Sorry for the delay in responding, gentlemen. A post-Thanksgiving holiday had me off-line. Now, with the turkey feast mere memory, I get to eat a bit of crow.

I was wrong. There is no Rocket Agent to support SecurID on VM at this time. I had read about the Rocket Agent for SecurID on mainframes, but I had apparently confused a reference to a Rocket Agent on z/OS, running as a VM emulation, with a Rocket Agent running natively on a VM machine. My "can do" Thanksgiving Day post was inadvertently misleading. Mea Culpa.

(RSA's SecurIDs -- as regulars here doubtless know, but others might not -- are a family of personal authentication tokens, in a variety of hardware and software form-factors, which use AES to continuously generate and display a series of one-time passwords [OTPs]: 6-8 digit "token-codes" which change every 60 seconds, and are only valid for a minute or two.)

(Used in conjunction with a user-memorized password -- as Anne and Lynn Wheeler's encyclopaedic comments explain -- SecurIDs and similar OTP tokens provide two-factor authentication [2FA]. Some 2FA mechanisms, certainly including tokens, are predictably more robust than others in the face of various attacks, so threat and risk analysis are necessarily part of any choice among them.)

I called Rocket Software yesterday and I was told that their Agent for support of SecurID 2FA on z/OS and OS/390 will not run natively on z/VM. VM is reportedly on Rocket's product development schedule, but how soon it will become available will depend upon the demand. (Rocket has just released version 3 of their SecurID Agent for z/OS, however, which offers integration with ACF2, as well as RACF -- something that may interest Tom and others with similar CA allegiances.)

I would be surprised, however, if Tom can't already find groups within his Department which have already purchased the SecurID Rocket Agent for z/OS. RSA is doing a lot of business with federal agencies with big iron. First-hand reports of the user experience with SecurID tokens should not, in any case, be difficult to find. There are some 15 million SecurIDs now in use.

I suspect that many current SecurID token-holders -- as the value and necessity of strong 2FA have become more widely accepted -- are more positive about their SecurIDs than Rick Troth was. Historically, and in recent reports, the SecurID has a gee-whiz factor that has made it quite popular among token-holders -- at least when compared to the alternatives. One of the first big mass market deployments of SecurIDs, at eTrade Financial, is touted as a great success, with widespread consumer acceptance. And customers of eTrade, the first online brokerage, were given a free choice of either staying with static passwords, or adopting SecurIDs for 2FA. Customer reports like that remove a lot of the guesswork about user acceptance.

Of course, eTrade's brokerage customers apparently saw the additional security offered by a SecurID 2FA as an advantage for them, because it helps protect their assets and sensitive account information. Perhaps it's rash to presume that all system admins, or privileged programmers, will feel the same way about data or system security, or the minor hassle of 2FA -- which, I guess, is why decisions about risk management and risk mitigation are seldom left in the hands of the technical staff. If all privileged users could withstand all temptations, CIOs and auditors wouldn't be so obsessed with 2FA and accountability. ;-)

Meanwhile, whoever runs numbers at RSA is irked that I low-balled my earlier estimate of the current number of RSA SecurID enterprise installations. Mea maxima culpa. RSA still has an estimated 70 percent of the OTP token market -- but with the rising demand, RSA now has over 19,000 corporate and government SecurID installations world-wide. I won't guess again at the numbers.

According to the RSA-Secured Partner Solutions Directory, online at <http://tinyurl.com/b6jhx>, there are today 326 third-party software applications or networked devices which ship "SecurID Ready," most with an integrated RSA Authentication Agent, which proxies authentication calls to the RSA Authentication Manager (aka the ACE/Server.) RSA's success has been built on its vendor partnerships, even more than its expertise with crypto, or the patents that give it exclusive rights to develop and sell time-synched OTP tokens.

The RSA Partners' Directory also lists another 105 3rd party products which are adapted for integration with RSA's ClearTrust app for Identity and Access Management (I&AM) controls for privileged web access; 20 more are certified for SSO with RSA's SignOn Manager; 14 are certified for integration with RSA's Federated Identity Manager; and 151 ship with modules which allow integration with RSA's Digital Certificate Management solutions. A good portion of all of these also ship "SecurID-Ready."

As I mentioned in my Thanksgiving post, I've been a consultant to RSA for many years, and my bias is self-evident.

Hope this is helpful. I apologize again for providing inaccurate information earlier.

Suerte,
_Vin
