Identity Management, Authentication Shine At RSA


February 25, 2004

Network Computing

Identity management and authentication may not be the sexiest topics in security -- not during times when malicious worms and viruses are nearly constant threats -- but the former two grabbed the spotlight at the RSA Conference Tuesday.

Sun Microsystems, for instance, took the unusual step of offering up an enterprise-wide identity manager for Microsoft Windows environments. Sun, a fierce rival of Microsoft, has often been at odds with the Redmond, Wash., developer over issues ranging from Java to competing business productivity suites.

Sun Identity Manager for Windows, based on technology Sun acquired in its November 2003 purchase of Waveset Technologies, lets organizations centralize the administration and synchronization of user identities across an enterprise's application environments, said Sun.

The new software, which went by Lighthouse when it was sold by Waveset, offers identity provisioning, and password and directory management capabilities for Microsoft products. It integrates with a host of Microsoft identity-enabled software, including Active Directory, Active Directory Application Mode (ADAM), Microsoft Identity Integration Server (MIIS), Windows 2000 Server, Windows Server 2003, SQL Server, and Exchange.

Sun's Java Enterprise System, which includes the Java System Identity Server, will integrate Sun Identity Manager for Microsoft in future versions, according to Sun executives at RSA.

ID Analytics, meanwhile, used the conference to launch an identity risk management solution that promises to prevent all types of identity-related fraud both within the enterprise and among a company's customers. The new Identity Risk Management Suite consists of four separate modules which automate the process of authenticating suspicious identities, assess risk before opening a new customer identity account, and pinpoint possible identity fraud. The suite relies on ID Analytics' global network of identity fraud indication detectors, which adds hundreds of thousands of new indicators each day, said the company.

On the authentication front, the big news from the 150-vendor RSA Conference was the announcement of a partnership between show sponsors RSA Security and Microsoft to lock down Windows with a two-factor authentication token.

Rather than simply enter usernames and passwords -- the default authentication scheme Windows users apply to gain access to, say, a desktop or laptop PC, or the corporate network -- the new authentication will rely on a known PIN (Personal Identification Number) as well as a one-time password generated and displayed on a key fob-sized token that plugs into the computer's USB port.

The one-time password, which changes every minute, is generated by RSA Security server software within the enterprise.

Windows users will have to wait a while for the RSA SecurID to hit their desks, however. Beta testing is scheduled to start in the second quarter, and if schedules are met, it should be available in the third quarter of 2004. SecurID will work with the Windows 2000, Windows XP, and Windows Server 2003 operating systems, and companies will need to deploy the RSA ACE/Server 6.0 Advanced, the RSA ACE/Agent 6.0 for Windows, and, of course, RSA SecurID tokens for end users.

RSA Security and Microsoft touted SecurID not only as a way to strengthen authentication and access, but also as a means of complying with the host of government regulations, such as Sarbanes-Oxley and Gramm-Leach-Bliley, which require strict controls on access to confidential information. SecurID will capture all Windows desktop and domain login attempts, both remote and local, and log them to the RSA ACE/Server for monitoring and access policy enforcement.

A much smaller firm, the Hayward, Calif.-based Authenex, which produces authentication products, also used the conference to unveil its newest token, a hybrid USB/Smart Card device. The A-Key v3 Token, which comes in versions with or without one-time password capability, will be available by the end of the second quarter of 2004, said the company.
