[ISN] The Key to Unlocking Data Access

From: mea culpa <jericho_at_dimensional.com>
Date: Fri 19 Feb 1999 - 05:51:06 CST
Tuesday, February 16, 1999, 2:00 p.m. ET. 
The Key To Unlocking Data Access
By RUTRELL YASIN 

Enterprises are finally doing something about their insecure intranets and
extranets. Public-key infrastructure (PKI) technology--until now used
mostly to secure Internet transactions in banking and other financial
applications--is now reaching deep into corporate departments and everyday
business applications. 

Enterprises can no longer operate without a PKI safety net as they extend
applications and data to partners and far-flung employees. 

Companies are looking for their "return on investment with PKI to come
from [securing] business-to-business and internal applications such as
human resources systems," says John Pescatore, a senior consultant with
PKI vendor Entrust Technologies Inc. 

Leading the way are corporate titans such as Federal Express Corp.,
NationsBank Corp. and Texas Instruments Inc., all of which are piloting
projects that could set the stage for internal PKI deployment for
authentication, privacy and data integrity. 

Federal Express is out in front. Fedex hopes to reap the benefits of PKI
this spring as it rolls out a digital signature-enabled human resources
system that gives the company's 141,000 employees secure access to their
personnel files. 

Fedex, which is using Entrust encryption-key management, secure e-mail and
application development tools, worked closely with Entrust to migrate the
mainframe-based HR systems to an intranet. 

"When we first started with PKI, we found all the PKI vendors were
following an Internet model, not an intranet model," says James Candler,
Fedex's vice president of personnel systems and support.  Changes were
required to plug PKI into an intranet environment in which users might use
multiple workstations, he says. 

With Internet transactions, the model is much simpler: a home user
conducting a transaction with a bank can download a digital
certificate--an electronic credential that verifies the user's identity--to a
PC, and the information is specific to that computer.

However, in a corporate setting such as Fedex, departmental and field
users need access to desktop PCs in conference rooms and at kiosks.
Single-system digital certificates are not enough. 

As a result, Fedex "had to create roaming certificates" that could be
downloaded to a PC from an LDAP-based corporate directory, Candler says. 

Using an Entrust digital certificate password and hardware ID tokens that
resemble credit cards, Fedex wants its managers to transmit employee
performance appraisals over the intranet, for example, eliminating a lot
of paperwork. 

But at $65 apiece, the company didn't want to give every employee a secure
ID token. "We created a level of trust in the HR system," so employees who
don't need access to a higher level of information can log on with just a
passphrase, Candler says. 

One benefit is that the implementation of PKI encryption and digital
certificates is letting Fedex employees perform tasks on the Web that they
couldn't before, Candler notes. For example, employee salary reviews are
now sent to a supervisor via an e-mail message that includes a URL address
linking directly to the appropriate HR site where the review is written.
Then the supervisor can forward the information on to HR. 

Candler thinks other companies will add Web extensions to their HR systems
to give employees self-service access to benefit and retirement plans. 

"I've talked to other CIOs, and they agree that this is exactly where
their companies need to go,"  Candler says. "We're leading the market by
about a year," he says. 

But as organizations deploy PKI, product interoperability and certificate
management have become problematic. 

NationsBank, a unit of $6.5 billion Bank of America, has launched pilot
projects to give employees access to personnel records, 401(k) and other
benefits, says Sam Phillips, senior vice president of information security
at the bank. 

PKI is generating "a lot of excitement," Phillips says. However, "like
most companies, we want to standardize on one e-mail package. We are a
very large organization constantly in acquisition" mode, he says. If one
division is using Lotus Notes and the other Microsoft Exchange, the
question is how to make the packages work together so that an S/MIME
security implementation works across both systems, he says. 

Another obstacle is directory services, specifically ensuring
interoperability between LDAP interfaces from Microsoft, Netscape and
Novell, he says. 

