InformationWeek

These new E-security systems must provide flexibility, functionality, and scalability. In order to replace paper processes, such systems also need to provide accountability and trust in electronic processes. To accomplish that goal, a growing number of companies are deploying public key infrastructures so they can use digital certificates. Such certificates can ensure the confidentiality and integrity of data through encryption, control access through private keys, authenticate documents via digital signatures, and enforce nonrepudiation of business transactions.

PKI encompasses a broad spectrum of technologies and applications. In essence, PKI software uses a string of numbers or keys to encrypt documents to protect them from unauthorized access, then decrypts them for authorized users.

More companies are learning the benefits of PKI firsthand. A security survey of 2,700 executives, security professionals, and technology managers in 49 countries conducted last year by InformationWeek Research and PricewaterhouseCoopers showed that PKI use had more than doubled from 6% to 13% in a year.

But be warned: PKI can be challenging to implement. "A central services approach where the PKI provides keys and key management for multiple applications is expensive, complicated, and if not done well, career limiting," says Victor Wheatman, a Gartner Group VP and research director. "That's scary for managers who need to sign off on these projects."

Nevertheless, the growth in PKI deployment is expected to pick up speed. Windows 2000 has PKI built in, and analysts predict that more than half of business desktops will be running that operating system by 2003. In addition, prices are coming down. A Meta Group report says prices will drop in the next few years by 30% to 40% and PKI will be priced at $40 to $60 per seat. "To stay alive, PKI vendors will tie management functionality to Microsoft's PKI as a value-added service," the report predicts.

PKI will become widely used "because there's nothing else available that does what PKI does," says Bill McQuaide, VP of product management at RSA Security Inc., a security systems vendor. "Any company that's going to do business over the Internet has increased risk, and security becomes paramount. PKI is the most promising solution because you can control who does what by issuing digital certificates."

New York Life Insurance Co. is a PKI believer. It has implemented a PKI system from Entrust Technologies Inc., a 1996 spin-off of Nortel Networks, to automate internal processes and procedures. The insurance company has issued 12,000 digital certificates that are used daily to verify identities and ensure security.

"We selected Entrust because of its longstanding best-of-breed reputation and the fact that it could provide us with a shrink-wrapped solution," says David Klinkman, assistant VP of Internet/security infrastructure development at the New York insurer. "Out of the box, the software worked perfectly. But the customization process was challenging."

New York Life decided to layer other applications on top, and now uses Entrust Direct, which includes the PKI, to secure sessions between the Web browser and the Web server. The company also separated security from applications by using the Conclave Policy Server--which centralizes policy management, authentication, alerts, audit logging, and reporting for applications--and firewalls. "The Conclave Policy Server and the integrated Web server, where the Policy Server plug-in resides, handle forms of authentication, integration with directories, and access control for applications," Klinkman says.

PKI is gaining momentum as hundreds of vendors offer products or PKI-integrated products and services. Some companies have also created certificate authorities, third-party organizations that issue and authenticate digital certificates.

Scotiabank of Canada started to use PKI internally and then rolled it out for consumer banking applications. The popularity of applications that incorporated PKI surprised even the project's originators. "We felt electronic commerce services would become a critical part of the global economy and anticipated a user base of 40,000 in online banking," says Albert Wahbe, president of e-Scotia.com Inc. and Scotiabank's executive VP of electronic banking. "Instead, we got over 200,000 users. Security was extremely important to us, but it was transparent to the user."

The Toronto bank created e-Scotia .com, an open certification authority based on Entrust's PKI software. The online company issues and verifies digital certificates and provides other security services on an outsourced basis. "We learned so much through our own implementation of PKI that we feel comfortable offering it as a service to other companies," Wahbe says. "Frequently, companies can't cost-justify the funding of an internal PKI effort, in which case e-Scotia.com is a way for them to reap the benefits of PKI."

continued...page 2