Print
Discuss
Send to friend
RSS feedsYou could be transferring millions of pounds via the web, or you could be buying a few packets of Post-it notes. Whatever your transaction, you want to know that it - and all the data contained within it - is safe from prying eyes. You also want to know that you can trust the person at the other end of the 'submit' button.
As ebusiness grows and the web plays an increasing role in mission-critical business operations, security and trust have to be a given for end users.
All business transactions require end user accountability. In the days before the web, this was simple: everyone signed documents in triplicate, so the source of the data was clear and could be validated in a legally-binding way.
Companies now need to find a way to do this in an ecommerce environment. The medium of ecommerce is the public internet, which means that a significant proportion of a company's mission-critical resources are available over unsecured, open networks.
As a result, information exchanged over open networks is vulnerable to being intercepted and compromised. For companies to succeed on the web, it is imperative that they can identify themselves.
As well as the question of trust, there's the issue of information 'assurance'. While electronic information needs to be protected from damage and disclosure, it also needs to be available in a confidential environment for companies to capitalise on the value of ebusiness. The fundamental requirements are:
- validation of the data source
- certification of the sender
- a guarantee that the data has not been tampered with
- access for only authorised users.
Satisfying all these demands is an extremely tall order. Cue public key infrastructure (PKI), which has emerged as the de facto standard for securing digital content and processes as well as email and files. Although existing secure sockets layer encryption offers a modicum of protection for ecommerce transactions, it doesn't protect the data once it resides on the back-end server at its destination, and it's here that most credit card hacks have taken place.
How does it work?
PKI is a combination of software, encryption technologies and services, which helps companies protect the security of their communications and business transactions on the internet. It integrates three components - digital certificates, public key cryptography and certificate authorities into a company-wide network security architecture.
Public key encryption overcomes a major limitation of classical cryptosystems - the problem of insecure channels. Public key cryptosystems use irreversible algorithms, which means that knowledge of the algorithm does not have to be kept secret.
Public key encryption uses two mathematically related keys - a public key and a private key. One key is used to encrypt a message and the other to decrypt it. The sender of a message encrypts it using the recipient's public key. The message can then only be decrypted by the recipient using his private key. This also works in reverse: a message encrypted using a sender's private key can be decrypted by anyone with the corresponding public key. The public key is distributed to the world at large, while the private key is kept safe by its owner.
A typical business's public key infrastructure encompasses:
- the issuing of digital certificates to individual users and servers
- end user enrolment software
- integration with corporate certificate directories
- tools for managing, renewing and revoking certificates
- related services and support.
By using digital certificates, users, organisations and website operators can validate the identity of each party in an internet transaction. The certificates also ensure that the message or document hasn't been altered in any way in transit. Digital certificates can prove that a particular public key belongs to a particular user and make a very good substitute for the weak security offered by network logins.
"Traditional name/password security was inadequate for our needs," says Anthony Horner, manager of IT management consultancy DruidServe, which offers an online interactive problem-solving service. "We store client information on our site and confidentiality is essential, so we use PKI certificates to authenticate users. The certificate also tells us whether the person contacting us has the authority to raise the request and the authority to pay for it."
PKIs and digital certificates are most reliable when they are vouched for by a trusted certificate authority. Certification authorities issue public key certificates, and in doing so vouch for the ownership of the private/public key pairs. These organisations embed into each digital certificate a company's public key along with other identifying information, and then cryptographically 'sign' it as a tamper-proof seal, verifying the integrity of the data within it and validating its use.
Should I use it?
If you like a challenge, then dive in - the number of pilot projects greatly exceed the live rollouts, with Scandinavia leading the way. "These types of deployments are still far and few between," says Abner Germanow, senior analyst with researcher IDC's internet security research programme. "Fortunately, however, developers of internet-based applications are embracing PKI as a technology that allows for high degrees of authenticity, management, scale and real-time key exchange in the public domain."
"The fact that these developers have identified PKI as a way to fulfil many of the security needs of the next generation of internet applications is a testament to not only the technology's potential, but also to the ability of the technology to solve problems today," he adds.
If you do wish to adopt PKI and become a certificate authority, you will need to be able to issue certificates that contain company-specific identifying information and control who can receive a certificate.
