Forwarded From: darek milewski <darekm@cmeasures.com>
http://www.infoworld.com/cgi-bin/displayArchive.pl?/99/14/n03-14.47.htm
The year of PKI
The growing need for secure Web transactions will
boost PKI implementations at Entrust Technologies
By Matthew Nelson
Network security has become a necessity with the spread of Internet
commerce and the expansion of intranets to larger extranets. But with
differing network systems, secure connections that are constantly updated
can be a difficult proposition. One possible solution is the use of
public key infrastructure (PKI) systems and digital certificates. To
discuss PKI and what it means for the enterprise, InfoWorld Senior Writer
Matthew Nelson recently sat down with John Ryan, chief executive officer
of Entrust Technologies, one of the leading PKI system providers.
InfoWorld: Do you consider 1999 the year of PKI?
Ryan: There's no question that the recognition by companies that they will
all need a PKI is now upon us, and we're seeing incredible acceleration of
pilot activity and recognition across our customer base. So I think this
year will be the year where people recognize they will definitely have a
PKI in their enterprise and start the methodical planning to ensure they
pick the right one.
InfoWorld: Why is PKI seeing adoption now when it is a technology that has
been around for quite a while?
Ryan: Not unlike the Internet [that] was around for almost 20 years before
all of a sudden it took off, there's been some fundamental things that
happened in the enterprise that have now driven the need, and made it a
lower risk decision for the enterprise. The first was certificates, or PKI
capabilities, which were embedded in the browsers. The next thing that
happened was the major 20 vendors in the networking world -- the whole
crew in networking and firewalls -- all standardized around a standard
called IP SET [Secure Electronic Transaction], which includes digital
certificates. So basically, each application in an enterprise now, or the
major applications of an enterprise backbone, are including security as a
fundamental element, which is forcing companies to consider a public key
infrastructure.
InfoWorld: What developments should IT managers expect to see during the
next year?
Ryan: I think you're going to see a much more wide-scale enablement of
applications, which really is going to make it much simpler for the
enterprise to install a PKI, because the applications will be ready to
accept it.
I also think you're going to see networks of trust being created. I think
one of the first ones we saw was the banking community with their global
trust organization, which is a high-value, high-trust network for
Web-based electronic transactions.
InfoWorld: Is there a problem with interoperability between different
companies' digital certificates?
Ryan: Fortunately, the industry standards that enable interoperability
have now passed. But actually, we now can support interworking with
VeriSign, GTE, Microsoft, Netscape, and others, today, in our product. So
we actually do have full interoperability in our product and we can create
webs of trust that include VeriSign or GTE certificate authorities, webbed
with an Entrust certificate authority, into a network of PKI networking.
And we really see that as an innovation that the market has not yet
anticipated. The evolution will then give customers choices and the
ability to scale their networks based on what they've bought to date.
InfoWorld: Has that interoperability created a different kind of
competition between Entrust and your competitors?
Ryan: We have always worked with large enterprises and basically delivered
a guaranteed security system that they could buy and integrate every
application into it, and have single sign-on and consistent policies and
practices.
Our competitors are more focused around the authentication market. They
don't provide encryption or digital signature, they really count on all
the various applications to embed that technology. So we really don't
compete that often, head-to-head. But I think you'll see, as we migrate
through this year, a much larger movement with our service provider
program.
We have partnerships with many service providers, which are more analogous
to the VeriSign model, but with the full Entrust product suite, combined
with our ability to implement Entrust Worldwide, a global network that
we've just created. We'll be able to create really hybrid PKI networks
where a piece of the PKI is on the customer's premises, and controlled by
them.
Another piece of the PKI might be controlled by a service provider, and we
can connect them together seamlessly to be able to enable PKI networking
and then extend that web of trust to other companies, so that you can
create a community of interest to conduct electronic commerce.
InfoWorld: If digital certificates are all going to interoperate, how are
companies going to differentiate themselves from their competitors?
Ryan: That part is going to be an exciting revolution because it will
evolve very similarly to the credit card business, and I believe that the
card or the certificate will become a brand position. I might have a
Citibank Certificate just like I have a Citibank MasterCard.
And I can see that there will be a battle for that identity, and I really
believe you're going to find there are credentials that you can use across
a number of services, and that credential may be issued by a bank, or a
telephone company, or a government. And then I think that most
organizations who really care about branding and positioning will issue
certificates to their customers. So a person will end up with probably the
same number of certificates as they have credit cards.
InfoWorld: Do you think the cessation of year-2000 projects is going to
have an effect on the adoption of security products and specifically PKI
systems?
Ryan: Certainly there's no doubt, it's a very critical element that's on
the mind of every CIO. I think it's helping accelerate PKI in the first
six months of the year because I think behind year 2000, many of our
corporate customers are telling us security is the next, No. 2 critical
item. And they have to get it fixed, but they want to get going right
away, before the latter part of the year comes when they're fearful that
they're going to be a little bit busy with year-2000 testing, if they
haven't got there yet.
In the second half of the year, we've pretty much said it could slow down
as far as implementation goes. But we actually think that people are going
to solve a lot more of the problem than they thought, and are actually
going to be in a position to have the ability to buy the technology for
implementation in the year 2000.
We're cautiously optimistic right now, but we actually see it as an
accelerator in the short term, and then we'll be waiting and seeing what
happens. We also have seen though -- without doubt -- once the year-2000
bug is done, everybody has said security will become the next No. 1
priority. So I think that that speaks well for the position that we see
emerging in the enterprises.
Received on Wed Apr 7 21:16:20 1999