Published: 01 Apr 2007
GOLD | RSA SecurID
Price: $2,995 for an annual subscription
For Andy Pruitt, chief technology officer for Backstop Solutions Group, an on-demand platform for hedge funds, RSA was the only vendor that worked with the firm's particular integration needs. "They took the space seriously," says Pruitt. "[Other vendors] didn't get it. The integration level we needed was deep because we had to be able to control the administration."
Web-based services, compliance and the continual onslaught of data breaches are fueling the market for stronger authentication. With RSA Security a vendor of more than 20 years' experience, it came as no surprise that the company and its SecurID came out on top.
The reasons it edged out its competitors: ease of use, integration and compatibility, according to readers who use the product.
When Backstop Solutions Group started to look at authentication products last July, it brought in a number of vendors. Initial meetings went well, but when Backstop started to get more specific about its needs, "that's when things started to fall apart," says Pruitt. Backstop's development environment was JBoss, "and when you are Java-based there is no comparison [between RSA and other vendors]," Pruitt says.
While Pruitt was willing to make the authentication investment because his users are high net-worth customers, traditionally cost has been a barrier to the market's widespread growth, industry watchers say.
Toffer Winslow, vice president of product management and product marketing for RSA, disagrees. While RSA SecurID tokens appear higher priced, he admits, "when you evaluate total cost of ownership and the amount of integration, we are much better [priced] than the competition," he says. Because of a rigorous certification process, RSA has been working with 300 of the top applications. "We know they work with SecurID," Winslow says.
In fact, more than three-quarters of readers surveyed said they were pleased with the ROI and felt they were getting their money's worth from SecurID.
And RSA has continued to innovate beyond tokens to secure other types of devices and applications. At RSA Conference 2006, the company unveiled the SecurID Toolbar Token and RSA SecurID SID900 Transaction Signing Token to secure online transactions through digital signatures. The company, now a division of EMC, also recently announced partnerships with Research in Motion, SanDisk and Motorola, among others, to use its technology to secure BlackBerries, cell phones and USB flash drives.
"The goal is to get RSA credentials everywhere," says Winslow.
SILVER | VeriSign PKI
Price: $19.95 per certificate
VeriSign took silver with its range of PKI services. The company edged out the competition due to its top scores in the ease-of-use and response categories, where more than 70 percent of readers rated it highly. During the past year the company has expanded its reach with the acquisitions of GeoTrust, an SSL certificate supplier, and SnapCentric, a provider of online fraud detection solutions that help companies comply with FFIEC regulations. VeriSign also announced its Extended Validation (EV) SSL certificates that support Microsoft's IE 7 and Vista and incorporate technology that enables Windows XP clients using IE 7 to display the same green address bar for Web site authentication as Vista clients.
BRONZE | ActivIdentity Smart Cards
ActivIdentity, formerly known as ActivCard, took the bronze. Readers were pleased with the scalability of its products and their ease of use for end users. ActivIdentity offers solutions including physical/photo ID, logical access using SSO to incorporate resources, secure remote access, and digital signature and encryption of email and documents. Within the past six months, the company has broadened its solutions for the Sun, Novell and Microsoft platforms. It recently bolstered its health care suite with SecureLogin Kiosk and announced that its Mini Token OE and ActivIdentity Authentication SDK support the HMAC One-Time Password algorithm developed by OATH.
In the trenches
Token support isn't enough
Hidden costs can derail strong authentication rollouts
Implementing strong authentication is about planning, education and simply accounting for the foibles of human nature.
One of the most common stumbling blocks is user acceptance and the resulting support costs to roll out such an implementation.
"It simply makes authentication harder," says Peter Gregory, a senior security specialist at a company that provides on-demand business services. "There are more pieces on the critical path for a user who needs to access systems.
"There are difficulties simply because people can't find the token, they lose the token, they accidentally drop the token in water, etc. All of this translates into support costs," says Gregory.
As a result, security managers should have a detailed, mapped-out plan, according to users who have gone through this process.
"Support personnel including help desk and desktop services must be ready to field calls from users who are confused," says Ron Woerner, information risk manager at ConAgra Foods.
Gregory agrees, and adds that companies need to account for all the hidden costs. The cost of implementation--getting people trained, provisioned and supporting them--probably exceeds the cost of the token itself.
Depending on the size of the organization and type of authentication used, training can be cumbersome.
Training and rollout can be especially difficult when large organizations try to do it en masse. "It's usually an all-or-nothing deal," explains Woerner. "In large organizations, it requires a lot of coordination to ensure there are no gaps."
Furthermore, with today's highly distributed workforce, logistical rollouts aren't simple. You can't walk down the hall and hand out tokens. It makes it more time consuming, Gregory says.
And while the second factor provides additional security, it is not foolproof. "For fobs or number generators, there is still a worry that the second factor does not necessarily ensure that it is really the user in question. I can steal a fob and with some other social engineering I can log in to the system," says Ernie Hayden, CISO of the Port of Seattle.
For that reason, biometric devices are more secure, but also come with their own headaches, Hayden says.
A headache to avoid is a biometric implementation that doesn't integrate with Active Directory or the GINA (Graphical Identification and Authentication) for Windows systems--the primary systems used for user authentication. "You need to be absolutely sure that all aspects of privacy are addressed in the specification, procurement and implementation," says Hayden.
Strong authentication "isn't a panacea but it does close one of the avenues of weakness," says Gregory.