In the middle of last year, Kiwi Co-Op Dairies’ IT chief Mark Baker found himself faced with a major headache — one that in his own words, would compound a daily — no, hourly — IT problem by “6700 to the power of three”, and in time, increase by several thousand more.
Baker had to figure out how to control both the authentication and authorisation (A&A) of the potential users of Kiwi’s e-commerce site, FencePost.com. That is, 6700 dairy farmers, all dialling in for highly personal financial information — as well as thousands of other rural users.
The crux of his headache was that one slip-up, such as a farmer seeing another farmer’s payment details, could spell the end for the site before it began. And the “power of three” was because each farmer could be a farm owner, a sharemilker on another farmer’s farm and an investor in another property or many, and they had to be allowed to see different levels of information for every farm location.
That’s a lot of farms up and down New Zealand.
Many IT managers can identify with Baker’s dilemma after setting up their own e-commerce sites. But worryingly, as Mark Easton, software development manager for web developer Terabyte, points out, the level of awareness about A&A is not what it should be. Easton says he has not heard one customer raise access-control questions when asking for the currently in-demand content management solutions (publishing systems that let users modify website content in real time).
He also points out that the “importance of process” in an access solution is often overlooked. “What is the point of a password-based access control system if a simple phone call to a company employee will gain you that password?” he asks.
But the risks of ignoring this issue can’t be denied. This month, the FBI warned e-commerce sites to patch their Windows NT-based systems after it was found that more than 40 sites across the US had fallen prey to Eastern European and Russian hacker groups. The hackers gained access to the sites and took more than a million credit card numbers, which may have been sold to organised crime groups.
What’s often forgotten is that most of the time the risk comes from the inside, from registered users. Locally, we’ve seen two high-profile cases. The first was in 1999, when early-mover computer distributor Renaissance acted swiftly to plug a breach after one of its resellers found that, as a registered user, he could gain access to other customers’ records by changing a number at the end of a URL.
And the other was last year, when internet registry Domainz launched its new browser-based system and name holders were emailed their passwords — but also the passwords of registrars.
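The Renaissance case above is the textbook failure of authorisation after a successful authentication: the server knew who was logged in, but fetched the record purely by the number in the URL. The following is an added example written for this article, not Renaissance’s code, showing that pattern beside its fix. The reseller names, record numbers and URLs are constructed sample data.

```python
"""Added example (not from the article or Renaissance): a record lookup that
trusts the number at the end of the URL, beside a lookup that checks the
record belongs to the authenticated user. All data below is constructed."""

from urllib.parse import urlparse

# Constructed sample data: which reseller owns which customer record.
RECORDS = {
    1041: {"owner": "reseller-a", "customer": "Acme Ltd", "balance": "12,400.00"},
    1042: {"owner": "reseller-b", "customer": "Beta Co", "balance": "980.50"},
    1043: {"owner": "reseller-a", "customer": "Gamma Farms", "balance": "3,250.00"},
}
AUTHENTICATED = {"reseller-a", "reseller-b"}  # constructed: users holding a valid session


class Forbidden(Exception):
    """Raised when the record is not available to the authenticated user."""


def require_login(user: str) -> None:
    """Authentication step: the session must belong to a known user."""
    if user not in AUTHENTICATED:
        raise PermissionError("not logged in")


def record_id_from_url(url: str) -> int:
    """Extract the trailing number from a URL such as /customers/1042."""
    path = urlparse(url).path.rstrip("/")
    return int(path.rsplit("/", 1)[-1])


def vulnerable_lookup(session_user: str, url: str) -> dict:
    """Authentication only. The record is fetched by the ID in the URL, so any
    logged-in reseller can walk the ID space (1041, 1042, ...) and read
    every other customer's record."""
    require_login(session_user)
    record = RECORDS.get(record_id_from_url(url))
    if record is None:
        raise Forbidden("no such record")
    return record


def hardened_lookup(session_user: str, url: str) -> dict:
    """Authentication and authorisation. The URL is untrusted input; the record
    is returned only if it belongs to the authenticated user."""
    require_login(session_user)
    record = RECORDS.get(record_id_from_url(url))
    if record is None or record["owner"] != session_user:
        # One response for "no such record" and "not yours", so the difference
        # cannot be used to enumerate which IDs exist.
        raise Forbidden("record not available to this user")
    return record


def can_read_others(session_user: str, url: str, lookup) -> bool:
    """True if `lookup` hands `session_user` a record it does not own."""
    try:
        return lookup(session_user, url)["owner"] != session_user
    except Forbidden:
        return False


if __name__ == "__main__":
    url = "https://example.invalid/customers/1042"  # reseller-b's record
    print("vulnerable:", can_read_others("reseller-a", url, vulnerable_lookup))
    print("hardened:  ", can_read_others("reseller-a", url, hardened_lookup))
```

The fix is not to hide the number (it can be guessed) but to make the server scope every lookup to the identity it has already authenticated.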
The value of company data
Experts agree that managers contemplating A&A issues need to start with the basics: doing a cost versus risk analysis. Businesses need to ask themselves how valuable their data is — and how much worry it would cause if it got out into the open, says web developer Grant Straker, of Ponsonby-based Straker Interactive.
The two A’s also have to be thought about independently: authentication happens first, when the system checks that the person is who they claim to be (their ID), and authorisation then decides what that verified identity may do, allowing or denying access to each file or function.
“Every strategy is relative to the seriousness of the risk,” Straker says, while Terabyte’s Easton quotes US author Roger Sessions when he describes it as “a trade-off between paranoia and performance”.
Mike Lowe, a man with a foot in two camps, says this means out-of-the-box, expensive enterprise-level A&A platforms may not be the go for small online businesses. Lowe is co-founder of health start-up Alberon.com (also owned by ex-MP John Banks) and e-business solutions manager for vendor SolNet.
Lowe says for Alberon, the biggest A&A issue when starting up was with payment services, and removing itself from liability in the authorisation process. So Alberon went with an international service which ensures it never sees the credit card information. Other than this, Alberon, like many other small sites, doesn’t make customers subscribe or log on — but it is looking at having parts of the site made private, secured with Java-based user names and passwords, for its partners offshore. “We can handle that [at least],” he says.
Straker says after considering a risk analysis, businesses have three choices:
1. To simply authenticate against the web-based application, using a database table.
2. To authenticate against the operating system (more common when the e-commerce sites link into the internal systems of a business, and where issues such as using domains, directories, policy engines and single sign-on come into play).
3. To authenticate against a secure certificate, token or key.
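Option 1, authenticating against a table in the application’s own database, is the one most small sites end up building themselves, and it is also where the simplest mistakes happen (passwords stored in the clear, usernames pasted into SQL). The following is an added example written for this article, not code from Straker Interactive or any of the firms named here. The choice of a per-user random salt with PBKDF2-HMAC-SHA256 is the editor’s, not something the article prescribes; the user, passwords and in-memory database are constructed.

```python
"""Added example (not from the article): authenticating against a users table
in the web application's own database. Only a random salt and a derived key
are stored, never the password itself. Sample users are constructed."""

import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # assumption: tune upward as hardware allows
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def open_user_db() -> sqlite3.Connection:
    """Create the users table in an in-memory database (constructed for the demo)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, "
        "pw_hash BLOB NOT NULL, iterations INTEGER NOT NULL)"
    )
    return db


def register(db: sqlite3.Connection, username: str, password: str) -> None:
    """Store salt + derived key; a copied table does not reveal passwords."""
    salt = os.urandom(SALT_BYTES)
    db.execute(
        "INSERT INTO users (username, salt, pw_hash, iterations) VALUES (?, ?, ?, ?)",
        (username, salt, _derive(password, salt), ITERATIONS),
    )
    db.commit()


def authenticate(db: sqlite3.Connection, username: str, password: str) -> bool:
    """True only if the user exists and the password matches.
    The parameterised query keeps the username out of the SQL text, and
    compare_digest avoids leaking how many bytes matched through timing."""
    row = db.execute(
        "SELECT salt, pw_hash, iterations FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Do the same work for an unknown user so the response time does not
        # reveal which usernames exist.
        _derive(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored, iterations = row
    return hmac.compare_digest(_derive(password, salt, iterations), stored)


def demo() -> dict:
    """Constructed run: one registered farmer, a good login, a wrong password,
    an unknown user, and a classic injection attempt in the username."""
    db = open_user_db()
    register(db, "farmer42", "correct horse battery staple")
    return {
        "good": authenticate(db, "farmer42", "correct horse battery staple"),
        "wrong_password": authenticate(db, "farmer42", "Correct horse battery staple"),
        "unknown_user": authenticate(db, "nobody", "anything"),
        "injection": authenticate(db, "farmer42' OR '1'='1", "x"),
    }


if __name__ == "__main__":
    print(demo())
```

The table holds nothing an attacker can log in with directly: recovering a password from the stored salt and key means guessing it one slow derivation at a time.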
Straker advises his small clients on tight budgets to go simple, and says the main thing is to separate their web server from the business server that holds financial details and customer accounts. For retailers such as Ponsonby-based kitchen company Milly’s, Straker has favoured using a ColdFusion web server, hosted at his company, linked to the business server using XML. Straker says XML is a safe method because it essentially sends encrypted requests for information and is not a constant stream of data easily followed by a hacker.
He also favours setting up a virtual private network (VPN) because the network is then encrypted.
Straker says small companies can make use of functions within Windows 2000 such as a VPN and firewall software, and access control lists or active directories — that is, lists that control access rights to applications on the operating system. They can also get their web server hosted by a third party who can buy bulk bandwidth.
Milly’s has also added another level of authorisation for debiting credit cards, where the money is held by the bank, only changing hands when Milly’s financial controller confirms the order is dispatched.
(While most specialists agree small businesses should be safe with such measures, Baycorp ID Services chief executive David Young says it is a myth digital certificates are out of their price range. Young says small businesses can expect charges of up to $400 with a $350 annual fee and digital certificates for their customers at around $40 each. More on this later.)
Using A&A solutions held against the operating system becomes more important when a site has a mix of internal users, staff on remote access and/or outside partners and users.
At this level, authorisation becomes more interactive with the server denying or allowing access to individual resources, applications or domains when a user tries to access them in turn.
Any strategy starts with a directory, usually one reached through the common Lightweight Directory Access Protocol (LDAP). Directories are built into networks running Windows NT domains or Windows 2000 with its Active Directory, and even into applications such as email packages and Lotus Notes. Every network handles data and users in different ways, so IT managers must plan a coherent directory strategy, and think of ways to combine and synchronise directory administration.
But the strategy for corporates must be more than this.
Gaining favour is single sign-on (SSO), a method that stops users keeping a list of different passwords on Post-it notes stuck to their computer. SSO means letting a user log on to a primary domain, but also giving them access to other secondary domains without the need for subsequent passwords or “logging on” efforts.
At its simplest, the IT manager specifies a particular platform or server as the primary authenticator, which then passes user ID and password information to other domains as needed. But administrators must still set up separate accounts for each user for each domain.
A more robust, if complex, approach is an SSO based on a policy or rules engine. Managers set policies for individuals and groups giving appropriate access to network resources. The SSO determines what policies apply to that particular user ID and then vouches for the user to other systems. So if a programmer or clerk with certain access rights quits, or receives a transfer, only the SSO system needs to be updated, and that person is automatically locked out of the old department’s systems.
As Computer Associates business development specialist Warren Grant puts it, SSO “happens automatically behind the scenes as you navigate through applications — it’s an end to end solution”.
SSO can represent a single point of failure for network security — but Grant says this is balanced by the fact that 80% of breaches occur from internal staff — and with a policy-based engine you can disable that person instantly. Staff are also less likely to give a friend their password if it is their password to everything instead of just one application, he says.
CA is one of many companies offering products in this area — others include Massachusetts-based Netegrity, Securant Technologies, Tivoli and the consortium behind the iPlanet suite.
Netegrity Asia-Pacific head Duncan Fisken says SSO and policy-based engines are driven by the need to “offer a seamless customer experience” — as well as a way that administrative and support costs can be significantly reduced.
“With a small number of rules you can achieve a large number of users and it’s not necessary to update every new employee,” Fisken says.
Netegrity, which operates locally out of Australia, has one New Zealand client to date — a major telco, still under wraps. Other customers include Cathay Pacific and General Electric. But Fisken says his product is not for small businesses, with the average first-time deal costing $US100,000 to $150,000.
Other vendors promote the importance of directories. CA’s Grant advises corporates to add to a policy-based server what he calls “the cream on the cake”: an X.500 standard directory. He says this industry-wide standard, first used by large telcos, is robust enough to be a corporate backbone, and can scale up as a business grows. (For more information, see www.iso.ch.)
SolNet’s Lowe, whose iPlanet product range uses Netegrity, is adamant corporates “have to look at an out-of-the-box authentication product”, saying proprietary systems “can be the most limiting factor to your success”. He emphasises a single, unified directory, used with token-based access: a system that must be set up with the schema dead right, he says. (Lowe points people looking for information on schema to http://standards.nortelnetworks.com/dif-sp-dna/index.html.)
While a single directory clearly has operational advantages, IT media in the US indicate many large organisations will not be able to standardise anytime soon. And there is much debate over which standard to focus on.
But something all the SSO and policy-based engines boast is the ability to combine their technology with a parallel trend: authenticating using digital tokens and smart cards, combined with digital certificates. Big digital certificate players overseas include Baltimore, Verisign and Entrust Technologies. Locally, the two public certification authorities to date are Baycorp ID Services and PricewaterhouseCoopers.
To use digital certificates, each party holds a pair of keys: a private key that never leaves its owner, and a public key that anyone may have. Something encrypted with one key can only be decrypted with the other, and a signature made with the private key can be checked by anyone holding the public key. A digital certificate binds a public key to a name, and is itself signed by a certification authority that both sides trust, so neither side has to have met the other to check who it is dealing with. The corporate’s web server has a certificate, and so can the user, either as a certificate held in the browser or one carried on the person (a token, essentially a tiny computer with its own private key inside, or a smart card). The two sides present and check certificates when the encrypted session is set up.
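What a certificate actually is, and why a relying party needs only the certification authority’s public key, is easier to see in code. The following is an added example written for this article, not code from Baycorp, Verisign, Entrust or any real PKI product. The arithmetic is textbook RSA with tiny fixed primes so that it runs instantly: it is a toy for illustration, and anyone can factor these moduli, so it is not usable security. The certification authority, server name, key pairs and challenge value are all constructed.

```python
"""Added example (editor's own, not any vendor's code): a certificate as a CA
signature over a name and a public key, checked by a relying party, then used
to prove possession of the matching private key. Toy RSA with tiny primes."""

import hashlib
import json

# Toy primes (assumption for the demo; real keys use random primes of 1024+
# bits each). This modulus is trivially factorable, which is why it is a toy.
P, Q = 1_000_003, 1_000_033
E = 65537


def keygen(p=P, q=Q, e=E):
    """Return (public, private) = ((n, e), (n, d)) for the given primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # raises ValueError if e is not invertible mod phi
    return (n, e), (n, d)


def _digest(data: bytes, n: int) -> int:
    # Hash first so a signature commits to data of any length.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(_digest(data, n), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest(data, n)


def _to_be_signed(subject: str, public) -> bytes:
    """The part of a certificate the CA signs: subject name plus public key,
    canonically encoded so both sides hash identical bytes."""
    return json.dumps({"subject": subject, "n": public[0], "e": public[1]},
                      sort_keys=True).encode()


def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """The CA binds a name to a public key by signing the pair."""
    return {"subject": subject, "public": tuple(subject_public),
            "signature": sign(ca_private, _to_be_signed(subject, subject_public))}


def certificate_valid(cert: dict, ca_public) -> bool:
    """A relying party needs only the CA's public key to check a certificate.
    Changing the name or the key invalidates the CA's signature."""
    return verify(ca_public, _to_be_signed(cert["subject"], cert["public"]), cert["signature"])


def handshake_proves_key(cert: dict, ca_public, challenge: bytes, response: int) -> bool:
    """Server (or token holder) authentication in outline: present a certificate
    and sign a fresh challenge with the private key the certificate names.
    Both the certificate and the challenge signature must check out."""
    return certificate_valid(cert, ca_public) and verify(cert["public"], challenge, response)


def demo() -> dict:
    ca_pub, ca_priv = keygen(1_000_037, 1_000_039)    # the CA's own key pair (toy)
    srv_pub, srv_priv = keygen()                       # the web server's key pair (toy)
    cert = issue_certificate(ca_priv, "www.example.invalid", srv_pub)
    challenge = b"nonce-1234"                          # constructed fresh value
    forged = dict(cert, subject="www.attacker.invalid")  # same signature, new name
    _, impostor_priv = keygen(1_000_081, 1_000_099)    # impostor lacking the server's key
    return {
        "genuine": handshake_proves_key(cert, ca_pub, challenge, sign(srv_priv, challenge)),
        "renamed certificate": certificate_valid(forged, ca_pub),
        "wrong private key": handshake_proves_key(cert, ca_pub, challenge, sign(impostor_priv, challenge)),
    }


if __name__ == "__main__":
    print(demo())
```

The same two checks, certificate chain and proof of possession, are what a browser performs against a server certificate and what a server performs against a client certificate on a token or smart card; a real implementation adds validity dates, revocation and much larger keys.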
Baycorp ID Services chief executive David Young says his company’s technologies have been rolled out in clients such as law firm Buddle Finlay and in government departments such as ACC, where all staff now access their system using tokens.
Young says his company, formerly known as 128I, has also developed a software package it now plans to sell overseas after it found most desktops are not set up to incorporate digital certificates easily.
Young’s PKI Installer software, used to help ACC roll out its token system, fixes bugs, checks for problems in installation and configures the system to work with Baycorp’s directory.
Young says the next level of security for corporates using digital certificates is to consider installing hardware security modules (HSMs) on their web servers, to stop hackers from pulling out the private key stored there.
Young says his software and HSMs will help improve satisfaction and reduce helpdesk calls, and he is confident smart cards will “take off” in New Zealand.
“Digital certificates will be around no matter what,” he says.
FencePost does it its way
Despite these packaged applications, FencePost’s Baker chose to go with a customised solution. He says his decision had a lot to do with the fact his site wasn’t just to service the dairy industry — but also livestock, wool and others. This meant any solution had to support a lot of verticals behind the scenes.
Baker says his team spent 60% of their total prelaunch time working out all the relationships a farmer could possibly have, based on the three basic IDs of farmer, sharemilker and investor.
They came up with a three-tiered IT approach and, with Christchurch firm Jade, built a middleware integration application that sits between the internal site and the FencePost site, also hosted by Jade, and, using XML, provides a safety-net extraction layer. Baker says the system uses LDAP as a synchronisation tool, but he avoided pervasive directories “because their failure affects everything”.
His system uses single sign-on (which requires a thorough registering and authorisation process run by Kiwi Dairies head office), with a password and ID generated by what relationship type(s) the farmer fits.
Essentially, messages are passed through the integration layer first to a SQL Server running an ATG database, which validates the ID, then sent back and out again to a Jade application which holds details of each level of ID and business rules. That application compiles these rules and a message is sent back telling ATG how to build the user’s web page.
A second round of thought had to go into FencePost’s Interwoven content management system, which has several dozen people around the country contributing to its content. They have a separate, private website address to FencePost, and use SSL and NT authentication.
“The biggest thing was realising that our internal system would never be any good for external access,” says Baker, who has submitted his process for a BMC qualification for A&A excellence, the first company in Australasia to try for it.
Baker says discussion of A&A issues is growing, but won’t become widespread until IT security is considered a management function.
Baycorp’s Young points out that one factor sure to promote discussion is the set of issues raised by the Electronic Transactions Bill, meant to be passed in June. While the bill’s final form is still unclear, people may want to consider what form of identification will be seen to be valid in a legal dispute. It seems that password-protected accounts won’t be enough to certify a business was dealing with the right person, not an impersonator, but more costly digital signatures, authenticated by a publicly certified third-party authority, will be (see the most recent discussion document, Electronic Transaction Bill: issues raised, version three, available at www.lawcom.govt.nz).
The future is here
Coming soon are James Bond-style biometrics solutions. Thumbprints and retina scans for A&A are being trialled overseas — Verisign has formed partnerships with several vendors, while CA says it has a proof-of-concept pilot in New Zealand — and the science is now moving to physical and behavioural characteristics such as facial structure scans and voice patterns.
But the remaining challenge is to address large-scale biometric deployments in complex governmental and commercial systems. There’s no doubt that biometrics will only be used in conjunction with other technologies, says research house IDC analyst Charles Kolodgy. “You can expect to see a lot of biometric authentication devices popping up in hand-helds and phones in 2002 or so.”
Beyond that, all vendors and experts agree A&A will become pervasive, sooner rather than later. They say prices will drop for policy engines and tokens over time, or vendors will introduce less fully functional versions for smaller businesses. But the real problem yet to be overcome is “the culture of indifference” plaguing password security, with easy-to-guess passwords and staff or impostors ringing help desks. This has led several industry commentators to suggest that password-reset requests themselves need to be authenticated ... and so it goes on.