To overcome some of these interoperability problems, NationsBank is using
VeriSign Inc.'s OnSite integrated platform as a primary Certificate
Authority. VeriSign "gives us flexibility," Phillips says. Instead of
NationsBank setting up the PKI infrastructure internally, "VeriSign offers
a complete set of services. We can leverage what they're doing" to
communicate with GTE CyberTrust or Netscape if customers choose
certificates from those vendors, he says. 

Even electronics giant Texas Instruments opted for VeriSign, scrapping
plans to launch a homegrown PKI framework. 

"We actually built our own PKI, which was fairly robust, but we wanted to
concentrate on our core competency," says John Fraser, IT security manager
at the $8.4 billion manufacturer. "To deploy PKI, you had to pull together
the servers, desktops, clients, the whole ball of wax," Fraser says. 

"We wanted to be in the position as the market changes to move to the next
new solution in PKI without changing" the whole infrastructure, Fraser
says. Because VeriSign is based on an open platform, off-the-shelf
security products can be integrated into the framework, reducing costs. 

TI will deploy PKI both for intranets and Internet apps, Fraser says. "But
our plan is not to use VeriSign digital certificates for
customer-to-business transactions--not like the banking model." 

TI has launched a program to forge tighter links with suppliers and to
extend its intranet to accommodate more self-service apps, he says. 

As the company deployed PKI technology and digital certificates, the
biggest hurdles were managing a certificate revocation list and key escrow
for employees who forgot passwords, Fraser says. 

VeriSign is attempting to solve that problem with OnSite Key Manager,
which provides encrypted backup and recovery of end-user keys and digital
certificates used within a PKI. 

For the past year, Entrust, VeriSign and other PKI vendors have been
offering tools that make it easier to manage multiple certificates from
different vendors as well as add, change and revoke certificates. 

Securing access to enterprise resource planning apps such as SAP is the
next step for TI's PKI efforts, Fraser says. TI plans to deploy digital
certificates for SAP's Internet Transaction Server, he says. 

ERP applications weren't offering links to PKI a year ago, Fraser says.
Now SAP, PeopleSoft and Oracle realize their proprietary solutions have to
be extended to acknowledge technologies such as Kerberos authentication
and PKI. 

Users are asking about PKI extensions to apps from PeopleSoft and SAP, as
well as enterprise management platforms such as Computer Associates'
Unicenter TNG and Tivoli Systems Inc.'s TME, Pescatore says. 

Management platforms are the likely places to add hooks for security
modules. "The same platform that is used for managing resources also can
be used to manage people using digital certificates. This way, VPNs,
switches and routers all can be tied in with PKI," he says. 

The government of Ontario, Canada, has several pilot projects with Entrust
that should bear fruit this year, says Scott Campbell, assistant deputy
minister there. The government is issuing digital certificates to social
workers at the 50 Children's Aid Societies across the province to ensure
privacy. The certificates will let case workers securely access a central
database to keep track of child abuse cases. 

The database is updated regularly, so workers can keep better tabs on
abused children if they move from Toronto, for example, to Ottawa,
Campbell says. Prior to the pilot, it could take months for workers to
track down the whereabouts of a child. 

Ontario also uses PKI to secure e-mail for the 6,000-person Ontario
Provincial Police force. A third pilot will help the 300-person IT group
determine if there are any holes in the technology, he says. 

As users deploy PKI pilots, they may find the real challenge is defining
policies that link the technology with business processes, says Spiros
Angelopoulos, a group manager with Raytheon at the NASA Ames Research
Center. 

"The tools are there, but [companies must define] policies on how to
implement the tools," he says.  For example, with digital certificates,
companies need to establish a policy for user eligibility and how users
will receive their credentials, he says. 

NASA Ames, which has 11 research centers across the nation, is using PKI
for secure e-mail. The center is moving toward the day when "every person
[at the center] will have a digital certificate,"  Angelopoulos says. 

As PKI products continue to mature and pilots move into production this
year, IT managers anticipate a surge in PKI deployments. Says TI's Fraser:
"There's more than a [growing] interest in PKI; there's a lot of pent-up
demand." 


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Thu Mar 11 17:26:34 1999