RSA Security has open standards

Before organizations can fully embrace the world of e-commerce and e-business, they need to create an infrastructure through which people can more securely conduct transactions and receive information.

This is what the University of Toronto (U of T) had in mind when it began beta testing RSA Security Inc.’s new Keon 5.0 PKI product.

Currently U of T staff members use a token along with a PIN code to access files. Wilfred Camilleri, U of T’s manager of computer security, hopes to make that access more secure by issuing certificates to his employees. For now, students can do little more than add or delete courses on-line, but Camilleri hopes that by eventually rolling out the Keon product to students, the University can increase the kind of information students can access through the Internet.

“In the future, as we give students access to more data and give them the ability to change information through a Web-based system, we would need to have a more robust authentication and security system. That’s really the impetus of what we’re doing,” he said.

The Keon system is promising organizations like U of T a more secure infrastructure, said RSA Security’s Canadian general manager Michael Kennedy in Toronto.

Some vendors put certificates on a workstation accessible through a password, he said, but “that’s like having a stainless steel lock and putting on a cardboard door. Pretty much everyone accepts that common static passwords are not very secure. Having your private key and certificates protected by a password is pretty much absurd,” Kennedy said.

To avoid this, Keon users can protect their certificates in two different ways – by unlocking credentials through a token, or by not having them on their workstation and instead downloading the certificates through an authenticator.

Keon 5.0 combines the RSA Keon Security Server and the RSA Keon Desktop components.

The system was designed with open standards so that companies can obtain their certificate from the certificate authority of their choice.

“Keon is fully interoperable. It supports open standards. We can use other people’s certificate in our product line,” Kennedy said.

U of T’s Camilleri said the school eventually wants to let students access their records, view marks and change key information, such as their addresses, over the Internet. This would give students the ability to access records anywhere, anytime.

“One of the key factors here is security. A lot of the information would be confidential information. That’s why you need to have a good security (system) around being able to access and change that information. In the end, there would be an impact on administration because people don’t have to come in person to do certain things,” he said.

So far, the university has only rolled out RSA’s Keon product to a small number of users – and though the system is working fine for now, it’s too early to tell how it would withstand the pressure of thousands of users accessing the system at once, he said.

Implementing security infrastructures like PKI can be a costly process, but it’s an undertaking that all businesses need to consider, according to one analyst.

“If you’re going to open up your corporate data to all of your users and if you’re going to open up your supply chain, if you don’t have a good security mechanism in place, you are toast,” said Jonathan Eunice, analyst and IT advisor with Illuminata Inc. in Nashua, N.H.

“RSA is one of the progenitors, and the first and the most strongly associated with this kind of ubiquitous security infrastructure.”

However, he said, the main challenge any PKI solution faces today is the fact that a standard does not currently exist.

“The problem is that the world, as it stands right now, has no common mechanism of even the basics of this kind of global security infrastructure,” he said.

RSA Security in Toronto can be reached at (416) 368-9980.