Establishing Digital Trust: Don't Sacrifice Security for Convenience
Reprinted from Software Magazine
Potentially, the biggest e-security challenge going forward will revolve around public key infrastructure (PKI). Essentially, PKI refers to the various pieces involved in creating a trust network built around digital certificates. Issues include integrating PKI components with existing applications, managing digital certificates, ensuring interoperability among different PKI systems, and getting users to buy in to PKI.
PKI systems use digital certificates that act as a digital ID card to identify a user. The certificate can be tied to authorization systems that spell out what a user is allowed to do, such as which applications they can access or which Web pages they are allowed to see.
Streamlining the Process
Lina Liberti, director of product management for RSA Keon PKI systems at RSA Security, Bedford, Mass., points out that PKI isn't solely about security. "A lot of times it's about streamlining processes, reducing costs, getting rid of paper by keeping documents electronic, while ensuring it's a real, trusted document," she says. "It's not just about locking out the bad people; it's about enabling something."
Vendors including Shym Technologies, Needham, Mass., and TrustWorks Systems, Palo Alto, Calif., offer tool kits that use an agent technology for PKI-enabling applications.
TrustWorks provides various types of open-source security code in an effort to foster interoperability in the security space. The company offers code for creating IETF-compliant IP Security (IPSec) tunnels, the OpenCrypto API for incorporating various encryption algorithms, and an implementation of the IKE management protocol.
TrustWorks offers an agent on top of which you can plug in various security services, including an IPSec-based virtual private network, a firewall, encryption, and PKI. Gail James, TrustWorks' vice president of worldwide marketing, says many users get hung up with PKI when it comes time to integrate the infrastructure with applications.
"We eliminate that [integration] process because we interoperate and integrate with PKI systems from seven different vendors," James says. "In addition, we automate many of the steps that are still manual steps with PKI solutions, saving on the order of an hour per user on configuring the system."
Essentially, agents act as a proxy, authorizing users on behalf of attached applications; as a result, the application itself needs no changes.
Rainbow Technologies, Irvine, Calif., which sells the iKey security token and other security-related products, uses Shym's agent technology to PKI-enable an internal ERP system, says David Giesel, Rainbow's director of worldwide technical services. Shym's agent front-ends the PeopleSoft application and reads the digital certificate installed on the Rainbow iKey; the agent then validates the certificate using the certificate server inherent in Microsoft's Windows 2000. Shym's agent can integrate with any CryptoAPI-compliant PKI package.
The alternative to such an agent setup would be to replace the user-name/password-policy database in the PeopleSoft application and build in a hook to the PKI system, a much more time-consuming effort.
"We had iKey up and running within a day," says Paul Blomgren, Rainbow's group manager for iKey product management.
While Rainbow's ERP application is used only internally at this point, Blomgren says the long-term plan is to use PKI to enable customers to order online and to access an end-user support area. Resellers will likewise have access to their areas of interest.
RSA also makes PKI tool kits. RSA offers agents similar to those from Shym and TrustWorks, along with its BSAFE family, which allows developers to build applications that will work with any RSA-certified PKI system, including those from Verisign, Baltimore, Netscape, IBM, and RSA's own Keon.
BSAFE varies from agent technology, however, because it puts PKI support inside an application, not just as a front end to authorize access to the application, RSA Security's Liberti says. The difference is that BSAFE would enable you to give users different levels of access to the content inside an application. For example, in a spreadsheet application you could enable department managers to access budget data for their own department, but not other departments.
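As an added illustration of the two integration patterns described above (an agent acting as a proxy in front of an unchanged application, versus PKI support built into the application so it can limit content per department), this is example code and not code from Shym, TrustWorks or RSA; the certificate fields, trust store, revocation entries and budget data are constructed stand-ins.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
# Constructed stand-in for an X.509 certificate, keeping only the fields the
# agent needs; a real agent would parse PEM/DER and verify the CA signature.
@dataclass(frozen=True)
class Cert:
    subject: str        # e.g. "CN=alice,OU=finance"
    issuer: str
    serial: int
    not_after: datetime
TRUSTED_ISSUERS = {"CN=Corp Issuing CA"}          # constructed trust store
REVOKED = {("CN=Corp Issuing CA", 7)}             # constructed CRL entries: (issuer, serial)
NOW = datetime(2000, 9, 1, tzinfo=timezone.utc)   # constructed "current time"
EXPIRY = datetime(2001, 1, 1, tzinfo=timezone.utc)
ALICE = Cert("CN=alice,OU=finance", "CN=Corp Issuing CA", 5, EXPIRY)
MALLORY = Cert("CN=mallory,OU=sales", "CN=Corp Issuing CA", 7, EXPIRY)  # serial 7 is revoked

def validate(cert: Cert, now: datetime) -> Optional[str]:
    # Returns None when the certificate is acceptable, otherwise the rejection reason.
    if cert.issuer not in TRUSTED_ISSUERS:
        return "untrusted issuer"
    if now > cert.not_after:
        return "expired"
    if (cert.issuer, cert.serial) in REVOKED:
        return "revoked"
    return None

def parse_dn(dn: str) -> dict:
    return dict(part.split("=", 1) for part in dn.split(","))

BUDGETS = {"finance": 120_000, "sales": 80_000}   # constructed application data
# Unchanged application: it knows only usernames and nothing about certificates.
def budget_app(username: str) -> dict:
    return {"status": 200, "user": username, "budgets": dict(BUDGETS)}

# Agent pattern: a proxy validates the certificate and hands the application a
# username it already understands, so the application itself needs no changes.
def agent_front_end(cert: Cert, now: datetime, app) -> dict:
    reason = validate(cert, now)
    if reason:
        return {"status": 403, "reason": reason}
    return app(parse_dn(cert.subject)["CN"])

# In-application pattern: the app sees the certificate and uses its OU to limit content.
def budget_app_pki_aware(cert: Cert, now: datetime) -> dict:
    reason = validate(cert, now)
    if reason:
        return {"status": 403, "reason": reason}
    dept = parse_dn(cert.subject)["OU"]
    return {"status": 200, "budgets": {dept: BUDGETS[dept]} if dept in BUDGETS else {}}
```

The agent can only admit or refuse a user, whereas the PKI-aware application can return different data to different certificate holders.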
The ability to work with a variety of PKI systems is crucial, Liberti says, because it offers investment protection. If a company gets acquired, for example, it may be required to convert its PKI system to the one used by the new owner. "You could lose your investment in the PKI system while you still owe money," she says. BSAFE allows you to swap in another vendor's PKI system without a wholesale overhaul.
Keeping It Simple
A tougher problem may be getting users, be they internal or external, to bite. If users have to jump through hoops to enable PKI, it will make it that much tougher to get them to do it.
Corporate users, of course, can dictate that end users play along, but companies dealing with consumers will have to find a way to gain their cooperation. Banks, for example, will need to show their users that the added security is worth the extra effort.
One way to do that is to position PKI components such as smart cards as an added value reserved for high-end customers. Additionally, Liberti says, customers are used to the idea of having to sign a document to complete high-value transactions and will be willing to do the same in the online world, using digital signatures or similar technology. "Banks aren't going to say 'PKI.' They're going to say 'digital identity' or something like that," she says.
For PKI to work in B2B transactions, multiple players will have to be involved.
Layers of Players
Take, for example, e-Original Inc., a Baltimore-based company founded in 1996 with the idea of taking paper out of the mortgage process. It completed the first all-digital mortgage closing this past July. Digital signatures were used to sign the mortgage documents, which were sent via secure Internet connections to the various banks and government agencies involved in the transaction, says Jack Moskowitz, e-Original's vice president of R&D and security.
Key to the transaction was that the mortgage was sold on the secondary market within three hours, he says. Normally, mortgages are collected into a group that is then traded on the secondary market as a whole, typically about three months after the closing date. During that three-month period, the original lender is at risk that interest rates will change such that any profit made by selling the mortgage on the secondary market evaporates. Overall, the various parties involved in the e-Original online mortgage transaction saved a total of about $750 vs. conducting the same deal on paper.
That shows how PKI can enable new types of business transactions, but it also points to the complexity inherent in such a multitiered transaction. Aside from the original lending bank, many other parties had to have compatible PKI technology to complete the transaction. One of them, Fannie Mae, bought the mortgage and has an agreement with e-Original to buy 99 more online mortgages. Another, the Broward County (Fla.) Recorder's office, performed an electronic validation of the transaction. Also involved was a trusted custodial utility, which validated the integrity of the documents and the identity of all participants in the transaction.
"The reality is many companies will have to reengineer their operational processes to take advantage of the electronic leverage that is potentially available with electronic signatures," says Dr. Martin Goslar, principal analyst and managing partner of E-PHD.COM, an e-security research and analysis firm in Phoenix.
Desmond is editor of the ecomSecurity.com Web site and vice president of King Content, a strategic publishing company in Framingham, Mass. E-mail him at firstname.lastname@example.org.