The key to remote access at Manitoba Telecom
Sep 1, 1997 12:00 PM, CHALMERS F. CARR
A hardware token protects corporate data and allows users to access the company's computer systems from basically anywhere.
Like telecommunications providers all over the world, Canada's Manitoba Telecom Services Inc. (MTS) is facing increased competition due to deregulation and changes in technology.
To become more competitive, MTS looks for improved ways to use technology. One of the technologies that has enhanced MTS' flexibility and responsiveness is remote access to the enterprise network, which allows employees to access the company's computer systems wherever they are, from home or in the field.
But the security risk of remote access concerned MTS manager of information system security John Berti, who has the job of protecting the information assets of a company that has more than a half billion Canadian dollars in annual revenue.
MTS is really four companies: MTS Net, the local telephone service division; MTS Com, which focuses on high-level business customers; MTS Mobility, the cellular and paging division; and MTS Advanced, which offers directory service, Internet service, and other advanced networking services. Berti's responsibilities extend across all of them.
"Our information is one of our most important assets. We have to protect it. At the same time, we are building networks and systems that people rely on, and they need to be able to use the systems on the go. We needed something to protect our information and, at the same time, allow users to access the information from basically anywhere," says Berti.
Furthermore, the systems that employees wanted to be able to access remotely were the systems that could cause the most damage if a competitor or other invader were to get into them. Giving customer service representatives in the field remote access to the company's customer information system could improve MTS' ability to compete, yet unauthorized access could jeopardize the company's well-being.
The need for remote access was great enough that the company allowed it initially on the basis of user name and password, but Berti worried that an invader would eventually learn one of the passwords. Although no break-in attempt was ever detected, he decided not to wait.
An embedded key unlocks data
Berti invested in the VACMan/Server and AccessKey II security tokens from Vasco Data Security, Lombard, Ill.
The security industry recognizes that passwords represent only the first level of authentication security. The three components of authentication are commonly expressed as:
* What you know: a password or PIN;
* What you have: a security key or token; and
* What you are: a fingerprint or retinal scan.
While the third factor remains exotic for some purposes, a combination of "what you know" and "what you have" is usually adequate for protecting sensitive information. The "what you have" portion can be implemented in hardware as a physical key or token, or in software as a numeric key stored as a binary file. Software keys are convenient since they can be distributed electronically. However, Vasco's approach is to control access to crucial corporate data by embedding the security key in a hardware token.
Generically, Vasco provides a challenge-response system. The VACMan security server generates a numeric code, which is displayed on the user's screen as a bar code, a "challenge" the client must answer before gaining access to a secure system. The AccessKey II reads the bar code and generates an appropriate cryptographic response, which appears as a numeric code on an LCD screen, and which the user must type into the computer before gaining access to the application.
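As an added illustration of the exchange just described (this is not Vasco's code; the article does not describe the token's actual algorithm), here are both sides of a challenge-response login: the server issues a one-time numeric challenge, the token answers with a keyed hash of it (HMAC-SHA256 and the per-token secret are assumptions), and the server checks user ID, password and token response together, rejecting replayed responses and stale challenges.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo secret, assumed to be embedded in the token and held in the
# server's user record. The page does not describe Vasco's actual algorithm.
TOKEN_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def token_response(secret: bytes, challenge: str, digits: int = 8) -> str:
    """What the token computes: keyed hash of the challenge, truncated to a
    short numeric code the user can read off an LCD and type in."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


class ChallengeServer:
    """Server side of the exchange: issue a one-time challenge, then check
    user ID, password and token response together."""

    def __init__(self, users: dict, ttl: float = 60.0):
        self.users = users      # user_id -> (password, token secret)
        self.pending = {}       # user_id -> (challenge, expiry time)
        self.ttl = ttl

    def issue_challenge(self, user_id: str, now: float = None) -> str:
        now = time.time() if now is None else now
        challenge = str(secrets.randbelow(10**8)).zfill(8)  # random, not a counter
        self.pending[user_id] = (challenge, now + self.ttl)
        return challenge

    def authenticate(self, user_id, password, response, now=None) -> bool:
        now = time.time() if now is None else now
        record = self.users.get(user_id)
        pending = self.pending.pop(user_id, None)  # single use: a replayed
        if record is None or pending is None:      # response finds no challenge
            return False
        challenge, expiry = pending
        if now > expiry:                           # stale challenge
            return False
        # Plaintext password compare is a stand-in; real servers store a hash.
        pw_ok = hmac.compare_digest(record[0], password)
        tok_ok = hmac.compare_digest(token_response(record[1], challenge), response)
        return pw_ok and tok_ok
```

A login is `issue_challenge` on the server, `token_response` on the token, then `authenticate` with the typed code; calling `authenticate` a second time with the same code fails because the challenge was consumed.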
"Now anybody dialing in or having remote access to our enterprise network has to have three things: the user ID, a password and the challenge-response token. We can be 99.9 percent sure that the person getting into our system is authorized to do so," says Berti. "The hardware token provides an extra level of certainty." A token can be used from any workstation, including office, laptop or home computers.
"On a per-user basis, we can know exactly what users are doing, and we can dictate exactly what servers they can and cannot see on our enterprise network," Berti explains.
MTS has used the system for remote access successfully since fall of 1996.
There was some resistance to the introduction of the tokens, but Berti says it dissipated rapidly. "There's a learning curve involved with everything, but the tokens are easy to use. The only problem we saw at the time was that the tokens are a little bulkier than, say, a credit card, so it isn't something that people can just stick in their wallets and carry around. But it is something that people can carry attached to a keychain."
Berti also thinks the system may make things easier over the long haul by using the same authentication process for all applications. "We want to authenticate users based on the tokens so all they have to do is flash the thing up on the screen, and the system will know that this is John Berti and he's allowed into the Internet, the corporate modem pools, certain critical systems and accounts payable and receivable. Everything is going to be included in the tokens," says Berti.
Additional security functions
Berti is investigating a third-party building security system that would use the AccessKey II to unlock doors. The idea is to use a proximity sensor in conjunction with the token, replacing the separate key cards employees now carry.
Another possibility is to use the code generated by the security token for encrypted transmissions across the network.
Integrating the security system with existing applications has proven remarkably easy, says Berti, even though they are running on a variety of server platforms. Remote access is provided by a U.S. Robotics modem pool.
"We haven't had any problems with the server itself or the tokens themselves," Berti says. The manpower demand of the implementation has also been minimal.
Berti remains cautious about using the technology on the Web, however. Although MTS is taking some first steps toward electronic commerce, Berti sees inherent risks in doing business on the Internet. While a hardware key could reduce some of those risks, he sees a practical limitation. "I don't think we want to issue a token to everyone who wants to do business with MTS," he says. But he concedes that there might be some business-to-business Internet transactions for which issuing tokens to large customers might make sense.
© 2008 Penton Media Inc.