Information Technology Reference
In-Depth Information
peer-to-peer system where there are no centralised mechanisms that can accumulate the
various audit trails which allow me to trap such a problem. With a centralised solution
such as a Co-sign, I also give you an audit trail. You either receive a statement once a
month, where you have all the digital signature transactions that you have performed
over the past month and you have the chance to go through them and say that you do not
ever remember making this transaction, or you can login and view the audit trail.
Authentication is the easiest key to manage. You can give someone an authentication
key or a token and he loses it; he comes back to the organisation's security officer and he
is given a different key. Nothing happened when you lost the key. So, you can use
certificate-based authentication for the authentication but use digital signature keys
centrally.
Handy : There is a human engineering problem regarding the technology we use. If I
have two or three bank accounts, a secret account, or an unclassified US account,
eventually I have got so many keys and so many passwords that they have to be written
down. Is there a solution employed for that?
Aharoni : A good point but again an authentication question and it is a difficult
problem. Various people try to solve it in various ways; there are for example smart cards
that manage all your passwords for you, so you will have to remember the password for
the smart card and then the smart card sends the password for you depending on where
you are connected to. It is a good system because it also allows you to use a very
sophisticated password. So when you logon to the network you can have a password that
does not have to be a combination of the names of your kids or your ex-girlfriend
because you never actually change the password when you move to a new girlfriend. It
can actually be a very long and lengthy password stored on a smart card. You
authenticate the smart card and the smart card authenticates you to the system. This is
one way of solving it although there are other ways. Again this is an authentication
problem and it can be solved in various ways, perhaps by convincing some organisations
to co-operate.
Amaral : Firstly you said we needed to use PKI to solve security problems. Then you
said it is hard to do it even for an enterprise, so do you have a solution? Hearing the
discussion, it seems security is complicated and there are many things that technically are
difficult to solve. Security culture is not well-understood by everybody. I also hear that
security is one of the main problems in not allowing business to connect to business or
business to connect to consumers and everywhere there is continuous growth but
everybody is afraid to put their visa card number on the computer. I wonder if there is
any hope. What is your opinion? I would say there is no hope for the next twenty to
thirty years, perhaps even more. Security will continue to be a problem and your solution
is not the solution to this main problem. This is a people's problem and not an enterprise
problem.
Aharoni : If you look back a couple of years or more, we had a complete VPN remote
access solution that I myself was trying to sell in 1995. And I could not and I tried to
persuade people to use remote access, but you have your employees connecting from
goodness knows where in your organisation. Do you feel comfortable doing that without
any security? It was difficult getting people to understand why it is important to install a