CrossNodes Briefing: Authentication - Page 2
The Importance Grows
The emergence of e-commerce systems and the acceptance of digital signatures as legally binding consent also pushed developments in authentication. The World Wide Web provides a flexible platform, but that flexibility comes at the cost of privacy and security. Still, financial institutions, retail sites, and companies seeking to create electronic links with customers and suppliers see the appeal of a convenient, easy-to-use, and pervasive network. The full growth of e-commerce, however, remains limited by security concerns.
Vendors are addressing the problem. Microsoft, for example, included the Security Support Provider Interface (SSPI) in Windows 2000. SSPI supports a range of APIs that can perform authentication, context management, and message security. The developer also released a digital certificate and electronic signature system called Passport. Through this system, registered users can submit payment, and the authentication system assures companies that the transaction is legitimate.
In addition to Microsoft, vendors such as IBM, Hewlett-Packard, Oblix, Securant Technologies, and Tivoli Systems offer security suites that include authentication utilities.
A Search for Standards
The market needs standards, and these will emerge. Several committees exist to look at creating secure network connections and transactions. An XML standard called Security Assertion Markup Language (SAML) focuses on securely transferring authentication and authorization information. Under SAML, security can be built into the XML code based on the content being transferred. This shifts control to the content provider.
Obviously, implementing an authentication system can be complex. The network manager must register each user and the associated systems. This information generally resides in a database, but the database must be secure. As a result, many companies turn to third-party providers to establish an authentication and encryption system. This implies some loss of control. Therefore, network managers must carefully assess the risk to their networks and the ability of in-house personnel to support an ongoing authentication system before they select an approach.
Gerald Williams serves as director of quality assurance for Dolphin Inc., a software development company. Williams has extensive background in technology and testing, previously serving as editorial director with National Software Testing Labs (NSTL), executive editor with Datapro Research, and managing editor of Datapro's PC Communications Reference Service.