2020 is turning into a memorable year for the world, but not for the right reasons. The COVID-19 pandemic has afflicted not only people, but the organisations they work for. Those of us lucky enough to work in jobs that can be done remotely can hopefully adapt to the situation, but we've already seen organisations struggling with the shift to a remote workforce.
This climate also presents new attack vectors for IT systems - new remote access systems are being stood up at lightning speed, perhaps leaving security as an afterthought. Simply adding Multi-Factor Authentication (MFA) to remote access is crucial for protecting systems, especially when so many users will now be coming in from untrusted networks (and likely using poor passwords that can be found in online databases).
To help address some of these risks, we've diverted our development efforts to releasing a product we had planned for release later down the track - Signata Enterprise: Standalone Edition.
Signata Enterprise: Standalone Edition
At a high level this new version of Signata does just one thing, and one thing well: it provisions certificates into enterprise user YubiKeys.
What are Enterprise Users?
If you're a large or small organisation, and you've got Active Directory installed for centralized user management, then Signata Standalone will connect easily to it. Simply search for the user you want to issue a device to, and their details will be retrieved for mapping to any device you wish.
What are Enterprise Certificates?
Cryptographic certificates would likely be one of the most prevalent authentication systems for enterprise after Kerberos, but they're a system most people don't see. In fact, if you're a large enough organisation with one or more Windows servers, we'd wager you've probably already got Microsoft Active Directory Certificate Services offering up a PKI somewhere internally.
Signata Standalone leverages these existing PKI services, letting you assign certificate templates to Device Policies, which then will map your AD users to the certificates issued onto their YubiKeys.
Simplified YubiKey Issuance
Incorrectly managed YubiKeys will leave them open to attack - if you forget to change the management key or PUK, anyone can then reset the user PIN and take full control of the device. Or, if you're setting up several at once and you re-use the same management keys, then a compromise of one device will compromise all of them.
Signata Standalone will set random keys for every device issued, and leave them locked inside of the application. All secrets created by the application are protected with a strong encryption key, so you can focus all of your efforts on securing just that one key, by simply writing it down and putting it into a safe, or storing it in a trusted password manager.
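As an added example (not Signata's code, and not part of the original post), the following Python script turns the two hygiene rules above into something you can run over a provisioning inventory: every device gets its own randomly generated management key, PIN and PUK, and an audit flags any device still on factory defaults or sharing its management key with another device. The default values are the ones Yubico documents for the PIV application; the inventory records are constructed for illustration, and the script neither talks to hardware nor encrypts the secrets at rest.

```python
import secrets

# Factory defaults of the YubiKey PIV application, as documented by Yubico
# (assumption: taken from Yubico's PIV documentation, not from the article).
DEFAULT_MGMT_KEY = bytes.fromhex(
    "010203040506070801020304050607080102030405060708")
DEFAULT_PIN = "123456"
DEFAULT_PUK = "12345678"

DIGITS = "0123456789"


def new_device_secrets() -> dict:
    """Generate fresh, independent secrets for one device: a 24-byte
    management key, a 6-digit PIN and an 8-digit PUK, all from the OS CSPRNG.
    Each call is independent, so no two devices ever share a key."""
    return {
        "mgmt_key": secrets.token_bytes(24),
        "pin": "".join(secrets.choice(DIGITS) for _ in range(6)),
        "puk": "".join(secrets.choice(DIGITS) for _ in range(8)),
    }


def audit_inventory(inventory: list) -> list:
    """Scan records of the form {"serial", "mgmt_key", "pin", "puk"} and
    return (serial, finding) pairs for the two failure modes described in
    the post: secrets left at factory defaults, and one management key
    reused across several devices."""
    findings = []
    # First pass: which serials hold each management key?
    holders = {}
    for dev in inventory:
        holders.setdefault(dev["mgmt_key"], []).append(dev["serial"])
    # Second pass: report per device.
    for dev in inventory:
        serial = dev["serial"]
        if dev["mgmt_key"] == DEFAULT_MGMT_KEY:
            findings.append((serial, "default management key"))
        if dev["pin"] == DEFAULT_PIN:
            findings.append((serial, "default PIN"))
        if dev["puk"] == DEFAULT_PUK:
            findings.append((serial, "default PUK"))
        sharers = [s for s in holders[dev["mgmt_key"]] if s != serial]
        if sharers and dev["mgmt_key"] != DEFAULT_MGMT_KEY:
            findings.append(
                (serial, "management key shared with " + ", ".join(sharers)))
    return findings


# Constructed sample inventory: one untouched device, two provisioned with the
# same (hypothetical) key, and one provisioned correctly.
SHARED_KEY = bytes.fromhex("aa" * 24)
SAMPLE_INVENTORY = [
    {"serial": "1000001", "mgmt_key": DEFAULT_MGMT_KEY,
     "pin": DEFAULT_PIN, "puk": DEFAULT_PUK},
    {"serial": "1000002", "mgmt_key": SHARED_KEY,
     "pin": "482913", "puk": "73910284"},
    {"serial": "1000003", "mgmt_key": SHARED_KEY,
     "pin": "901234", "puk": "10293847"},
    {"serial": "1000004", **new_device_secrets()},
]

if __name__ == "__main__":
    for serial, finding in audit_inventory(SAMPLE_INVENTORY):
        print(f"{serial}: {finding}")
```

Run as-is, the audit reports three findings for device 1000001 (all defaults) and a shared-key finding for each of 1000002 and 1000003, while 1000004 passes clean. In a real provisioning flow the generated secrets would be written to the key with Yubico's tooling and then stored encrypted under a single well-protected key, which is the arrangement the post describes.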
All you need to care about is picking a user, picking a device policy, and clicking Add Device - all the rest is taken care of automatically for you.
More than just Certificates
The beauty of YubiKeys is that provisioning them will unlock more than just remote access solutions. The certificates provisioned onto them can be used to authenticate to websites, authenticate to Windows Hello for Business, encrypt emails, access buildings (if you have a PIV-compatible physical access control system), and much more.
The fine print
You might've gathered by now that there are a few things you need in place to use Signata Standalone:
- You need Active Directory as a trusted source of users to issue devices to.
- You need a Microsoft PKI set up (we can offer advice if you need help with setting up yours) to issue the certificates for the devices.
- You need YubiKeys (they can be bought from Yubico directly, or any of their distributors).
- You need a Windows Server in your domain to install the server software onto, and a Windows Desktop to install the client software onto.
We will extend the product to support other back-end systems as we add features. If there's a particular integration you'd like to see, just let us know and we'll see if we can do it :)
Check it out now here: https://enterprise.signata.net/