There are two options: closed and open PKI. With the former, a company can issue digital certificates to a limited, controlled community of users. Applications will need a special software interface from the PKI vendor to work with the certificates. Closed PKI systems will also require additional training, hardware, software, and maintenance for the implementation to work successfully.
With open PKI, applications interface seamlessly with certificates issued under an open PKI, the roots of which are already embedded in them; for example, existing web browsers, such as Internet Explorer, support certification.
Anyone who has used Windows Update will know that before its ActiveX audit tool can be downloaded, you have to approve the 'authenticode' certificate which is downloaded first. Client software costs are negligible as a result, allowing businesses to become their own certificate authority, while taking advantage of their PKI vendor's service and support.
But don't expect this to come cheap. Several companies offer PKI products and services, which includes the management of digital certificates, while others provide software so that users can run their own PKIs, or services so they can run your PKI functionality for you.
A typical bundled certificate package can be obtained for about 25,000 euros (£16,000), and a hosted PKI solution may cost about 500,000 euros (£320,000). For an in-house implementation, you're looking at 10 times that figure or even more.
Bankgirocentralen, a service bureau which runs the Swedish clearing house system, is one company that has embraced PKI. As a result, its 30,000 customers - who transfer more than $1bn per day - enjoy a simpler and smoother payment routine.
"We looked at various security alternatives, such as tokens, but PKI was the only long-term solution. We also liked its open environment," says Gunnar Claesson, IT security manager of BgCom, the bureau's new service which combines the use of electronic ID, secure communications and bank authorisation. "We're presently experiencing transaction growth of around 20 per cent to 25 per cent per month, but the system copes well. We've had positive customer feedback, too. We plan to extend our services and offer managed PKI services for our customers."
A smartcard is used to create a digital signature for payments sent to Bankgirocentralen via the internet or any other connection, which eliminates the need for separate account reconciliation while improving process control.
"Transactions take the form of files which are sent between banks," says Claesson. "Previously, a system of faxed authorisation was used to confirm each transaction. It was slow and there was the chance of human error. Thanks to PKI certification we can authenticate down to the individual requesting the transaction, identifying them and the authority they possess."
Sweden and Finland have both set a national PKI standard, which eliminates the interoperability problems you are likely to face in the UK.
It is this interoperability that has been blamed for PKI's slow adoption rate. "Early private installations naturally had no interoperability problems, but as we move to a digital society, with multiple certification authorities, there can be problems," says Rain Eriksoo, director of marketing at security specialist Id2 Technologies. "The advent of Windows 2000 is really promising in this regard."
Windows 2000 supports an easy-to-manage public key infrastructure of 128bit encryption. Microsoft has set up alliances with other security vendors in the hope of promoting interoperability across various security systems.
Active Directory is another key enabler. Directory-based security, which allows security policy to be centrally defined and applied via a group policy management model, will eventually be reinforced with identification procedures associated with PKI security at the network level to establish a 'strong identity' component within internet traffic.
Is it just a fad?
Not if you listen to IDC. The researcher predicts great things for the technology when it grows up. It believes the market will increase dramatically, from a base of only $123m in 1998 to a worldwide revenue total of $1.3bn by 2003. The factor behind this won't be security risk management, but the proliferation of strategic ecommerce and ebusiness initiatives. "Business-to-business ecommerce activities require levels of authentication, non-repudiation and scale that only PKI products have the ability to provide," says Germanow.
Another convert is Mike Graves, Hewlett-Packard's European marketing director for the Internet security division. "End-to-end encryption is required, and PKI can deliver this," he enthuses. "There has to be a transaction audit trail, something that secure socket layer can't provide and PKI can."
It won't be an easy ride, however. PKI is still relatively new, and quite a complex concept for most people to grasp. It has been hyped too much - it won't cure all your ecommerce security problems, so cross that off your wish-list right now.
"The problem has been exacerbated by vendors which raise customer expectations too high. They've also underestimated how long wide-scale acceptance of PKI would take," says Phil Ryan, head of information security at Peapod, a security software and services supplier. "What's the point of encrypting emails if the majority of recipients can't handle a digitally signed email? To many people it will look like mangled text."
