Regulating two-factor authentication

When the Feds decide you need better security

When the Feds decide you need better security  New requirements for accessing the Criminal Justice Information System database require two-factor authentication, and if you're in law enforcement, CJIS is the air you breathe.

The next time you get stopped for a traffic violation, here's something to distract you from thinking about how much your insurance will increase: Back in the police car, the officer will need two-factor authentication to access the database to look up your license number. Don't you feel better? 

New requirements for accessing the Criminal Justice Information System database require two-factor authentication, and if you're in law enforcement, CJIS is the air you breathe.

Is this another busy-work mandate from out-of-touch federal bureaucrats? No, because they have the same concerns as every company with remote offices, home offices and mobile workers. When you connect your network to a remote network, whatever is on that remote network has access to your network. That’s why many companies go to great lengths to secure home office and mobile systems.

Warren County,Ohio (north of Cincinnati), coordinates multiple police departments, and it recently awarded a contract to the local office of MTM Technologies for a two-factor authentication system based on RSA Security’s RSA SecurID Appliance. Designed for SMBs, the RSA SecurID Appliance comes preloaded with RSA's Authentication Manager software.

We've talked about two-factor authentication before (which is based on something you know, such as a password and something you have like a token or smart card). Back in August I told you about CRYPTOCard's push to "Eliminate Static Passwords" and last November I examined that company’s "Happy Meal Security Pack". RSA leads the enterprise security market and aimed its SecurID Appliance at SMBs upgrading their security.

Geoff Green, Systems Consultant for MTM Technologies, helped propose and install the Warren County system. He says, "Initially we connected between 250 and 300 police officers for two-factor authentication for remote access. This system will grow to over 1,200 users eventually."

Warren County uses a Citrix MetaFrame cluster of servers to support remote communications. The RSA authentication goes through a Citrix Web portal. After authentication, users can access the databases they need for their jobs.

Police officers use Panasonic Toughbook notebook computers in their cars. RSA client software asks for a number from the USB keyfob carried by the officers. The client software uses the number on the keyfob to create the one-time password for system access.

Could we get out of a ticket because they can't access the database? Ha!  Although Warren County has a single data center, it has two SecurID Appliances connected to two different Internet links from two different service providers. The system provides the most redundancy possible in a single data center.

Police aren't the only groups impacted by new regulations. Green says his company has installed RSA appliances at hospitals that give doctors keyfobs and client software in order to protect patient records during remote access. And a small financial services firm customer with 60 about people ordered a SecurID Appliance to protect individual's financial records to comply with federal law.

Hardware appliances cost more than software-only solutions, so the price range for a small RSA SecurID Appliance system range from less than $25,000 to around $37,000, depending on client numbers and installation details. Once installed, adding more clients to an existing appliance costs little.

Is security expensive? Yes. But how expensive is no security?

If a police department can't access the federal law enforcement databases, are they a police department any more? How much is it worth to avoid seeing your business shut down by federal regulators? For many SMBs, the long arm of federal regulation reached out and touched them, and network security upgrades are now another cost of doing business.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2005 IDG Communications, Inc.

IT Salary Survey 2021: The results are in