[CALUG] seeking RSA advice

Bryan J. Smith b.j.smith at ieee.org
Wed Jul 1 11:35:56 EDT 2009


Daniel Deighton <ddeighton at aplura.com> wrote:
> A client of ours uses RSA SecurID.  In general, they
> are happy with the technology.  However, they recently switched
> from running their own server to an appliance solution.  They
> very much regret the decision.

What was the technical or other reason for this switch?
Were they decommissioning the server?  The entire OS platform?
E.g., running on Novell eDirectory, which was being abandoned?

I only mention it because, IMHO, RSA is a "no brainer" if you're
already running Novell eDirectory or Sun One.  The enterprise-wide
authentication in eDirectory and One is RSA already.

> Have you looked into alternatives to RSA SecurID?

Agreed, which I hinted to earlier.

I always stress the importance of evaluating _all_ solutions,
including building a set of factors for your business (including
interoperability with existing systems), etc...

Regardless of who I work[ed] for and my client(s) now and over
the years, there are only two things that I focus on, both client
centric:  
- Interoperability
- Risk mitigation (long term)

Clients make decisions on infrastructures and systems, and that
should drive what you recommend.  Sometimes the client doesn't
like what you have to point out.

I kid you not, I will recommend Microsoft Partner solutions.  Why?
Because when a client has chosen an infrastructure stack that is
Microsoft, it's the one that fits best.

I don't know how many times I've heard, "well, we can't afford that."

I have to answer, "understand you made that decision when you decided
to base your entire infrastructure on this Microsoft solution, and
you should have budgeted upgrades to changes made every 30 and 60
month cycles because of it."

It's very, very profitable to be a Microsoft Solutions Provider for
a reason, and why many products are pushed in different ways.

The second thing I hear the most is, "why doesn't Linux / open source
solve this problem for us?"

Again, I have to answer, "Linux and open source will never solve the
problem of clients choosing vendor lock-in, especially the latest
lock-in in a forced upgrade cycle, and can only offer a way out for
companies that finally decide to choose to not lock themselves in
anymore."

> I'm very interested in checking out WiKID
> (http://www.wikidsystems.com/downloads/DownloadTheServer)
> It's an open-source two-factor auth system.

It's a software-based system using a J2ME (so it works on mobile
devices, as well as full J2SE/J2EE VMs) that standardizes certificate
support.  It's one of many approaches using the same, certificate-based,
open standards support.

In reality, any certificate service will do the same, as long as
a device supports such standards-based authentication.  You also
have the option of SmartCards, which put the private key in hardware
(and is very difficult to expose**).  The obvious problem with
SmartCards is that they require a reader and support on the end-system.

But you could always fall back to software-stored certificates for those
devices.

-- Bryan

**NOTE:  Short of EMF recording equipment and extensive analysis of
the circuit in the card.  One of the reasons Schneier's Twofish lost
to Rijndael in the AES finals was due to the fact that Twofish, like
Blowfish, makes heavy use of adds.  While it makes the circuit fast,
a "ripple adder" in typical Clocked Boolean Logic (CBL) sends out one
heck of a discrete EMF signature.  ;)


-- 
Bryan J Smith          Professional, Technical Annoyance
b.j.smith at ieee.org    http://www.linkedin.com/in/bjsmith
--------------------------------------------------------
I don't have a "favorite Linux distro."  I use, develop
and support community efforts, often built around Linux.
Technology and solutions are my focus, not dragging in
assumptions, marketing and other concepts which dominate
non-community developed software, which I left long ago.
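The point Bryan makes about certificate-based authentication, that the protocol is the same whether the private key sits in a software file or in a SmartCard, can be shown in code. The following is an added example, not part of the original message and not WiKID's or RSA's code. It builds a constructed CA and a client certificate in memory, then runs a nonce challenge-response: the server hands out a random nonce, the client signs it with whatever holds its key (anything implementing Go's `crypto.Signer`, so a hardware token would plug in at the same interface), and the server checks the chain against its trust anchor, checks the signature, and refuses to accept the same nonce twice. All names (`NewCA`, `IssueClientCert`, `Verifier`, the "Example CA (constructed)" subject) are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewCA creates a constructed, self-signed trust anchor for this example.
func NewCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueClientCert issues a client-auth certificate for user, signed by the CA.
// The returned private key is the "software-stored" case; a SmartCard would
// keep it on the card and expose only a crypto.Signer.
func IssueClientCert(ca *x509.Certificate, caKey *rsa.PrivateKey, user string) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return der, key, err
}

// Verifier is the server side: its trust anchors plus the nonces already used.
type Verifier struct {
	roots *x509.CertPool
	spent map[string]bool
}

func NewVerifier(ca *x509.Certificate) *Verifier {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Verifier{roots: pool, spent: map[string]bool{}}
}

// Challenge issues a fresh 256-bit random nonce.
func (v *Verifier) Challenge() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// Respond is the client side: sign SHA-256(nonce) with RSA-PSS using whatever
// holds the key. *rsa.PrivateKey satisfies crypto.Signer; so does a token driver.
func Respond(signer crypto.Signer, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return signer.Sign(rand.Reader, h[:], &rsa.PSSOptions{Hash: crypto.SHA256})
}

// Verify checks the certificate chains to a trusted CA for client auth,
// rejects a nonce that was already accepted, then checks the signature.
func (v *Verifier) Verify(certDER, nonce, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: v.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("unsupported key type")
	}
	if v.spent[string(nonce)] {
		return errors.New("replayed nonce")
	}
	h := sha256.Sum256(nonce)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, &rsa.PSSOptions{Hash: crypto.SHA256}); err != nil {
		return err
	}
	v.spent[string(nonce)] = true
	return nil
}

func main() {
	ca, caKey, _ := NewCA()
	certDER, clientKey, _ := IssueClientCert(ca, caKey, "alice")
	v := NewVerifier(ca)
	nonce, _ := v.Challenge()
	sig, _ := Respond(clientKey, nonce)
	fmt.Println("first use:", v.Verify(certDER, nonce, sig))  // <nil>
	fmt.Println("replay:   ", v.Verify(certDER, nonce, sig))  // replayed nonce
}
```

The server never sees the private key, only a signature over a nonce it chose, which is why the key's storage (file, card, HSM) can change without touching the protocol; what the server must get right is the chain check against its own trust anchors and the single-use nonce, both of which are easy to forget when a vendor appliance hides them.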