SecurEnvoy makes the use of dedicated tokens superfluous
Author: Johann Baumeister
There is continuous demand for mobile access to centrally stored information. More and more employees want and need access to corporate data when on the move. For this purpose, one usually uses VPN or similar secure channels. And to make sure the connection is secure, traditional authentication methods are used. But as is already widely known, a simple access security measure such as a username and a password can hardly be classified as safe. In order to make access safer, there should be a double layer of security - two-factor authentication. For this, a combination of "knowledge" (password) and "possession" (hardware token) is usually used. This combination of different criteria (2-factor) provides the best possible security.
Tokens are considered to offer greater security, but have the disadvantage that they must be procured, distributed and administered. In addition, small tokens can be lost or stolen. To circumvent this disadvantage, SecurEnvoy uses common devices such as mobile phones or smartphones as tokens in its SecurAccess authentication method. As with a hardware token, the user receives an access code that is sent to the phone. There is also less risk of loss or theft than with a dedicated hardware token, as the absence of their mobile phone or smartphone would be noticed very quickly by most users.
The SecurAccess architecture
The SecurAccess architecture is based on a RADIUS access server, which serves as the starting point for user authentication. The software itself is easy to use and understand. The access data and all other information are stored in existing directories, such as Microsoft Active Directory or Novell eDirectory. SecurEnvoy supports all common directory systems: as well as the Active Directory and eDirectory already mentioned, compatible systems also include LDAP directories, OpenLDAP, the Sun Directory Server and Lightweight Directory Servers.
SecurAccess can send the access code to the user via various channels, such as to a mobile telephone via SMS or as a smart token using a special app for smartphones. As already mentioned, these various channels involve the use of various technologies to make the access code available. Furthermore, the security tool enables a wide range of code types and validity periods to be utilised. SecurAccess uses the term 'token type' in this context. One of the special features of SecurAccess is this wide range of communication channels and token validities. SecurEnvoy thereby aims to cater for all manner of scenarios.
Specifically, SecurAccess supports the following token types:
- "SMS" - this involves sending the access code to the user's mobile telephone in a text message.
- "E-Mail" - with this token type, the user receives an e-mail containing the access code.
- "Pre-Load-Code" - a new code is sent for the next login whenever the user logs in.
- "Three Codes" - with Three Codes, the user receives three valid codes in a single text message. This is intended, for example, for situations in which it is difficult to establish an Internet connection or mobile phone reception, or in which sending three user codes will make life a little easier for the user.
- "Real Time" - with this token type, the access code is communicated to the user in real-time during a login operation. This is comparable with the online transaction authentication numbers commonly used for telephone/online banking.
- "Day Code" - permits any number of logins during a single day.
- "Soft Token" - for use with smartphones. This requires an app that can be acquired from SecurEnvoy.
The above list of tokens illustrates the various channels that are available in principle for the transmission of codes. SecurAccess also allows the user-specific assigning of various tokens to different users.
Central administration
The administration of the solution is split into two distinct areas. The administrator takes care of the centralised administration of the entire system, including users, tokens, alarm handling and all other central settings. In turn, individual users can establish their own device-specific settings and make the permitted token selection. These settings include the token type or mobile telephone number. For example, if the user changes from a traditional mobile telephone to a smartphone, he/she can make the necessary configuration changes himself/herself via a central website.
Because of the tight integration between SecurAccess and the existing directory systems, SecurEnvoy recommends installing the software modules on the directory systems, such as the domain controller in a Windows environment. Anyone who wants to test this can download a demo version of the software that is valid for 30 days from the SecurEnvoy website. The software should then be set up with AD on the domain controller. According to SecurEnvoy, SecurAccess requires little CPU power and can therefore be installed on a server with AD and Microsoft authentication services without any loss of performance. The software can also be run in a virtual environment such as Microsoft Hyper-V, VMware vSphere or Citrix XenServer.
Following the setup of the administration modules, the user receives a link to the administration homepage. The SecurAccess administration console is clear and tidy. It is divided into several tabs, and the following administration blocks are provided by the tool:
- "Config": This group includes the majority of the administration functions relating to licenses, the token types in use, and the administration of PINs, accounts and other passwords.
- "Radius": SecurAccess includes a RADIUS access server. Its configuration settings can be amended here.
- "SecureMail": SecurEnvoy can send e-mails featuring passwords and access links to users. These can be configured here.
- "LogViewer": The system's logging settings are configured here and log files can be viewed.
- "Users": Administration of users and groups. As mentioned, the users are administered in conjunction with the directory system. For example, Active Directory users can very easily be incorporated into the SecurEnvoy network using Windows group administration.
- "Reporting": This group provides tools for creating reports and assessments.
- "Alerting": In the Alerting block, alarm handling is carried out and error notifications are issued to administrators.
- "Help": SecurEnvoy's online help.
Administration carried out by users
SecurEnvoy makes use of devices such as mobile phones and smartphones rather than dedicated hardware tokens. These devices are often procured and administered by the users themselves. This is also true of the type of device (mobile phone, smartphone), the telecommunications provider and its dialling prefix number and, for example, the user's network coverage. It is often the case that none of these aspects are or can be controlled by the central administrator. Consequently, SecurEnvoy grants responsibility for these issues to the user. As a result, users can make many of the configuration settings themselves, within centrally defined limits.
This local administration carried out by users is performed via a central website, where users can log in and then establish settings tailored to their individual needs. For example, if a user replaces a mobile phone with a smartphone, a new telephone number is often allocated and can be updated on the website. In such cases, the type of token can also be changed from SMS to smart token. SecurEnvoy ensures comprehensive administration of the entire life cycle of devices. If, for example, a device is replaced with another, the old access data is automatically deactivated.
Summary
With its SecurAccess solution, SecurEnvoy provides a two-factor authentication method that dispenses with additional dedicated devices (tokens). Instead, the security specialist utilises commonly-used devices, such as mobile telephones, smartphones, tablets and the like. This makes things more straightforward, as no special equipment needs to be purchased, distributed or administered. And, at the same time, the two-layer access control method ensures the required level of security for the use of corporate data by employees on the move.