Tokens Or Cards The Key To Securing Enterprises

How many more miserable Mondays like today will it take before network administrators really start hollering for better ways to secure their networks? From his weak promises last week about security enhancements for Windows, it's obvious that Bill Gates and Microsoft aren't moving at the speed of light on this topic. But there was some hope for help last week in other presentations at the RSA Conference, where VeriSign and Sun Microsystem advanced well thought-out plans for using tokens or smart cards to authenticate network users.

Tokens for logons might seem like a burden, but anyone who works on a corporate campus is already used to carrying around a card for building access. It makes sense to extend that same security model to the virtual world, especially since so much of enterprise business is conducted on the world's wires, fibers and wavelengths.

As part of his keynote speech, VeriSign CEO Stratton Sclavos outlined the company's Open Authentication reference architecture

(which they call OATH), a plan that seeks to set standards that would let companies build open-architecutre ways to combine user IDs with a software or hardware token (a card, fob or other device) to form a combined credential that validates identities for network or application access.

"It's time to rethink authentication," Sclavos told the audience at his Wednesday talk. "We need a new ecosystem to build better [security] products, that work together."

So far, VeriSign has some good lip service from some potentially strong partners for OATH products. VeriSign also has plans to move some of the authentication procedures into the network, which could potentially ease the pain for network administrators, going forward. At the very least, IT pros should make OATH compliance a check-list item whenever security vendors come calling.Sun, meanwhile, had its new vision of desktop authentication presented by Jonathan Schwartz, Sun's executive vice president of software. Schwartz made some strong points about the need for authentication, using cell phones and automated teller machines as examples of how ubiquitous authentication methods help e-commerce succeed with a high degree of safety.

"The expense of anonyminity to date has been borne by those of us who are authenticated," said Schwartz. "We want to turn that around."

By using Java cards, Sun's identity manager system proposes to bring ATM-like security and management back to enterprise networking. While the message is powerful, some of the strength is lost when Schwartz follows CEO Scott McNealy's tiresome tradition of tweaking Microsoft in just about every other sentence of a public speech. Guys, get over it. Everyone uses Microsoft products, whether they want to or not. Instead of wasting time with snide comments, use that creative energy to bring those innovative products to market sooner, rather than later.