The most important thing to do is to assess why you need PKI. What can it deliver to your company?
"Businesses are still struggling to adapt to the demands of ecommerce. This is compounded by some of them failing to think it through," says Jenny Green Keon, business development manager at RSA Security. "Very often it's not optimal to bolt PKI onto an existing back office system, but companies pursue this tack when they ought to have considered a completely fresh business strategy. They have to get it absolutely clear what the business benefits are from deploying PKI."
And it's not just the business benefits that you must consider. How PKI will sit within your business culture and processes is a fundamental concern. The implementation of security procedures has to be a user-friendly experience - if it's time-consuming, users won't bother with it. They should be able to create profiles they can save with their preferred settings and be able to automate the tasks of signing and encryption.
Otherwise all that cash will have been wasted, and you'll be back to Post-it notes and passwords.
The big players: who's hot in PKI
Baltimore Technologies
One of the leading players in the PKI market in Europe, Baltimore has been fighting against several well-established vendors to gain a foothold in the US. Its recent acquisition of GTE CyberTrust gives the company an immediate footing, just as the PKI market appears to be about to enter a strong growth phase. Although revenue from software licences is now eight times that of a year ago, it still reported a loss, before deductions, of $8.5m, and is expected to continue to do so until the last quarter of 2001.
Products/services: Wide range of offerings including UniCERT Options, which provides a comprehensive set of PKI-based products, hosting services and professional services to MailSecure 2.4. Wap offerings in the pipeline.
Strengths: A strong management team, sound acquisition strategy and good product reviews.
Weaknesses: In common with many dotcoms, Baltimore's stock is wildly overpriced. The company is now moving into the business-to-consumer arena.
Entrust Technologies
Entrust is a long-established player in the PKI market. Its most recent PKI offering, Entrust/PKI 5.0, represents a major update over previous versions and is a good choice for large, security-conscious companies needing an effective PKI package now. To get the most out of the package, however, companies will also need to deploy Entrust's client software. Its acquisition trail is similar to its rivals. In April it paid $470m for enCommerce, which makes software for ebusiness applications.
The previous month it purchased CygnaCom Solutions, a company with a history of providing PKI-related services to US federal government departments, for $16m. Entrust, which enjoyed a record first quarter with revenues up from $16.8m to $29.1m, also has its own high-profile customers - Amazon has announced that it will use Entrust's products to protect internal communications.
Products/services: Wide range of products and managed services, including Entrust/PKI and Entrust.net.
Strengths: Strong product reviews, good choice of products, top client list.
Weaknesses: Nothing significant
RSA Security
Modestly billing itself as The Most Trusted Name in eSecurity, RSA Security has been in the business for almost 20 years and enjoys a powerful brand value. Its products aren't bad either, and the company recently collected a Well-Connected Network award in the US from Network Computing magazine.
It has a top-notch client base - just recently the Wireless Application Protocol Forum specified RSA Security's RC5 encryption algorithm for its wireless transport level security specification. Revenue for the first quarter of 2000 increased 30 per cent to $63.3m, from $48.7m for the first quarter of 1999.
Products/services: A range of security products, including RSA SecurID two-factor authentication.
Strengths: Experienced, good brand. Picks up plenty of awards.
Weaknesses: Narrow portfolio of products and services.
VeriSign
Its recent moves towards becoming a full-services ecommerce systems provider have had some analysts scratching their heads. Bought internet domain name registrar Network Solutions for $17bn in stock, in an attempt to get an immediate link with companies when they first establish their internet presence.
VeriSign intends to use this route to sell a wide range of security and ecommerce products and services. Ties in with two other acquisitions - Thawte Consulting, which will help improve VeriSign's consulting services and server certificates, while Signio provides online payment processing. VeriSign remains profitable - its net earnings for the last quarter were $14.7m, compared with $4.8m in the same quarter in 1999.
Products/services: GoSecure! for virtual private networks and business-to-business web applications. Email, training and web server certificates. Outsourced PKI offered via VeriSign OnSite.
Strengths: Long-established player in the digital ID business. Wide product portfolio.
Weaknesses: Questionable acquisition policy.
See also:
All Hacking
del.icio.us
Digg this
reddit!
