RSA SecurID

Abstract

This paper aims to provide very relevant information about RSA RecurID technology and on how it works in a company.  We know that security is always a “battle cry” for most companies, the impact and the effect it brings to the table in a company made it now an essential priority and not anymore as an option.  This paper provides that importance by providing intricate details as to how RSA SecurID offered some of its security features that can help a company to achieve that goal.

RSA SecurID

Introduction

            Many organizations about 10 years back, would not even bother to implement strict security in their operation.  Probably the main reason was most companies are usually operating in a very non-complicated IT infrastructure yet during that time and most are still either mechanical or manual systems.  But as time goes by many companies are embarking to computerized systems, where most people or employees themselves are not anymore doing the “hard labor” type of jobs, instead they are the ones engineered ,these processes and developed it into a computerized systems.  That is why security is always part of the agenda.

Part, in the sense that the organization are keeping or securing not only the hardware assets but most importantly the system and processes that is being kept in the systems itself.  Companies that ranges from in-house systems that works in a department from accounting to high-end production plant systems up to remote and internet-based systems that not only local employees and personnel can access but the entire supply chain collaborative organizations from different companies alike are performing and accessing the system.  In this paper, it will try to provide some of the impact of how RSA SecurID security systems can offer in order to have a well align business process and work smoothly to its users.

What is RSA SecurID Technology/ Tool and its Practices?

            Before getting into the details, we need to understand first what RSA SecurID is is all about.  It is actually a security mechanism developed by RSA Security, where RSA is the Security Division of EMC Corporation, which it’s headquarter is located at Bedford, Massachusetts, USA.  The said mechanism itself performs two factor authentications for a user in connecting to a network resource.  Alternative discussion in its mechanism is that, it consists of “token” or secured token, you may see it like a size of an oversized key which is a piece of hardware.  This is assigned to a designate PC that generates an authentication code at fixed intervals usually at around 30 to 60 seconds that uses a built in clock and the cards factory-encoded random key, which is commonly known as the “seed” and it is often provided as a *.asc file.  Each seed is assigned with different for each token and is being loaded in the RSA SecurID server.  (SecurID, 2007).

            In terms of technology, RSA focuses more on information-centric approach, which is solely to protect the integrity and most especially confidentiality of Level 1 or D1 documents or files, where those level means artifacts that should only be available usually to main stakeholders of the company.  Its high-end leading technology solution provides identity assurance and access control, encryption, and key management, compliance and most of all security information management and fraud protection.  This is why RSA has been part of most industries nowadays, because it gives customers assurance and confidence in performing business and organizing its operations.  (About RSA, n.d.).  The tool itself in terms of its actual use can be applied through wide variety of mission-critical and data application through: (1) VPN’s and WLAN’s, (2) E-Mail, (3) Intranet and Extranet, (4) Microsoft Windows PC’s, (5) Web Servers, and (6) Other Network resources.  (RSA SecurID, n.d.).

 As it became a common part of the processes on the organization, from opening of an employee’s PC upon arriving in the office, to encrypting or decrypting D1 files before sending to mail as attachment, as well as accessing remote servers from laptops or PC’s, these are just some of the very common practices where you can see RSA SecurID technology are being performed.  There are also some instances where it can also be observe, like a system administrator is setting-up virtual directories and database in the web server and database server, where all our highly secures by this technology as well.  No one can access it but only the administrator and within the application or program that the administrator access will also be authenticated and be well restricted automatically to intruders, whether it is accessed remotely or directly in the server.

How does RSA SecurID Technology/Tool and Practices works?

            In a typical organization, most especially those multinational ones, implementing security is not that as immediate as it can be, there are some processes that need to be well understood.  In this case, it is the Security Correspondent of the company who is taking charge in this task.  The Security Correspondent first need to orient the staff about the basic security procedures, ins and outs of the company policies which are relevant to security, like internet usage, mapping of drives, requesting for PC Anywhere or Remote Admin or even terminal services clients and most especially the security policy in installing new software in a PC without prior advise from the management.

It is only after that, and then you can start formally with the implementation or as to how the users can use the RSA SecurID in his or her own use.  There are actually four main key points that need to be followed, first, the user must obtain a Security ID token, second, Activation and usage, which can only be done by the Security Correspondent, third, replacing the token in case for damage or lost, and lastly, FAQ’s, if there will be clarifications by the users and again, this can only be under the task of the Security Correspondent of the company.

