Welcome Guest. | Log In| Register | Membership Benefits

InformationWeek Labs

June 14, 1999

Print this story
Print this story
In Keys We Trust

continued...page 3 of 3
Related links:
  • PDF file:Accompanying illustrations and tables

  • Enteprise Mangement/Security Resource Center
    To view a PDF file, you must first have the Adobe Acrobat Reader.
    • And from our sister publications:
  • Computer Reseller News Start-up's offering aims to simplify PKI

  • Network Computing Enterprise Security--Defending the Enterprise

  • InternetWeek Secure Messaging Moves Forward
    • One of Scotia's implementation benchmarks was to make PKI as transparent as possible to users, for which it relies on Entrust's Entrust/Direct public key client-management software. "Once users enter some personal information, the certificates get downloaded onto their PC and they're not even aware of it. The whole process takes 10 to 15 minutes, and it's easy to use," says Jamie MacDonald, a senior manager of Scotia's electronic-commerce group. To further protect users on the public Internet, Scotia makes use of anonymous certificates that contain no identification of the user other than special numbers recognizable only to the bank.

    Criminals who intercept the certificate won't be able to find any identity information, but Scotia Online can map the numbers in the certificate to a user's account. Anonymous certificates may become the most popular way for businesses to implement PKI on business-to-consumer E-commerce Web sites because they add an extra layer of security.

    Though secure E-mail is a priority for many large enterprises, the supply chain is where some businesses are expecting lower costs and increased interaction by moving to PKI. The Home Depot Inc., which uses Sterling Software Inc. as its value-added network for electronic data interchange and uses direct frame relay, ISDN, and ATM connections to its suppliers, sees the eventual need to add the public Internet to those connection options as inevitable.

    "As there are more small vendors we need to deal with to keep costs down, we'll need to use the public Internet. That's when the security issues arise," says Mike Anderson, VP of IS for the technology group at Home Depot.

    The Atlanta company, one of the first to implement Lightweight Di-rectory Access Protocol-capable directory services across its enterprise in 1997, is expecting to implement a PKI solution in 12 months, says Anderson. Internally, a focus of the Home Depot PKI will be its 850 synced directory servers running Netscape Directory Server containing the roles and authorization rights for the company's 183,000 employees.

    Though Home Depot is looking at various PKI technologies, it declined to indicate which ones it currently favors. On the client side, Home Depot is looking at several PKI toolkits to integrate into its applications to make them PKI-aware. One that it was particularly impressed with was Baltimore Technologies' PKI Plus toolkit, which does a good job of "hiding the muck" of PKI from developers. Home Depot also is interested in a PKI single sign-on product. It already uses a custom single sign-on application that uses LDAP to authenticate users on the Directory Server. "We'll probably go with whoever can work PKI into our single sign-on application," Anderson says.

    Virtual Networking Success
    Virtual private networks are saving businesses money by leveraging the public Internet as the transport mechanism for business transactions. But few VPNs come with both secure authentication of the user and encryption of the tunnel.

    At Chevron Canada Ltd., a pilot program is in place to use PKI with its virtual private network to provide both strong authentication and encrypted sessions. Previously, Chevron Canada had used dial-up connections with Windows NT authentication. Later, it used Security Dynamics' SecurID, token-based authentication utilizing a user ID and personal ID number. Although SecurID offers strong authentication, it doesn't encrypt the session data, and the oil company wanted data encryption that would work transparently with all its applications.

    The pilot program uses the IPSec security protocol for data encryption and digital certificates for user authentication. Chevron Canada uses a TimeStep Corp. VPN box that does hardware-based encryption and decryption. On the client, there is a virtual IPSec driver for the IP stack. For its certificate repository, Chevron Canada is using an X.500 directory server by Control Data Corp.

    Chevron Canada sees its PKI investment as paying off with future security implementations. "We put in the PKI for a certain task: the VPN," says James Eaton, a network specialist with Chevron Canada. "But later, if we add secure E-mail, secure desktops, and work with outside partners to allow them secure access to our Web servers, we can leverage the same infrastructure."

    Challenges Remain
    For most businesses, PKI presents a radical restructuring of security policies and fairly complex software architecture. Furthermore, key management introduces new problems in the area of data backup and restoration.

    For large companies that need strong user authentication and encryption of data, PKI is probably the only reasonable standards-based path to take, despite the heavy up-front costs. Ultimately, PKI will become a commodity item. Certificate services will be widely available and applications will use PKI right out of the box. For now, though, PKI is still a challenging implementation.

    return to page 1, 2


    Back to Labs

    Send Us Your Feedback

    Top of the Page