Token migration reveals an industry in a state of flux

IT staff at Mount Sinai Hospital in Toronto eventually found a preferred fix for the building’s secure log-on issues — the only problem was that it came a few months late.

The fix was part of a larger, two-fold project, said Steve Noyes, Mount Sinai’s director of information and communication technology.

“We wanted to give (doctors) remote access from outside their office,” something not lightly done given the security that must underpin patient medical records.

The other issue concerned login times for clinical staff. Most were accustomed to waiting 15 to 20 seconds to complete login to clinical software systems, and that was “just too long,” Noyes noted — enough to force some to abandon trying altogether.

Then there was the hospital’s desire to introduce token technology. Tokens are credit-card-sized devices (cards or dongles) that display a changing ID code. With one, a user may enter a password, prompting the card to display a login ID that will work at that moment. Such systems are designed to reduce unauthorized logins and protect sensitive data.

Noyes began a rollout of token technology from Bedford, Mass.-based RSA Security Inc. in January. But three months into the project, he caught wind of a competing product, CRYPTO-Server 6.1, from Ottawa-based CryptoCard Corp. Three features in particular caught his attention — its price, which he says he calculated to be about half that of RSA’s; the fact that the batteries in the cards are rechargeable; and that the tokens themselves don’t need to be replaced after a pre-determined timeframe.

What also appealed to Noyes was a technology CryptoCard markets as “follow me computing” — using CryptoCard, a doctor could log out of his or her application with a smart card or USB dongle, move to another workstation anywhere in the hospital, log back into the system by reinserting the card, and continue working as if uninterrupted. “So really, one package gives us the benefit of secure remote access,” Noyes said.

Malcolm MacTaggart, CryptoCard’s president and CEO, said the feature addresses “(our) customers’ desire to move to server-based computing…(and) to some sort of LDAP schema.” Customers were also asking about how to encourage token users to log off, once logged in.

That Mount Sinai was an RSA customer is no accident — CryptoCard 6.1 is targeting RSA customers and the vendor even has an RSA migration plan. RSA declined to comment when contacted by ComputerWorld Canada.

Rollout began in March, but ran into a problem that could have been “potentially a showstopper.” A Windows NT 4.0 legacy domain wasn’t compatible with CryptoCard software, but “we were able to get the changes made,” Noyes said, forestalling a forced upgrade of Windows, which would have made the business case untenable.

The token front has been busy of late. RSA announced an agreement to add its authentication technology into Microsoft applications and management software.

VeriSign Inc., meanwhile, announced that it was organizing an industry-standards effort called Open Authentication to foster interoperability across token vendors’ products. All the token vendors’ products “use a different reference architecture,” a VeriSign spokesperson said. “Some are time-based, some are sequence-based, using different algorithms in a sequence of keys.”
