Security Technology Executive

MAY-JUN 2018

Issue link: https://securitytechnologyexecutive.epubxp.com/i/994589

Continued from page 10

A$$1Gn1ng $af3 C@m3r@ Pa$$w0rd$

TECH TRENDS

certificates and other credentials. The provisioning of certificates tells the system that the device communicating to it is really the expected device and not an imposter. KeyScaler automatically quarantines new devices until validated, or keeps a device quarantined and generates an alert to the system administrator.

To prevent theft of certificates and unauthorized use, the Device Authority agent stores the certificate and associated key pair in an encrypted state. The agent will make decryption available only to authorized applications defined in the credential provisioning policy on the KeyScaler server. By binding the certificate to the device, KeyScaler can detect misuse of certificates that are stolen or copied to another device.

In another approach to securely provision credentials, Bosch has partnered with SecureXperts to load CHAVE cameras with signed X.509 certificates, allowing trusted communication with these devices. Further, passwords are eliminated entirely by provisioning users with smart card credentials to allow device access.

A Vendor-Agnostic Solution

Both of the approaches highlighted have technical merit, but they also have a limitation on manufacturers they can currently work with. With many installations employing a mix of different devices, additional techniques would be needed to cover the remaining devices.

Back in 2016, I wrote about an innovative password provisioning program implemented by security integrator Contava to securely provision passwords to security techs in the field (www.securityinfowatch.com/12242602). I circled back with David Sime, now VP of Technology for Paladin Technologies, which acquired Contava in 2017.

The approach, which uses a product from Click Studios (www.clickstudios.com.au) called Passwordstate, involves VPN access from the field to a Paladin password server, which responds with a strong encrypted password. Passwords are tied to specific devices through a device identifier.

Sime says this effort was very successful, adding that "there was obvious resistance by our techs up front, but once we got them there, it took away a lot of their frustrations by having the information at their fingertips. It is a balance between usability and security."

Provisioning updated passwords across the enterprise is more of an issue with this approach and involves a mass export operation – which in itself can have security ramifications. Sime is now evaluating an enterprise-level offering from 1Password to shed the requirement for an internal password server.
