Security Architecture - Beyond Passwords?

a voice in the crowd asks: "We're investigating different PKI technologies to introduce support for strong authentication, single sign-on and secure messaging. There seems to be a broad range of both companies and approaches out there. I'm looking for success and horror stories from those who have taken point on this issue. Your help is appreciated." Read on for more information on what is being evaluated and the critical questions being asked.

"Some of the pieces currently under review include:

• Verisign's Onsite Lite
• USB Token holders (aladdin, hasp, etc)
• smart cards

Some of our questions include:

• What headaches is key recovery going to be?
• Is there any meaningful long-term competition?
• How reliable is the hardware once deployed?
• How is vendor support?
• Is the integration with Win2k, Notes, etc both functional and seamless?
• What policy administration issues do we need to be aware of?
• What best-practice documents are available?
• How locked in will we be?
• Will our Blackberry 5810's grok the secured messages, and if so do they represent a point of vulnerability for the certificates?
• Can we enforce non-trivial PINS
• What changes to your help desk workload and practices have resulted?

Most importantly, Do the users like it?"

Some traps

[XoXus]

What headaches is key recovery going to be?

Are you sure you want this? Chances are you don't. Perhaps what you really want is key resetting.

Can we enforce non-trivial PINs

Be careful of the scope with this. You might want to ban affine PIN sequences (e.g. "1234", "3579", etc.), but if you ban too many things it will massively reduce the keyspace, making brute-force attacks easier.

An interesting approach to PIN "goodness" that I just thought up would be to look at the (algorithmic information theory) complexity of the string. This would also easily generalise to whole passwords, too.

Just remember that the weakest point in your security is almost certainly going to be the people involved. An ultra high-tech security door is no good when someone leaves the side window open.

Remeber the users.

[Neck_of_the_Woods]

We deployed, then yanked it right back out. I am not going to bore you with the product, because it really does not make a difference.

After deploying the secure solution, which worked just as promised and proposed to everyone. In fact it worked very well, it was still yanked. Why you ask? Ever tried to take something from someone they have had for over 2 years? Ok multiply it by 600 people. Take those 600 people and have thier managers bitch about having these things taken away from them, then have thier manager bitch, and on up the chain until it gets to the CIO that folds like a little kid with a skinned knee.

What am I trying to say here? Get approval in writing. Make it known what your going to do as soon as you can. Let them know 4 months ahead of time if you can(not 2, because that seem not to be enough). Lay it all out, get it all on the table, and get them to replay with issues, bitches, etc... Of course they are not going to call you until it goes in, but at least for 4 months they where told, warned, and when it comes it is not a surprise.

People by nature ignore what they don't want to hear, and say they never heard it. Say it 30 times. Make sure your CIO has a backbone, and get ready for a war. I hope you don't waste 2 weeks like we did. Good luck.