White Paper

Simplifying Security with Datakey Axis Single Sign-On

Copyright and trademark notice

© 2003 Datakey Inc. All rights reserved. Version 1.0. No part of this document may be reproduced or retransmitted in any form or by any means electronic, mechanical, or otherwise, including photocopying and recording for any purpose other than the purchaser's personal use without written permission of Datakey, Inc. Datakey is a registered trademark of Datakey, Inc. Datakey Axis and Rapid Deploy Technology are marks of Datakey, Inc. Microsoft is a registered trademark of Microsoft Corporation. Windows, Windows 2000, and Windows XP are registered trademarks of Microsoft Corporation.

Datakey Axis Single Sign-On White Paper

Introduction

Passwords aren't going away anytime soon. In a recent survey by Information Week magazine, over 90% of U.S. companies reported that passwords were their primary method of access control. This number has changed very little over the years despite the myriad of strong authentication access control products available on the market. Why do passwords continue to have such predominance in the industry, even with all the vulnerabilities, user frustrations, and management costs associated with them? Because passwords have become embedded in our social and corporate cultures: moving away from password-based systems would require a major shift in both our social ideology and in our corporate infrastructures.

This white paper takes a closer look at the password dilemma and at the access control alternatives that have been used in an attempt to replace passwords. It then introduces Datakey Axis™, a new product by Datakey, Inc. Datakey Axis uses automated Single Sign-On (SSO) enabling technology (patent pending) and integrated smart card and USB token technology to provide the broadest application coverage while reducing the administrative burden, cost, and user pain associated with password-based access controls. All this is provided while enhancing security and increasing user productivity.

Surveying the Access Control and Single Sign-On Landscape

Passwords aren't free. As the number of applications that each user must access increases, the cost associated with managing these passwords and their impact on the user keeps rising. IT organizations are confronted with the following realities surrounding the use of passwords:

• The number of systems, Web sites, networks, applications, etc. requiring user name/password authentication is increasing. Users are confronted with a growing list of passwords to remember.

• Passwords are subject to sniffing, sharing, brute force attacks, dictionary attacks, theft, social engineering, personal information gathering, and just plain guessing.

• Strong password policies are difficult and costly to enforce. A strong password typically consists of a random set of characters, is at least 8 characters long, and is changed frequently. However, the more complex the password, the harder it becomes to remember. Users either end up writing down their passwords and saving them someplace for easy access (completely undermining security) or they forget them, requiring a call to the help desk to reset their password. Significant industry statistics indicate that 30% - 50% of a help desk's resources are consumed in managing and resetting passwords.

• End-user resistance to strong passwords remains a major obstacle. Unless this obstacle can be removed, passwords will continue to be abused and will continue to pose a serious security vulnerability.

• Government regulations being imposed on certain organizations are requiring their respective IT organizations to impose better access control mechanisms. At a minimum these regulations will require the enforcement of stronger password policies. Some of these regulations are listed below.

Gramm-Leach-Bliley Act, Title V: Requires financial institutions to have a written, comprehensive security policy to protect the security and confidentiality of a customer's non-public, personal information.

Health Insurance Portability and Accountability Act of 1996 (HIPAA): Requires that health service providers ensure the security and privacy of healthcare information.

Sarbanes-Oxley Act of 2002: Requires more stringent reporting requirements, mandating internal technology controls on financial reporting systems.

In response to the need to address the realities associated with passwords, a variety of access control products have become available over the past several years that have displaced traditional passwords with other, stronger authentication mechanisms. Examples include dynamic (one-time use) passwords, digital certificates, biometrics, symbol manipulation, and cookies. One goal of these products, in addition to enhanced security, is the attainment of a single sign-on solution in which the user only has to authenticate him/herself once during a session. However, the acceptance of these single sign-on solutions has not been universal because they have not adequately dealt with a variety of objections. These objections are the primary reason that passwords retain their widespread use. Table 1 describes a variety of approaches that are employed by existing products and the objections that restrain their widespread deployment.

Table 1: Single sign-on approaches and objections

Approach: Password Synchronization
Objections:
• Limited SSO application coverage. Each application or server needs an agent installed on it.
• Single point of weakness. Use of the same password for all applications reduces security.
• Strong password must still be memorized.
• Limited to password-based security levels.
• Must still enter a password for each access request.

Approach: Authentication Server
Objections:
• Limited SSO coverage. Agents need to be installed on each application, host and server. Also, solutions are generally limited to network, VPN, and remote access authentication.
• Tokens, which are bulky and inconvenient to carry, are limited to providing a single security function.
• Need to configure separate server(s) and often separate user databases.
• Time consuming for the user to generate and enter a one-time password response.
• Complex management.
• Expensive recurring costs.

Approach: Web Access Management
Objections:
• Provides SSO coverage for Web enabled applications only.
• Requires Web server and/or application plug-ins to be installed.
• Need to configure separate server(s).

Approach: Proximity (RFID) Card
Objections:
• Single factor (weak) authentication.
• Expensive reader technology.
• Servers need to be installed and configured.
• Reliability issues exist when multiple card holders are in close proximity.

Approach: Certificate-based
Objections:
• Requires a PKI to be installed (complex and expensive).
• Private key protection is always a concern.
• Growing but still limited set of applications are PKI enabled.

Approach: Traditional Client-based Approach
Objections:
• Weak credential protection with software based security or memory smart cards and tokens.
• No central management control. The end-user controls password management.
• Scripting often required for expanded application coverage imposing time and expertise demands on IT resources.

Simplifying Security and Single Sign-On

Single sign-on solutions do not have to be complex, limited in their application coverage, or a burden on the end user. The single sign-on solution that IT is looking for and which removes the objections to existing products is here today. It is Datakey Axis, which provides IT with:

• Comprehensive SSO application coverage.

• Centralized management of application access and password policy.

• Simple and fast set-up and deployment, not requiring an IT project.

• Acceptance by the user community, removing the burden from the user to remember or manage multiple passwords.

• Enhanced security with two-factor authentication and automated enforcement of strong password policies.

• Immediate cost savings that will allow deployment within existing budgets.

Datakey has made this simplified security and single sign-on solution possible with the integration of two key technologies: Datakey's smart card technology and Datakey's Rapid Deploy Technology™. Each of these technologies is discussed in detail in the following sections.

Smart Card Technology

Smart card technology is now a mature technology that has opened up tremendous new opportunities for enhancing and simplifying security solutions. Because of their familiar and acceptable form factor (either a credit card-sized card or a USB token), their processing power and storage capacity, and their certified mechanisms for securing digital credentials and other data, smart cards are becoming a preferred approach for securing access to on-line services and applications. Microsoft has validated this belief with their greatly expanded smart card support in Windows 2000, Windows XP, and the Windows Server 2003 product suites. A smart card (and its USB token equivalent) is a hardware device that is used to store private information. The information stored on the smart card cannot be accessed unless the owner of the card logs on to the card with a pass phrase or PIN, much the same way a person enters a PIN to use an ATM card. Smart cards enable what is known as "two-factor" security: something that you have (the smart card) and something that you know (the passphrase). Two-factor security controls access to the card's cryptographic functions and private information.

Typically, smart cards have only been deployed as vehicles to provide secure storage for private keys and certificates in PKI and VPN environments. Cryptographic smart cards have been the perfect complement to VPN solutions for enterprises that needed secure remote access to enterprise networks. However, multi-function smart cards, such as those provided by Datakey, have many additional capabilities that enable stronger, yet simpler, security solutions while providing organizations with increased value-add and benefits. Some of these benefits include:

• Security: Independently certified protection (FIPS 140-2 Level 2) for your private information.

• Portability: Your digital credentials and private information go wherever you go.

• Flexibility: A smart card can be used to store a variety of information and be used for a variety of security functions such as cryptographic functions, credential storage, physical access control and logical access control.

• Simplicity: Your many passwords can be stored securely on a single smart card. In addition, you are less likely to lose a smart card than forget a password.

• Ease of use: Simple insertion of a smart card into a reader and the entry of a passphrase unlocks a variety of automated security functions when used in conjunction with Datakey Axis.

• Upgradeability: Smart cards are easily upgraded to support biometrics, PKI and other security functions without needing to replace existing user cards.

Datakey’s Rapid Deploy Technology

Datakey's Rapid Deploy Technology features an intuitive drag and drop "training" mechanism (patent pending) for collecting the intelligence needed for recognizing the application login or change password dialogs. It forwards that intelligence into an "information store" for use by the user client software. This "training" process incorporates technology and processes that are unique in the industry and that have the ability to address the various types of GUI technologies employed by applications without being dependent upon costly and time-consuming scripting. This provides the administrator with the ability to rapidly set up single sign-on coverage for all applications.

Datakey's Rapid Deploy Technology also integrates additional technologies to address IT's need for simplicity, cost reduction, and user transparency. These additional technologies include:

• A client-based architecture that does not require any applications or hosts to be "touched" by agents or plug-ins, or for new server components to be installed and maintained.

• The leveraging of the Microsoft Installer (MSI) installation standard for easy and automated deployment and automated updates of policy client software.

• The centralized management of application access privileges and of credential and software update maintenance.

Datakey Axis is the first product to tap into the full potential of smart card technology and redefine the way smart cards are used, enhancing the strength of security solutions and bringing simplicity to all involved (administrators and end users).

The Datakey Axis Solution

General capabilities

Datakey Axis is a smart card-based solution that simplifies access control. Organizations that are not in a position to displace their current password-based security infrastructure, but who need relief from the cost of managing these passwords, can get that relief while at the same time enhancing security with automatic enforcement of stronger password policies. Additionally, with Datakey Axis, you can take advantage of a variety of additional uses for smart cards within your organization, both in PKI and non-PKI environments. An organization may wish to enhance their password-based access control within their current non-PKI environment, but leave open the possibility for migrating to a PKI-based access control solution or a biometrics solution in the future. Datakey Axis allows this migration to occur with ease. It also enables an organization to use the same smart card for employee badging and/or facility access control purposes.

Single Sign-On capabilities

Datakey Axis provides one of the simplest, and broadest application coverage, single sign-on solutions available on the market. It allows a user to log on to their smart card and then never have to worry about entering another user name and password. The user names and passwords are all stored securely on the user's smart card and automatically retrieved as needed when the user requires access to a service or application. The Datakey Axis client software has the intelligence to recognize the login dialog box for each application. It automatically retrieves the necessary login information from the smart card, enters the information into the proper fields, and then submits the login response on behalf of the user. If a change password dialog appears, this too is automatically recognized by Datakey Axis. A random, strong password is generated and stored as the new password on the user's smart card. The user no longer needs to remember (or even know) their passwords, since they are managed automatically without user involvement.

With Datakey Axis, users are given an access control solution that enables them to be a security advocate. The user no longer needs to write down passwords, put sticky notes on the PC monitor, or pack their wallets with critical organization security codes. The only item in their wallets or on their desks is a secure, tamper proof smart card.

How Datakey Axis Works

Datakey Axis is a client-based product that an administrator can configure and install from his/her workstation. A powerful Datakey Axis Management Center allows the administrator to easily integrate with Microsoft Active Directory for user/group definitions and to bind them to the applications they are allowed to access. The Microsoft Certificate Authority is also automatically engaged if digital certificates are needed. Support for additional Directories and Certificate Authorities is planned in the near future.

The Datakey Axis Policy Client software that is installed on the user's workstation is pre-configured by the administrator with the permitted functionality plus application access privileges. The Datakey Axis Management Center includes patent-pending "training" technology that enables the administrator to use a simple drag-and-drop process to interrogate the login and change password screens for each application and insert the captured intelligence into the user's Policy Client software. This enables the client software to automatically recognize the login and change password screens for each application, retrieve the appropriate user credentials from the smart card, insert them into the appropriate fields and submit the response back to the application. Once the user's Policy Client software is pre-configured it is then automatically distributed for installation on the user's workstation via Microsoft GPO, SMS, or some other 3rd party MSI-compliant distribution tool. The end-user is left with a simple initial enrollment process that captures their existing application login information. All subsequent access control needs are automatically provided for via the smart card and Datakey Axis.
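The flow described in the Smart Card Technology section (a PIN unlocks the card before any stored secret is readable), the strong-password policy listed earlier (random characters, at least 8 long, changed frequently) and the client behaviour described above (match a trained login or change-password dialog, fill it from the card, and write a freshly generated password back on a password change) can be modelled in a few dozen lines. The following Python is an added illustration, not Datakey's code; the class and function names, the dialog "signature" format, the character-class policy and the three-try PIN limit are assumptions made for the example, and the application template and credentials are constructed sample data.

```python
# Added illustration, not Datakey's code: a minimal model of the client-side SSO
# flow the paper describes. Names, the dialog signature format, the password
# character-class policy and the PIN retry limit are assumptions.
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

# Classes a generated password must draw from (assumed policy; the paper only
# requires "random", "at least 8 characters" and frequent change).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#$%&*+-=?@_")

def generate_strong_password(length: int = 16) -> str:
    """Random password containing at least one character from every class."""
    if length < 8:
        raise ValueError("policy minimum is 8 characters")
    chars = [secrets.choice(cls) for cls in CLASSES]  # one pick per class
    chars += [secrets.choice("".join(CLASSES)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # hide where the per-class picks sit
    return "".join(chars)

def meets_policy(pw: str) -> bool:
    return len(pw) >= 8 and all(any(ch in cls for ch in pw) for cls in CLASSES)

@dataclass
class CardStore:
    """Stand-in for the PIN-protected smart card container (assumed behaviour)."""
    pin_hash: bytes
    creds: dict = field(default_factory=dict)
    unlocked: bool = False
    failed_attempts: int = 0
    MAX_ATTEMPTS = 3  # assumed retry limit before the card refuses any PIN

    @classmethod
    def new(cls, pin: str) -> "CardStore":
        return cls(pin_hash=hashlib.sha256(pin.encode()).digest())

    def unlock(self, pin: str) -> bool:
        """Something you know: the PIN releases the secrets on the card."""
        if self.failed_attempts >= self.MAX_ATTEMPTS:
            return False
        if hmac.compare_digest(self.pin_hash, hashlib.sha256(pin.encode()).digest()):
            self.unlocked, self.failed_attempts = True, 0
            return True
        self.failed_attempts += 1
        return False

    def get(self, app: str) -> tuple:
        if not self.unlocked:
            raise PermissionError("card is locked")
        return self.creds[app]

    def put(self, app: str, username: str, password: str) -> None:
        if not self.unlocked:
            raise PermissionError("card is locked")
        self.creds[app] = (username, password)

# Result of the administrator's "training": the window title and field names
# that identify each application's login and change-password dialogs (constructed).
TEMPLATES = {
    "payroll": {
        "login": {"title": "Payroll - Log On", "fields": ("User ID", "Password")},
        "change": {"title": "Payroll - Change Password",
                   "fields": ("Old Password", "New Password", "Confirm")},
    },
}

def handle_dialog(card: CardStore, dialog: dict):
    """Return the values the client would type into the dialog, or None."""
    for app, kinds in TEMPLATES.items():
        for kind, tmpl in kinds.items():
            if dialog["title"] != tmpl["title"] or tuple(dialog["fields"]) != tmpl["fields"]:
                continue
            username, password = card.get(app)
            if kind == "login":
                return dict(zip(tmpl["fields"], (username, password)))
            new_pw = generate_strong_password()  # change-password dialog: rotate
            card.put(app, username, new_pw)  # the user never sees the new value
            return dict(zip(tmpl["fields"], (password, new_pw, new_pw)))
    return None

def demo() -> dict:
    """One user session: enroll a legacy password, log in, then rotate it."""
    card = CardStore.new("1234")
    card.unlock("1234")
    card.put("payroll", "jdoe", "Winter2003")  # captured at initial enrollment
    login = handle_dialog(card, {"title": "Payroll - Log On", "fields": ["User ID", "Password"]})
    change = handle_dialog(card, {"title": "Payroll - Change Password",
                                  "fields": ["Old Password", "New Password", "Confirm"]})
    return {
        "login": login,
        "change": change,
        "confirm_matches": change["New Password"] == change["Confirm"],
        "new_meets_policy": meets_policy(change["New Password"]),
        "rotated_on_card": card.get("payroll") == ("jdoe", change["New Password"]),
        "unknown": handle_dialog(card, {"title": "Notepad", "fields": []}),
    }

def lockout_demo() -> tuple:
    """Three wrong PINs exhaust the retry limit; the right PIN is then refused."""
    card = CardStore.new("1234")
    return tuple(card.unlock(p) for p in ("0000", "1111", "2222", "1234"))
```

Two design points carry over to any real deployment of this pattern: the new password is generated with a CSPRNG and never shown to the user, so it cannot be written down, and every credential read goes through the PIN gate, so a lost card without its PIN yields nothing. A real card would also enforce the retry limit in hardware rather than in client software, and would match dialogs on more than a title and field list.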

Because the Datakey Axis architecture and design is built upon proven smart card technology, Datakey Axis is able to remove the objections encountered with other SSO products.

Table 2 summarizes the many features and benefits of Datakey Axis.

Table 2: Datakey Axis Features and Benefits

Feature: Comprehensive single sign-on coverage. Virtually all Windows, Java, custom, mid-size/mainframe applications as well as internet and intranet sites.
• Win32, Java and HTML GUIs
• Citrix/Terminal Server
• Terminal emulators

Benefits:
• Reduced administration costs - a single product supports SSO to all applications.
• Increased security with the ability to enforce a consistent and strong password policy across all applications.
• Increased user productivity by reducing the number of passwords a user needs to remember to one (no longer a need to write them down).
• Drastic reduction to the Help Desk resource burden for resetting passwords.

Feature: Rapid Deploy Technology that provides:
• Patent pending drag & drop administrator control (and optional user control) of client software training for automated applications login.
• Client based architecture that works out of the box.
• Windows installation standards (MSI) compliant automated deployment.
• Centralized management with administrator control over application access.

Benefits:
• Simplified deployment (does not require an "IT Project"). Also, provides an ROI in 6 - 12 months.
• Reduced cost of deployment and maintenance - no additional servers or agents/plug-ins to install and is non-intrusive to existing infrastructure.
• Centralized management control of password policy enforcement and application access.
• Increased user productivity with transparent automated updates of client software and user credentials.
• Reduced deployment costs with highly automated set-up and installation.

Feature: Integrated smart card technology that provides:
• Certified (FIPS 140-2 Level 2) secure containers for user credentials and data.
• Multi-function flexibility
• Non-PKI and PKI environments
• Easy integration with physical access security systems

Benefits:
• Security solution flexibility and portability.
• Easy migration paths from passwords to stronger access control solutions such as PKI and biometrics.
• Enables use of a single ID badge for building and computer access.

Conclusion

Previous access control products have not adequately addressed the needs of IT organizations for a single sign-on solution that is simple and fast to deploy, enhances security, removes user resistance and is able to integrate with existing access control infrastructures. Passwords will continue to be the primary means of access control, despite all their deficiencies, because they are so deeply entrenched into the infrastructure and culture. Therefore, rather than attempt to replace them, access control products must embrace them and remove the deficiencies surrounding them.

Datakey Axis has been designed just for this purpose. Its client-based approach leverages the strengths of smart card technology to enhance security while removing the user burden of having to remember numerous and complex passwords. Datakey Axis is easy and fast to deploy, doesn't impact server software management, and provides the administrator with centralized control of access to applications and the enforcement of strong password policies. The mixture of technologies integrated by Datakey Axis makes it the ideal single sign-on solution for most organizations.

Table 2 (continued): Datakey Axis Features and Benefits

Feature: Automated credential management that provides:
• Automated password changes
• Automated updates of user credentials and client software.
• Automated and transparent PKI certificate issuance

Benefits:
• Drastically reduced administrative costs to manage and enforce password changes.
• Reduced security vulnerabilities with automated strong password changes.
• No impact on your users resulting in increased user productivity

Feature: SSO support for multiple authentication mechanisms:
• User name and Password
• PKI Digital Certificates
• One-time passwords
• Biometrics

Benefits:
• Preserves investment in tokens and software as organizations add new applications and authentication mechanisms
• No user impact to migrate to PKI-enabled applications

Feature: Standards-based implementation:
• ISO 7816
• GSC-IS V2.1
• PKCS #11 V2.0
• Microsoft CAPI V2.0
• Microsoft MSI
• PC/SC

Benefits:
• Ease of integration and interoperability with other infrastructure components

Datakey Corporate Headquarters 407 West Travelers Trail Minneapolis, MN 55337-2558 Phone: (952) 890-6850 Toll-free: 1-888-328-2539 Fax: (952) 890-2726 Web: www.datakey.com E-mail: [email protected]
