
Review: Imperfections aside, TACS v3.1.1 is a viable tool

By Steven Weil, Contributor
06 Jan 2006 | Information Security magazine


TriCipher Armored Credential System v3.1.1
TriCipher
Price: Base price is $250,000 for 25,000 users and includes three appliances, management tools and APIs

Authentication systems are increasingly under attack, and organizations are scrambling to deploy secure but easy-to-use systems that won't quickly become obsolete. TriCipher's TriCipher Armored Credential System (TACS) v3.1.1 offers a clever solution using multi-part credentials.

TACS is intended for organizations that need a highly available product to quickly authenticate thousands of users -- and it's priced accordingly. Its implementation features a three-appliance mirrored configuration and includes several APIs that can be used to expand functionality (e.g., using TACS as a secure vault for sensitive information). TriCipher claims TACS can handle up to 5 million users and 450,000 authentications per hour.

One part of a credential is stored on the TACS (a FIPS 140-1 level 2-rated appliance), and the other part is kept with the user. To successfully authenticate, both parts of the credential must be combined, making it difficult for an attacker to steal an entire credential and eliminating the need for password files.

The user's part of the credential can be derived in multiple ways using up to three factors: a password, a password plus a key stored on a computer, or a smart card, USB memory stick or device with flash memory. This flexibility enables security managers to issue credentials of multiple strengths to different types of users.

User credentials that are based on just a password or that use browser-based two-factor authentication (with an encrypted browser cookie or browser certificate) require nothing to be installed on the client. Client software is required to use two- and three-factor credentials.

To upload large numbers of users, TACS can be synchronized with an LDAP server, or a batch user import file can be used.

Administrators can assign granular privileges to specific roles. For example, a security manager can review user accounts, but a systems manager cannot. The tool used to configure and manage TACS is solid, but lacks a user dropdown list and a help menu. TriCipher also provides a tool for generating and managing certificates.

Following TriCipher's thorough documentation, we were able to create, issue, modify and revoke different types of authentication credentials for multiple users. We were also able to establish rules that limited the use of credentials to a single computer and allowed users to roam to other computers with their credentials.

TACS produces detailed logs, which can be exported to a syslog server. Backups can be performed to the built-in tape drive or sent to another device via SFTP.

Reporting could be better. The general report is cryptic, and producing it makes the TACS unreachable for up to 10 minutes. The user reporting tool provides only limited information. We'd like to see more detailed reports about significant system events and user actions.

These limitations notwithstanding, TACS offers a clever, robust solution for securely authenticating large numbers of users. It's not cheap, but it's a viable tool for enterprises that need to manage complex authentication requirements efficiently.

This product review originally appeared in the January 2006 issue of Information Security magazine.
