before
it rolls over; a well-designed server also refuses to accept the same
code twice. Thus, the number itself becomes part of the authentication
process.
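To make the synchronization concrete, here is an added example (mine, not RSA's code or anything from the original column) of both sides of a time-synchronized token: the token computes a code from a shared seed and its clock, and the server recomputes it, tolerates one step of clock drift, and refuses a code that has already been accepted. The code algorithm is the public RFC 6238 TOTP construction (HMAC-SHA1 with dynamic truncation), used here as a stand-in for a vendor's proprietary token algorithm; the seed, the 30-second step, the timestamps and the class names are all constructed for the demo.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo seed. In a real deployment the seed is loaded into the token
# at manufacture and imported into the authentication server; it is never typed
# by the user and never travels over the network.
DEMO_SEED = b"demo-seed-not-for-production-001"
STEP_SECONDS = 30     # lifetime of one code; hardware tokens commonly use 30 or 60 s
DIGITS = 6
ALLOWED_DRIFT = 1     # accept codes from one step either side to absorb clock drift


def otp_at(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based one-time password per RFC 6238 (HMAC-SHA1 + dynamic truncation).

    Used here as a public stand-in for a vendor's proprietary token algorithm:
    the code depends only on the shared seed and the current time step, which is
    why token and server can compute it independently and still agree.
    """
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class Token:
    """The device in the user's pocket: knows the seed and its own clock."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def display(self, now: Optional[int] = None) -> str:
        return otp_at(self._seed, int(time.time()) if now is None else now)


class AuthServer:
    """The server side: same seed, its own clock, and a record of used codes."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._last_accepted_step = -1

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for drift in range(-ALLOWED_DRIFT, ALLOWED_DRIFT + 1):
            step = current + drift
            if step <= self._last_accepted_step:
                continue      # that window's code was already consumed: treat as replay
            expected = otp_at(self._seed, step * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                self._last_accepted_step = step
                return True
        return False


def demonstrate() -> dict:
    """Walk a constructed timeline and return the server's decision at each point."""
    t0 = 1_700_000_100                       # constructed timestamp on a 30 s boundary
    token, server = Token(DEMO_SEED), AuthServer(DEMO_SEED)
    code = token.display(t0)                 # what the user reads off the token
    return {
        "entered_promptly": server.verify(code, t0 + 5),                     # True: same window
        "entered_again": server.verify(code, t0 + 10),                       # False: replay
        "slight_clock_drift": AuthServer(DEMO_SEED).verify(code, t0 + 35),   # True: one step late
        "entered_too_late": AuthServer(DEMO_SEED).verify(code, t0 + 150),    # False: expired
    }


if __name__ == "__main__":
    for name, decision in demonstrate().items():
        print(f"{name}: {decision}")
```

Two details matter operationally. The drift window is what keeps a token usable when its clock wanders a little, and it is also why the server must remember the last accepted step: without that record, the same code could be replayed for the length of the whole window. And because everything hangs off the shared seed, the server's seed store is the crown jewel of a token deployment in the same way the CA's private key is for smart cards.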
Details of how to use RSA's solution in conjunction with Microsoft's
Internet Authentication Service (IAS) are in the white paper "Enterprise
Deployment of Wireless & Remote Access with RSA SecurID and
Microsoft Internet Authentication Service." Find it at http://snipurl.com/9bkj.
Now you've got the start of a specification. I'd be interested
in hearing from you if you've built a remote access solution like
this, or if you offer a protected data storage service to the public.
About the Author
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP, is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.