-
August 29th, 2011, 05:54 PM
#1
Junior Member
Hardware based password managers vs Cloud?
I'm looking for a small business password solution. The recent LastPass breach concerned me, then I read this article http://mylok.ii2p.com/blog/cloud-bas...they-safe.html
and am almost over the fence on using a hardware based solution for our employees.
Does anyone have any experience in using either method on a business level? Success/Failure?
-
August 29th, 2011, 07:41 PM
#2
For business and home I've always used PCs with a trusted platform module (hardware) that allows the use of security devices such as SecurID cards and biometric devices.
I'm now retired but I would neither recommend using cloud services for any business critical function nor recommend storing data in the cloud. The two primary reasons are security and loss of control.
-
August 30th, 2011, 10:00 AM
#3
steve is a douche, but he's right...usually companies use cards, as opposed to biometrics...'swipe your ass on the door game'.
Every now and then, one of you won't annoy me.
-
August 30th, 2011, 01:38 PM
#4
My daughter works for a printing company (mostly forms and labels) that uses biometrics extensively for simple things such as time clocks, door access, etc. Surprisingly they have no security on their PCs, just a userID and password. That isn't real security.
@bludgeon
I don't know which Steve you are referring to since Mr. Jones didn't post in this topic. No matter, lay off the personal attacks.
Last edited by ua549; August 30th, 2011 at 01:42 PM.
-
August 31st, 2011, 11:21 PM
#5
Junior Member
But what about a USB device? You have control and they don't utilize a cloud based system. A private company I previously worked for used cards but also had a serious security breach a couple years back.
-
September 1st, 2011, 12:51 AM
#6
Security is only as good as the administration thereof. Every security system has weaknesses. The networks I managed/consulted were Orange Book C2 secure with all removable media devices disabled, if they were present. We used time-synchronous authentication where the password changed every 60 seconds. I retired in 1998 so I'm sure there are better methods today though my bank still offers it to their customers for online banking.
-
September 1st, 2011, 12:21 PM
#7
Well, I guess I have used most variants... plastic keys, RFID, swipe cards, tokens, user ID and passwords.
I think that you need to distinguish between physical (access) security and system security.
Biometrics and keys are fine for physical access, with biometrics being superior in that you cannot lend them to anyone or lose them.
RFID is pretty good as you can use it to control doors and track a person's whereabouts, so you know if there is a non-registered RFID device on the premises or if a person is in two places at the same time.
Tailgating is a problem with a lot of these systems, as once the door is open there is usually no control over how many people pass through.
This can be catered for and biometric systems are probably superior in this area as well.
In a small business this shouldn't be an issue as everyone should know everyone else?
For systems security I would go for a card but the plug-in type rather than a swipe (they are more reliable in my experience). This is worn round the neck and if removed without logging out will lock the workstation. Make sure that the door access is driven by the same mechanism or one permanently attached to it. That way you force them to logout or lockout if they want to leave the room.
Otherwise I would use a token (RSA for example), that continuously generates one variable part of a two part authentication.
In both cases you must have a regular user ID and password so that you need both parts to gain access.
USB is not a security solution, it is a connection type, and a singularly unreliable one at that... I would steer well clear.
"We used time-synchronous authentication where the password changed every 60 seconds. I retired in 1998 so I'm sure there are better methods today"
I am not so sure, I was using it many years after that!
"My daughter works for a printing company (mostly forms and labels) that uses biometrics extensively for simple things such as time clocks, door access, etc. Surprisingly they have no security on their PCs, just a userID and password. That isn't real security."
Actually it is probably perfectly adequate given properly implemented physical security and effective HR. You would still have to get into applications, which have their own user ID and password.
I am assuming that only machines in particular locations are permitted to connect to specific servers and applications suites, and that users are similarly restricted.
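The time-synchronous scheme mentioned in posts #6 and #7, combined with the user ID and password that post #7 requires alongside it, as an added example that is not part of the thread or any vendor's code. It uses the open RFC 6238 TOTP algorithm as a stand-in for whatever the tokens named in the thread run internally; `TwoPartLogin`, the 60-second step and the one-step drift window are assumptions.

```python
import hashlib
import hmac
import os
import struct

STEP = 60  # assumption: one code per 60 seconds, as described in the thread

def totp(secret, now, step=STEP, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the time step that contains `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TwoPartLogin:
    """Hypothetical verifier: password AND a fresh token code must both match."""

    def __init__(self, drift_steps=1):
        self.drift = drift_steps  # tolerated clock skew, in steps either side
        self.users = {}

    def enroll(self, user, password, token_secret):
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pw": _pw_hash(password, salt),
                            "secret": token_secret, "last_step": -1}

    def verify(self, user, password, code, now):
        rec = self.users.get(user)
        if rec is None:
            return False
        pw_ok = hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw"])
        current = int(now // STEP)
        matched = None
        for step in range(max(0, current - self.drift), current + self.drift + 1):
            expected = totp(rec["secret"], step * STEP)
            # Skip steps already used so a captured code cannot be replayed.
            if step > rec["last_step"] and hmac.compare_digest(expected.encode(), code.encode()):
                matched = step
        if pw_ok and matched is not None:
            rec["last_step"] = matched
            return True
        return False
```

A failed password does not consume the time step, so a legitimate retry within the same window still succeeds; a successful login does, which is what blocks reuse of an observed code.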
-
September 1st, 2011, 02:52 PM
#8
Your mention of tailgating reminded me of Barnett Banks of Florida, now part of Bank of America. On their headquarters campus they eliminated tailgating by a) tracking a person's location, b) controlling access in both directions through a door and c) using single person turnstiles or rotating doors on all entrances and exits for each campus building. If one got caught someplace where the computer did not have them located, they had to call security to get released. A security infraction was a major black mark for employees and visitors alike.
-
September 1st, 2011, 03:13 PM
#9
Junior Member
Originally Posted by nihil
I think that you need to distinguish between physical (access) security and system security.
True, I'm talking system security. I've seen security tokens, but we're not near that level. I want to make sure our passwords and files are secure, without it being too complicated. You know the type...
-
September 1st, 2011, 03:15 PM
#10
Junior Member
Originally Posted by ua549
If one got caught someplace where the computer did not have them located, they had to call security to get released.
A little too big-brother-ish for me, that's crazy.