Lieberman Software

PRIVILEGED IDENTITY MANAGEMENT NEWS LINE
 
March 2012

Top of Mind

New Smartcard & Certificate Support

Philip Lieberman, President & CEO
Lieberman Software

Over the last few years we have implemented all sorts of authentication and authorization mechanisms within our products to match the needs of our corporate and government users. Our integrated authentication solutions include LDAP servers, Kerberos, NTLM, RADIUS, as well as a very rich OATH implementation for multi-factor authentication (in addition to RSA SecurID).

Many of our key customers also use PKI for authentication and authorization as well as smartcards, but up until now, our product PKI support has been usable, but not exactly exciting or as flexible as it should be.

Improved Smartcard and Certificate Support

For the next version of Enterprise / Random Password Manager (ERPM), also known as 4.83.4, we decided to implement full-blown PKI support for certificate enrollment, authentication and authorization, in collaboration with some of our major US Government accounts and major commercial accounts. Our goal was to make it easy to use all of the different smartcards and certificate formats, including PIV.

We know that many of our government account users have been asking us to provide a better solution for PKI, and we now have something very exciting to try out – keep reading!

The Back Story

I have always been a huge supporter of PKI, FIPS 201, PIV, HSPD 12 and certificates for authentication, encryption, signing and other usages where physical possession of the crypto device/container can provide both the power and physical security that is needed to really create a secure environment.

One of the inhibiting factors (up until now) in adopting smartcards by ISVs and customers has been the poor situation regarding smartcard middleware and internet browser integration. For reference, in this discussion, the middleware layer provides a standardized way for the operating system and web browsers to read from and manage smartcards and certificates.

Starting in Windows Vista and continuing into Windows 7, Microsoft implemented a really nice certificate and smartcard middleware layer that ships with the operating system (standardized), and also provides drivers for the card readers and cards. Drivers for readers and cards are installed automatically from Microsoft Update when the readers and cards are first plugged into a computer running Windows Vista or Windows 7 (also Server 2008 and 2008 R2).

On older US Government desktops running Windows XP with CAC cards, everything, including reader and card device drivers, middleware and libraries, was proprietary and an extra-cost item. The exclusive use of proprietary solutions in older generations of desktops meant that if a company such as ours wanted to support the government CAC smartcard standard, it was a gigantic pain that required us to obtain development kits and software from proprietary vendors (who were notoriously uncooperative). Since the vendors of CAC cards, readers and middleware generally had little interest in supporting ISVs, very few commercial software packages that supported CAC cards were developed, much to the dismay of the US Government.

A New Day: Universal and Documented Smartcard Support

With the new universal and well-documented smartcard support within Windows, it is now a breeze to support these devices. Microsoft now provides a well-documented programmer interface (API), as well as middleware and transparent access to drivers for common devices and smartcards. Gone is the need to beg for support from middleware vendors who could care less about ISV needs.

This new technology allows the US Federal Government to move forward past the CAC debacle into the era of PIV cards with a fresh operating system that has all of the drivers and middleware built-in or readily available via automatic updates.

The McAfee Connection

We were further inspired last year when we saw the latest version of McAfee ePO (one of our integration partners) and their certificate handling in ePO 4.6 at the last Focus 11 show where we were exhibiting our latest ePO integration.  

What We Are Doing

In our latest release of ERPM that is now in beta, we have provided an easy way to manually enroll client certificates, transparently verify certificates on smartcards and local storage, configure rights and privileges for certificates and more within the console of ERPM.  

You can now configure ERPM for transparent web logon (yes, Internet Explorer and Firefox in a cross platform environment) using the certificates and/or use a combination of shared secrets (user name + password) plus the smartcard to both identify and authorize specific usage capabilities.

Beta Program

If you are a government agency that has been mandated to support PIV (HSPD 12) or a corporate site using smartcards/PKI certificates for authentication, we would like to work with you to test out our latest beta build of ERPM. Please contact me (Phil@Liebsoft.com) to request the beta that incorporates these new capabilities. 

This latest beta has a lot of cool new features besides enhanced PKI support, so even if you are partially interested in PKI, but want to try out some of our other new capabilities (i.e. visualizations and reporting), we also are interested in working with you by having you join our beta program.

What do you think? Email me at: Phil@liebsoft.com. You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.
 

Tech Tip of the Month

Automated Password Synchronization

It's not always easy to keep your passwords in synch across all of your computing platforms. But with Server-to-Server Password Synchronizer your passwords can stay synched across multiple hosts. Here's how.

 
What's New in Identity Week

Featured commentary on our Identity Week blog this month includes:
  • Washington DC E-Voting Exploit Could Have Been Prevented. While Super Tuesday was underway in the presidential elections last week, reports surfaced about an electronic voting platform whose security was compromised after the election board invited external researchers to test its systems...

Events / Press / Analysts
  • Clean Up Easy to Hack Admin Passwords with Password Manager EPRM. InfoTech Spotlight - Password Manager Feature Article. You've probably got a lot of passwords in your network that are extremely easy to crack and that's because they're built-in administrator passwords. Leaving them in once you've started using the network is kind of like leaving in that picture that comes with the frame when you buy it. Wouldn't you rather be using your own password manager?
  • IT Security: The Scary New Hacking Trend. The Data Center Journal. Starting with Operation Aurora — the brazen 2009 cyber attacks on Google and other large enterprises — through to the recent high-profile data breach that shut down certificate authority (CA) DigiNotar and the recent breach of VeriSign, hackers have learned to exploit a frightening and frequently ignored lapse in network security to gain control of victim networks.
  • Lieberman Software says e-voting flaw could have been prevented. Global Security Mag. As Super Tuesday got under way in the US elections last week, reports started coming in about an electronic voting platform whose security was massively compromised after the election board invited external researchers to test its systems.
  • What's hot at RSA 2012. Network World. Enterprise Random Password Manager's new "known password discovery" feature scans your network, detecting and securing default and well-known privileged logins that make it easy for unauthorized individuals and malware to access private data.
  • Securing privileged accounts. IT Web Security. From Operation Aurora, the 2009 cyber attacks on Google and other large enterprises, to the recent breach of VeriSign, hackers have learnt to exploit a frightening and frequently ignored lapse in network security to gain control of victim networks.

Lieberman Software Corporation
1900 Avenue of the Stars, Suite 425
Los Angeles, CA  90067
                 Liebsoft.com    |    (01) 310-550-8575  |   newsletter@liebsoft.com