            Obtaining a Security cards, is done first though accomplishment of what is being called General Access Form or any control form used by the company that is given to the new employee.  This form includes all the declaration of policies and guidelines.  Actually, this can be accomplished upon request by the immediate supervisor of the staff to the Security Correspondent.  After accomplishment, the Security correspondent can now activate it for actual usage.  At this point there will be little orientation needed.  Just the do’s and don’ts and most especially hoe to secure it.  Then, there are instances that it needs to be replaced; the Security Correspondent will also be giving direction to the user as to how it will be done.  Lastly, understanding some of the FAQ’s.  Some of the common lists of questions are: (1) How does the Security ID work?

(2) Committing a mistake while entering the pin, how it can be corrected or cleared? (3) The system is asking about PRN number, what is the difference between PRN and PIN No? (4) What are the standard rules for SecurID Pin numbers? (5) If encounter error, password invalid or suspended, what needs to be done? (6) Invalid SecureID PRN, what needs to be done? (7) What are those small black bars to the left of the 6 digit number in the SecurID display? These are somewhat basic questions but sometimes most users may felt confused as to how they could attend to these issues.  The better orientation by the Security Correspondent the better and there should be a survival guide, probably a one pager and not the complete and none-customized manual, because most of it are shown in a very narrative and long discussion format.  Wherein the users would only want to know how and not much of what.  (SecurID Authentication, 2006).

            Just to provide more information as to how companies use RSA SecureID in their organization, the following are some of the good examples that it demonstrated how they actually applied it.

            In general, RSA SecureID technologies have broadened its reach and have well engineered its capabilities in supporting mobile phones, like the Nokia brands.  This was made possible because of the fully compatible feature of RSA to Java technology.  As technology starting to go to its full swing the security feature of RSA continues to evolve as well.

“It has been four years; RSA SecurID Software Tokens have been supported on other leading mobile devices including Microsoft Pocket PC, Palm Treo smartphone, and RIM BlackBerry devices. With new support for Java ME platform and Windows Mobile platform, RSA now provides two-factor authentication functionality for the majority of mobile platforms available on the market today. Certain devices, such as the high performance MOTO Q 9h smart phone, are also designed to provide integration between the embedded RSA SecurID Software Token technology and the device’s VPN client to seamlessly enable two-factor authentication for remote access, creating an easy-to-use, secure corporate network access experience for today’s on-the-go professional.”¹

            The reason why security are now starting to employ in most cell phones, like the one stated above, it is because most of it are already being used for e-mail, browsing through the web and even for chatting on-line.  With that virus and files may also pass through its connection in the internet.  (Vendor, 2007).

                        ¹ Vendor, RSA Broadens Reach of RSA SecurID Two-Factor Authentication Solution With Expanded Support for Leading Mobile Device Platforms. (IT Compliance Institute, 2007) par. 4

            With the full compatibility of JAVA technology, which now the latter is mostly used in development of systems because it is an open source development tool as well as its scalability, another company is also jumping into the “wagon” which is making use of the JAVA technology and the affectivity of RSA technology is Diversinet in Toronto Canada, the company is a leading provider of wireless authentication and access solutions that secure the personal identity, transactions and data of consumers over almost any mobile phone or handheld device.  How the company applies RSA is here below.

“The Company’s Provisioning Server helps to leverage widespread mobile devices that act as authenticators for secure remote access to confidential information by making it safe and easy for users to obtain, install and use the RSA SecurID Software Tokens provided to them by corporate enterprises – including financial institutions, healthcare providers and others. The Diversinet solution can be used by enterprises to extend their existing RSA SecurID deployments to their mobile workforces in the form of cost-effective software authenticators.”

“With new support for Java ME and Windows Mobile platforms, RSA now provides two-factor authentication functionality for the majority of mobile platforms available on the market today. The Diversinet Provisioning Server helps to make it even easier to deploy an RSA SecurID Software Token on a mobile device.

This provides a convenient mechanism for securely accessing network resources, and brings confidence, flexibility and choice in strong authentication to consumers and enterprises,” said Toffer Winslow, vice president of product management and product marketing, Consumer and Access Solutions at RSA. “With Diversinet’s help, we can help accelerate our joint customers’ business objectives by offering expanded security options and cost-savings opportunities, and build the confidence the market needs to sustain its growth by ensuring that confidential and sensitive data is being accessed in a well secured manner by consumers, customers, partners and even the employees themselves.”²

It only shows here that the partnership between the two company, has given wonders for their clients, most especially in the side of financial security.  Transactions are the ones that are being kept properly in this company, the way it should be well secure as well as how it can conveniently be available to anyone, makes security a very important for any processes in a certain organization like what the Diversinet with the help of RSA SecureID.  (Diversinet Provisioning Server supports RSA SecurID(R) Software Tokens with expanded support for leading mobile platforms, 2007).

