Single-Sign-On Redux

Cylink, Securant work to get partners logged in securely

A pair of security vendors is giving the concept of single sign-on another go, hoping combined architectures and technologies will allay the fears of administrators and CIOs and broaden the possibilities for e-commerce.

Cylink Corp. and Securant Technologies Inc. this week will unveil a partnership that will marry the companies' NetAuthority and ClearTrust SecureControl solutions, respectively, producing what officials at both companies said will be a truly secure single-sign-on platform.

The partners aren't the first to attempt such a feat, as heavy hitters such as Entrust Technologies Inc. and RSA Security Inc. have already tried single sign-on. But Cylink and Securant officials said they believe they've solved many ease-of-use and administrative headaches that have plagued PKI (public-key infrastructure) solutions.

Under the Cylink-Securant partnership, Cylink's NetAuthority PKI product will issue X.509 digital certificates to users, while Securant's ClearTrust SecureControl policy management software enables single sign-on and can also be used to limit access to a predetermined set of applications.

The goal is to give a company's customers, partners and employees a secure avenue of access to the corporate network.

Administrators said such a combination could provide a needed increase in the amount of security governing the millions of online transactions taking place every week among partners, customers and suppliers.

"It's getting tough to know all of your customers and partners, so this kind of security really is a major thing," said Scott Woodison, enterprise security strategist at CheckFree Corp., of Norcross, Ga., a Cylink customer and a provider of financial e-commerce services and software. "The big problem with PKI is the infrastructure part of it, and if that can be made easier, you're on your way."

However, critics of single sign-on and PKI say the combination of these two notoriously problematic technologies is bound to cause more problems than it solves.

Indeed, Cylink and Securant officials acknowledge there are many issues to overcome. "There's always a trade-off between security and convenience," said Eric Olden, chief technology officer at Securant, of San Francisco. "The marketing people want it easy and pretty, and the security people want it to be secure. In general, the user-centric approach [to security] doesn't really work."

Later this month, Securant will roll out a related technology that will automate much of the permission and access-control processes inherent in single-sign-on applications. The software will search all of a corporate network's information repositories—much like knowledge management products do—and extract data on each user to help set or update permissions and access levels.

Cylink is also working on a new technology that will enable its software to issue subordinate certificates. With this feature, a user who logs in to the network once and then tries to access other applications that require a different permission level will be asked for another certificate. By contrast, Entrust's TruePass product uses a single password and digital certificate for associated applications and uses persistent encryption to hide the password throughout a user's session.

While the addition of subordinate certificates would bolster the platform's security, it would also somewhat defeat the purpose of a single-sign-on solution, which doesn't bother Cylink executives.

"I'm not a believer in single sign-on in the strictest sense. It's bothersome," said Bill Crowell, CEO of Cylink, of Santa Clara, Calif. "You need strong authentication and the ability to manage permissions application by application."

In the end, however, security is still the No. 1 priority for customers. "Security is the key to the whole e-commerce process," CheckFree's Woodison said. "It has to be there for anything else to work."