Microsoft Strengthens Authentication for ISA Server and Pocket PC

Redmond signs deal with RSA to use SecurID component and token technology.

• By Matt Migliore
• 10/30/2002

Microsoft has licensed the ACE/Agent component of RSA's SecurID two-factor authentication software for ISA Server. The component architecture will allow Microsoft to integrate SecurID into ISA Server as well as other Microsoft applications.

Designed to provide secure, fast and manageable Internet connectivity in enterprise environments, ISA Server is based on Microsoft's Windows 2000 security and directory policy-based security architecture. With SecurID, Microsoft bolsters the product's support for Internet authentication.

"ISA Server can act as a firewall, VPN server, SSL accelerator or proxy/cache," says John Girard, a vice president and research director focusing on security for IT analyst firm Gartner. "Since it is connected directly to the Internet, it is exposed to attacks. RSA is one vendor of strong authentication tools that can be used [to protect ISA Server from those threats]."

The first SecurID-enabled version of ISA Server is slated for inclusion with an upcoming set of product enhancements.

On the Pocket PC side of the agreement, RSA has developed a SecurID Software Token for Microsoft's portable computing device. Pocket PCs will be able to function as their own authentication tokens and will not require separate hardware tokens for strong authentication. Furthermore, the inherent support for SecurID will allow a Pocket PC to be used as a token for laptop and desktop systems.

Tokens, which are typically used for remote and virtual private network access, offer a high level of authentication. With SecurID Token, for example, each user is assigned a unique number that is run through the token software to generate a pass code. Each time a user wants to access a system protected by RSA's software-based token, the pass code is used to get a pin number. The pin number is only valid for 60 seconds and changes every time a token-protected system is accessed.

Girard believes the addition of SecurID token software to Pocket PC may be a coup for both Microsoft and RSA. "RSA is a security vendor with a long track record and good reputation, and considered by [Gartner] to be the most recognized name in time-based token authentication," he says. "So RSA's announcement may encourage enterprises to see use of the new token as a means to justify more use of strong authentication, while at the same time helping to justify the use of PDAs, as well as reducing the number of devices a user needs to carry, since the PDA is taking the place of a hard token or a soft token on a laptop or desktop."

Ted Kamionek, a senior product manager for RSA, feels the agreement will help proliferate Pocket PC among the enterprise. "We see Pocket PC being adopted on a more and more widespread scale in the enterprise because of its ubiquity and the variety of applications you can use on it," he says.

According to Kamionek, Pocket PC is a good fit for token authentication because it has a lot more functionality than other leading handheld devices such as Palm, with which RSA also has an agreement to provide token-based technology.

Girard isn't sure the RSA agreement will do much to help heal the wounds Microsoft's reputation has suffered in the wake of exposed security holes throughout its product line. "It could abstractedly cast a favorable light on Microsoft, although RSA's product has no direct relationship to many of the specific security issues that Microsoft is dealing with," he says. "All that's really been done here is to put the RSA token software onto a PDA for the convenience of the user."

To read Gartner's research comment on RSA SecurID for Pocket PC, visit www3.gartner.com/DisplayDocument?id=373989&ref=g_search.