Technical, Social, Legal and Economic Impact of RSA SecurID

From RSA Company itself, “Security and mobility for customers are two spearheads of our policy. Among other things, we want to offer our customers the possibility to arrange their bank affairs via Internet from any location. It goes without saying that this requires a quick and optimally secured login process. This is why we have deployed SecurID tokens by RSA. Approximately 50,000 customers can use these convenient devices from any location in the world to manage their investment portfolios, transfer money or use other banking services.”³

² Diversinet Provisioning Server supports RSA SecurID(R) Software Tokens with expanded support for leading mobile platforms. EETimes Online, Global News for the Creators of technology. (EETIMES, 2007) pars. 3-4

            ³ Diepen, Van Paul. Keybank Case Study, Customer Success Stories. (RSA, n.d.) pars. 1

            The impact it brings in terms of technology to the bank, has made transaction very much secured and even has provided satisfaction to its customers, because they can as well rest assured that their accounts will not be used to any fraudulent purposes.  (Diepen, Van Paul, n.d.).

            Also, in the medical field, the RSA technology becomes a very important part of its operation.  The main focus in its security was the patient’s information.

“M.D. Anderson, located in Houston, Texas, has built a worldwide reputation for excellence in cancer patient care, research, education and prevention. Since 1944, more than 600,000 patients have turned to M.D. Anderson for cancer care in the form of surgery, chemotherapy, radiation therapy, immunotherapy or combinations of these and other treatments. With a mission to eliminate cancer, the onus is on the IT department to remove inefficiencies and create secure and accessible systems that allow physicians and other healthcare professionals to focus on their jobs and not technical issues.“⁴

“24/7 access to patient information has become critical to the success of a healthcare organization. Physicians need to access patient information conveniently, wherever they are and whenever necessary. More importantly, this information needs to remain confidential. Prior to implementing a solution from RSA Security, employees accessing the network were only required to use simple passwords, presenting both a major security challenge, as well as a security headache.”⁵

⁴ The University Of Texas M.D. Anderson Cancer Center Deploys RSA SecurID Two-Factor Authentication to Enable the Mobile Physician. RSA, The Security Division of EMC. (Press Release, 2004) par. 2

            ⁵ The University Of Texas M.D. Anderson Cancer Center Deploys RSA SecurID Two-Factor Authentication to Enable the Mobile Physician. RSA, The Security Division of EMC. (Press Release, 2004) par. 3

            The impact of technology to the hospital plays a vital part in securing the patients records, which not only because all of the information are kept in a database, there might also be instances that if the hospital is not careful or even the MD’s themselves, the important diagnosis and treatment for these patients may also be lost and these are important most especially for return visits or follow-ups, because doctors, can only remember these records in print or in data records.  (The University Of Texas M.D. Anderson Cancer Center Deploys RSA SecurID Two-Factor Authentication to Enable the Mobile Physician, 2004).

For the social impact, security nowadays is not only digital or information is the only ones that it affects.  It also affects human being in many forms.  Just like what was stated in the 911 attack, actually it does not only link to technology or any other reason whatsoever.  It primarily involves human concern.  That is why for security, like using RSA, it impacts social being of a person in a way of anxiety, in the sense that most theft nowadays are very smart and they will caught you unguarded if not vigilant.  Take for instance a user that does not change his password for the last six months, his password might be used already by somebody, and can even used for the person’s bad impression, like accessing the internet by using the other person’s account.

“The study, conducted by Opinion Research Corporation under the direction of RSA Security, was initiated to determine changes in attitudes, perceptions and behaviors of consumers as a result of recent security threats. More than 1,000 consumers were asked a variety of questions relating to the impact of key security issues on their lives and purchasing habits. When asked the question, “Which of the following has had the most impact on your awareness of security issues,” 46 percent of the respondents listed the World Trade Center attacks and 22 percent listed identity theft. The war in Iraq and global computer viruses received 19 percent and 6 percent, respectively.”⁶

            It only proves in this paragraph that even a password may hurt somebody, because it is the credibility and the person’s trust is being used by the intruders.  (RSA Security Study Confirms Consumer Anxiety Over Threat of Identity Theft, 2003).

While on the other hand, in the side of legal and economic impact.  There are a lot of impact that goes with it, most especially countries are now establishing laws that can recognized that information security are now should be part of the system.  While in the economy, there are always impacts to it, because security can also be driven by business.  Like in the case below.

