Standardized authentication to ensure enterprise intranet security

Source: Internet
Author: User

Intranet security: In the face of threats, firewalls, anti-virus software, IPS and similar products are often ineffective. These products are widely deployed in enterprise networks, but they are designed mainly to protect against threats from the Internet.

CA: A third-party trust institution that uses PKI (public key infrastructure) technology to provide network identity authentication services. It is responsible for issuing and managing digital certificates and is authoritative and impartial; it acts like an agency that issues credentials in real life, such as a passport office.

Intranet security is data-oriented

There are many factors involved in intranet security and a variety of product forms, so the order in which they are deployed matters. In general, intranet security focuses on the sources of information security threats: intranet users, application environments, the boundaries of those environments, and the security of intranet communication. Therefore, building a feasible and easy-to-use protection system on the enterprise intranet is the key to deploying intranet security.

How can intranet security be implemented effectively? In addition to a sound intranet security mechanism, data encryption is an effective tool for protecting valuable enterprise data. A data encryption solution can protect all files (including operating system files) on the hard disks of laptops, workstations, servers and other devices. Even if a hard disk is stolen, the enterprise can be confident that the data cannot be viewed or obtained by unauthorized users. Even if hackers intrude into the enterprise's servers, they cannot compromise the data and information assets on them, because those assets are protected by encryption.

Alongside effective data encryption, identity recognition can also help users achieve strong protection. With the promotion and implementation of China's "Sarbanes-Oxley"-style regulation, the Basic Rules on Internal Control of Enterprises, major companies are currently overhauling their internal IT controls, and identity recognition is a key issue in the industry. An effective identity recognition method provides the strongest support for tracing behaviour, assigning responsibility and building an audit evidence chain. The value of this process lies in its ability to: allow access by persons who need it for legitimate reasons; reduce risk by limiting the exposure of information assets; establish a monitoring mechanism that traces events to specific users; manage similar user groups efficiently; and meet the risk management requirements of internal control. Therefore, establishing identity recognition methods that comply better with legal and audit requirements is a prerequisite for every excellent enterprise that wants to improve internal control and enhance its core competitiveness.

Identity authentication can be performed with smart cards, one-time passwords or tokens; naturally, the authentication method must be customizable, and a password or a token can serve as the authorization factor. Real identity authentication technology does not burden users with tedious steps. Enterprise users log on to many application systems every day, so simple operation combined with strong protection that does not interfere with users' work is what provides a secure and convenient environment.

Digital certificates authenticate identity

At present, identity recognition technology in enterprise networks is divided mainly into user-to-host authentication and host-to-host authentication. In an enterprise's unified identity authentication framework, the centralized authentication system must support existing authentication methods as well as methods that may appear in the future, so that administrators can select the one they need.

During the investigation, the reporter learned from senior industry figures and from Li Yanzhao, senior vice president of Tianwei Integrity, that enterprises generally need to consider the following principles when selecting an identity authentication method. First, security must be sufficient: the authentication method must not be easy to imitate (including copying the authentication credential or replaying the authentication process) or to attack (including DoS attacks). Second, the cost must be appropriate: security and cost are often inversely proportional, but an enterprise can neither adopt an insecure method to reduce cost nor ignore cost in the pursuit of one-sided security. Third, it must be convenient to use: everything is for the users, and if they are put off by the inconvenience of use, all security measures become ineffective. Fourth, open API interfaces must be provided so that the authentication method can be integrated into current and future application frameworks.

A digital certificate-based authentication method can meet current and future enterprise intranet security requirements. A digital certificate is a set of data that marks the identity of a network user; it identifies the parties in a network communication and so solves the problem of "who I am" on the network. Encryption technology built around digital certificates can encrypt and decrypt information transmitted over the network and create and verify digital signatures, ensuring the confidentiality and integrity of information transmitted over the Internet, the authenticity of each transacting party's identity, and the non-repudiation of signed information, thereby securing the enterprise's various network applications.

For enterprise users there are two ways to build an identity authentication system based on digital certificates. The first is the self-built mode: the enterprise purchases a complete set of PKI/CA software and then establishes the full set of related service systems. In this mode, the enterprise takes part in establishing, maintaining, training for and operating the entire PKI process and is fully responsible for everything around the PKI software: systems, communications, databases, physical security, network security configuration, high-reliability redundancy design and disaster recovery, as well as the PKI experts, legal expertise and funds that operating the system requires.
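The self-built mode amounts to operating your own root of trust. The following script is an illustration added here; it is not part of the original article and not the code of any product or company mentioned in it. It uses the openssl command line to stand up a minimal enterprise root CA, issue a user certificate from a certificate signing request, validate that the certificate chains to the enterprise root, and check a digital signature made with the user's private key, which exercises the integrity, authenticity and non-repudiation properties described above. It also shows the two checks a relying party most needs: a certificate for the same user name issued by an unrelated CA is rejected, and a signature does not verify over a tampered document. All names (Example Enterprise, alice, enterprise-root, untrusted-ca), the sample order document and the file layout are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article: a minimal self-built CA with the openssl CLI.
# Names, paths and the sample document are constructed for illustration.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained openssl config so the script does not depend on the system openssl.cnf.
# v3_ca marks the root as a CA; v3_leaf marks user certificates as signing-only end entities.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# build_ca NAME: create the CA's private key and a self-signed root certificate.
build_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/$1.key" -sha256 -days 365 \
    -config "$WORK/req.cnf" -extensions v3_ca \
    -subj "/O=Example Enterprise/CN=$1" -out "$WORK/$1.crt"
}

# issue_cert CA USER: the user generates a key pair and a CSR (the private key never
# leaves the user); the CA signs the CSR. Credential files are named USER-CA.{key,crt}.
issue_cert() {
  cred="$2-$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$cred.key" 2>/dev/null
  openssl req -new -key "$WORK/$cred.key" -config "$WORK/req.cnf" \
    -subj "/O=Example Enterprise/CN=$2" -out "$WORK/$cred.csr"
  openssl x509 -req -in "$WORK/$cred.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -sha256 -days 90 -extfile "$WORK/req.cnf" -extensions v3_leaf \
    -out "$WORK/$cred.crt" 2>/dev/null
}

# verify_cert CA CRED: exit 0 only if CRED's certificate chains to the trusted root CA.
verify_cert() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# sign_file CRED FILE: detached SHA-256/RSA signature over FILE, written to FILE.sig.
sign_file() {
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

# verify_file CRED SIG FILE: exit 0 only if SIG is a valid signature over FILE by the
# public key bound to CRED's certificate.
verify_file() {
  openssl x509 -in "$WORK/$1.crt" -pubkey -noout > "$WORK/$1.pub"
  openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$2" "$3" >/dev/null 2>&1
}

# Demo: the enterprise root, a legitimate user, and an impostor certified by an unrelated CA.
build_ca enterprise-root
build_ca untrusted-ca
issue_cert enterprise-root alice
issue_cert untrusted-ca alice

printf 'approve purchase order 4711\n' > "$WORK/order.txt"            # constructed sample document
printf 'approve purchase order 4712\n' > "$WORK/order-tampered.txt"   # one digit changed
sign_file alice-enterprise-root "$WORK/order.txt"

verify_cert enterprise-root alice-enterprise-root && echo "alice's certificate chains to the enterprise root"
verify_cert enterprise-root alice-untrusted-ca || echo "impostor certificate rejected: not issued by our CA"
verify_file alice-enterprise-root "$WORK/order.txt.sig" "$WORK/order.txt" && echo "signature over order.txt verified"
verify_file alice-enterprise-root "$WORK/order.txt.sig" "$WORK/order-tampered.txt" || echo "tampered document fails verification"
```

The point of the two negative checks is that trust comes from the chain to the enterprise root, not from the name in the certificate: the impostor's certificate carries the same subject but is rejected because the relying party only trusts enterprise-root.crt. A production CA would add what the article lists under the self-built mode (protected key storage, revocation via CRL or OCSP, operating procedures and redundancy); this script deliberately shows only the cryptographic core.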

The second is the service mode, in which the enterprise purchases authentication services from a third party. Using the integrated PKI platform of a third-party CA service provider, the enterprise combines its own front end with the highly reliable and secure third-party PKI back end to provide certificate services. In this mode the enterprise's CA is hosted by a trusted third party; the complex, specialised PKI core services and their maintenance are handed to the professional third-party CA, and the enterprise does not have to bear all the investment and risk of complex equipment, PKI experts and legal experts on its own. Digital certificate-based electronic signature technology fully complies with the requirements of the relevant laws in China and enables high-end applications such as electronic contracts and online bidding.

The product-oriented self-built CA and the service-oriented hosted CA are two different construction modes, but they do not conflict, since each has its own strengths. When building a digital certificate system, an enterprise needs to study its own needs carefully and select the appropriate mode: self-build where self-building is needed, and purchase a service where third-party transactions are involved and the risk is better resolved that way. In this way each enterprise can find the authentication system construction model that suits it.

Simplicity and reliability are the key

According to Li Yanzhao, drawing on Tianwei Integrity's years of practical experience with mainstream manufacturers in the industry, most large enterprises emphasize autonomous control of the system when building a CA certification platform, and the self-built CA model is then more suitable. With a self-built PKI/CA system the customer must consider subsequent operation and maintenance, establish a complete operations management system, and take responsibility for daily maintenance and upgrades. Here the customer can draw on the operations management experience of a third-party certification center and the operations management consulting service it provides to build its own operations management system, and can use the maintenance and upgrade services of the PKI/CA software provider for routine maintenance and upgrades.

Li Yanzhao also stressed that self-built CA platforms usually take a long time, and enterprises need to implement them in stages according to their own situation, because a self-built PKI system requires approval by the competent authorities, fund raising, PKI product certification, preparation of the physical environment, system installation and debugging, formation of operating procedures, system certification, and registration and operation. For smaller enterprises, or where only core businesses such as financial systems and contract approval systems require CA support, the service model can be adopted in full. In the third-party service mode, the construction of the PKI/CA core back end (including its security, reliability and stability), its operations management and its system maintenance are the responsibility of the third-party PKI/CA service provider. The enterprise only needs to purchase the PKI/CA service from the provider and to build, operate and maintain some local systems.

With the development of PKI/CA, products in the self-built and service modes have become very different, and technology is no longer the main factor in users' choice; the most important factor is the application model the technology supports. In China, self-built PKI and service-based PKI will coexist for a long time. Today there is still a considerable market for self-built CAs. From the perspective of industry development, CA certification services operated on a market basis have a larger market in some e-commerce application fields.

The diversity of customer requirements poses a huge challenge to the service capabilities of CA service providers. Currently there are not many CA service providers on the market that can offer both construction modes. From the perspective of market development, however, CA certification services tailored to a variety of service modes according to the actual application needs of enterprises will become the mainstream. Taking iTrusChina, currently active in the field of electronic certification services, as an example: the company can now provide enterprises with PKI/CA services in various modes to meet the actual application requirements of all types of enterprises. At the same time, Tianwei Integrity still devotes a lot of energy to making CA easy and convenient for users.

It is understood that Tianwei Integrity is VeriSign's top partner in China. By drawing on VeriSign's technology and operations management experience, the company is now able to provide enterprises with highly reliable PKI/CA services at the fastest speed, with the latest technology, in the easiest way and with the most appropriate investment, helping enterprise users solve the various security problems of network applications.

After years of development, CA certification services are no longer a simple security concept but are applied more practically to the actual business of the enterprise. In this context, stable and reliable multi-service capabilities and qualification to operate third-party electronic certification services will become the key for service providers to win the market.
