Fri, Apr 21 2006 19:53
Now on the bus.... (to get from Fresno to where I'm going in Los Angeles you have to do a "train/bus/train" trip, heading over the Grapevine on Interstate 5, and I left warm and sunny Fresno for where it's now raining....) So now I'm on battery and checking blogs, and I came across Keith Combs' blog, which pointed to Steve Riley's blog on two factor authentication. And there on the page is a discussion of kiosk access and use in an office. Funny, because earlier today I was discussing this very issue with someone.
Right now as I type, I have the ability to RWW (Remote Web Workplace) back into the office (and I've actually done this with a cellular connection on a train/bus/train trip like this many times). But I always... ALWAYS only do remote access from a machine that I trust. From a machine that I can control. From a machine I can have access to. So kiosk computers are never EVER allowed as an access means into my system. Those are the rules. No ifs, ands, or buts.
During a project with the Center for Internet Security we discussed a baseline minimum security that was needed to protect sensitive data. And some argued that two factor was a minimum standard that was needed to provide access. And here I was, paranoid as I am, arguing against it, because in my mind it wasn't mature enough to be a minimal requirement.
Want to solve the problem of two factor authentication? Make it work on the standard SBS Cougar platform. No, seriously.... make it such that it can work out of the box on the SBS Cougar platform, and the big firms will have no excuse not to deploy it. Now then... here's the hard part... "what" is going to be that second thing? My friends that I'm traveling to go see in Los Angeles use RSA secure tokens, but for my small business space they don't sell them in a quantity that is reasonable. So problem number one that Mr. Combs and Mr. Riley need to somehow solve as an outside vendor is to ensure that whatever two factor solution becomes the de facto standard... that the vendors sell it in small quantities. The next problem is the "oh we don't support " issue. Currently I'm still waiting to hear if DigitalPersona comes back and says they support SBS 2003's Active Directory. Right now they say they are in 'investigation' to see if it's supported.
So what do I want?
Besides the fact that I want a two factor solution that will work on OWA and Remote Web Workplace..... just have the SBS dev team design you a two factor solution. Why? Because they excel at wizards... at taking complex things and coding up easier GUI, SBSized things.... You want to solve your two factor problem?
Just SBSize it.
Just talk to the SBS Dev team... they'll fix you right up....
P.S. If your employees TRULY need email on the road... buy them a Windows Mobile 5 phone. The phone will provide your firm with secure remote access for email, and the employee will have no need to use a kiosk computer.
Filed under: Security