“Business acceleration through information-centric security — it is a simple concept, and one that is catching on fast. We help our customers accelerate their businesses by solving their most sensitive and complex security challenges – and freeing them to realize new business possibilities. RSA’s information-centric approach protects information from its core, and we’re proud to offer our customers an integrated set of security solutions to protect valuable information assets throughout their lifecycle.”⁷

            With customers being satisfied, outcome of it is success and increase in the bottom line of the business, like what happen in RSA’s, even though it started just in 2000, the company already not only established its business but gaining profit as well.

⁶ RSA Security Study Confirms Consumer Anxiety Over Threat of Identity Theft. RSA, The Security Division of EMC. (Press Release, 2003) par. 2

            ⁷ RSA provides security solutions for business acceleration to over 8 000 customers in Q4 2006. Secure Data. (Global Research Partners, 2007) par. 5

The nice things about RSA, it can strike a balance between its customers and its employees, because what was worked done well in its customers also made wonders in RSA company itself, because it practice what they sell.

Why is it Relevant to Information Assurance Management?

            Information Assurance Management actually aims to protect the integrity, confidentiality and availability of data or information.  RSA SecureID technology is very much relevant in the sense that it is the tool and technology that can be used to properly implement and apply the (IAM) process.  Because in every organizational process, there will always be a tool to be used and based on the needs and technology available in the market, it is RSA that much in line with it.

How would you justify its Purchase and Implementation?

            First, it is important for the company to see first its current need, the amount of information that it needs to keep, in terms of vulnerability, the confidentiality and availability.  These are the main factor that needs to be considered before buying this tool.  There should be a business case that needs to be presented.  And to make it more presentable and appealing, there should be feasibility study and previously conducted POC’s if there is any, to back up the business case which btw, the most important document that will prove that RSA SecureID is very viable and important because it can generate a lot of savings and can provide increase in its profit.  Justification will all depends on study and situational analysis based on the current situation of the company, how it may affect the entire operation may also be included.  Because affectivity must not be affected if it will be implemented.

Conclusion

            In this paper, it shows how important security in an organization, with some of the proofs through companies that were presented, it only shows that it is not anymore an option but as a mandatory requirement in all organization.  The impact to its operation, that goes even to its customers, employees and the lost of information, has made us convinced that it is important to implement it.  RSA SecureID technology is also considered one of the best tool and technology that can be used in order to secure all pertinent information.  Its proven effectiveness that was also discussed in this paper may just be enough to say that this tool can be used not only securing the process but improving it as well.

References

“About RSA.” RSA, The Security Division of EMC. n.d. < http://www.rsa.com/node.aspx?id=1002>

Diepen, Van Paul. “Keybank Case Study.” Customer Success Stories. RSA, The Security Division of EMC n.d. <http://www.rsa.com/success_stories.aspx?id=1183&node=12>

“Diversinet Provisioning Server supports RSA SecurID(R) Software Tokens with expanded support for leading mobile platforms.” EETIMES OnLine. 30 April 2007 < http://www.eetimes.com/press_releases/prnewswire/showPressRelease.jhtml?articleID=X602833&CompanyId=1>

“RSA provides security solutions for business acceleration to over 8 000 customers in Q4 2006.” Secure Data. 1 February 2007 http://www.itweb.co.za/office/securedata/0702010818.htm

“RSA SecurID.” RSA, The Security Division of EMC. n.d. <http://www.rsa.com/node.aspx?id=1156>

“RSA Security Study Confirms Consumer Anxiety Over Threat of Identity Theft.” RSA, The Security Division of EMC. 15 April 2003 <http://colombia.rsa.com/press_release.aspx?id=2468>

“SecurID Authentication.” Information Protection and Security. Rutgers, The State University of New Jersey. 6 December 2006 <http://infoprotect.rutgers.edu/pswdcds/sid.php>

“SecurID.” ­Wikipedia, The Free Encyclopedia. 20 October 2007 <http://en.wikipedia.org/wiki/SecurID>

“The University Of Texas M.D. Anderson Cancer Center Deploys RSA SecurID Two-Factor Authentication to Enable the Mobile Physician.” RSA, The Security Division of EMC. 12 January 2004 < http://www.rsa.com/press_release.aspx?id=3314>

Vendor. “RSA Broadens Reach of RSA SecurID Two-Factor Authentication Solution With Expanded Support for Leading Mobile Device Platforms.”IT Compliance Institute. 30 April 2007 < http://www.itcinstitute.com/display.aspx?id=3502>