Tuesday, February 16, 1999, 2:00 p.m. ET

The Key To Unlocking Data Access

By RUTRELL YASIN

Enterprises are finally doing something about their insecure intranets and extranets. Public-key infrastructure (PKI) technology--until now used mostly to secure Internet transactions in banking and other financial applications--is now reaching deep into corporate departments and everyday business applications.

Enterprises can no longer operate without a PKI safety net as they extend applications and data to partners and far-flung employees. Companies are looking for their "return on investment with PKI to come from [securing] business-to-business and internal applications such as human resources systems," says John Pescatore, a senior consultant with PKI vendor Entrust Technologies Inc.

Leading the way are corporate titans such as Federal Express Corp., NationsBank Corp. and Texas Instruments Inc., all of which are piloting projects that could set the stage for internal PKI deployment for authentication, privacy and data integrity.

Federal Express is out in front. Fedex hopes to reap the benefits of PKI this spring as it rolls out a digital signature-enabled human resources system that gives the company's 141,000 employees secure access to their personnel files. Fedex, which is using Entrust encryption-key management, secure e-mail and application development tools, worked closely with Entrust to migrate the mainframe-based HR systems to an intranet.

"When we first started with PKI, we found all the PKI vendors were following an Internet model, not an intranet model," says James Candler, Fedex's vice president of personnel systems and support. Changes were required to plug PKI into an intranet environment in which users might use multiple workstations, he says.
With Internet transactions, the model is much simpler: a home user conducting a transaction with a bank can download a digital certificate--an electronic credential that binds a public key to a user's identity--to a PC, and the credential is specific to that computer. However, in a corporate setting such as Fedex, departmental and field users need access to desktop PCs in conference rooms and at kiosks. Single-system digital certificates are not enough.

As a result, Fedex "had to create roaming certificates" that could be downloaded to a PC from an LDAP-based corporate directory, Candler says. Using an Entrust digital certificate password and hardware ID tokens that resemble credit cards, Fedex wants its managers to transmit employee performance appraisals over the intranet, for example, eliminating a lot of paperwork.

But at $65 apiece, the company didn't want to give every employee a secure ID token. "We created a level of trust in the HR system," so employees who don't need access to a higher level of information can log on with just a passphrase, Candler says.

One benefit is that the implementation of PKI encryption and digital certificates is letting Fedex employees perform tasks on the Web that they couldn't before, Candler notes. For example, employee salary reviews are now sent to a supervisor via an e-mail message that includes a URL linking directly to the appropriate HR site where the review is written. Then the supervisor can forward the information on to HR.

Candler thinks other companies will add Web extensions to their HR systems to give employees self-service access to benefit and retirement plans. "I've talked to other CIOs, and they agree that this is exactly where their companies need to go," Candler says. "We're leading the market by about a year," he says.

But as organizations deploy PKI, product interoperability and certificate management have become problematic.
NationsBank, a unit of $6.5 billion Bank of America, has launched pilot projects to give employees access to personnel records, 401(k) and other benefits, says Sam Phillips, senior vice president of information security at the bank. PKI is generating "a lot of excitement," Phillips says.

However, "like most companies, we want to standardize on one e-mail package. We are a very large organization constantly in acquisition" mode, he says. If one division is using Lotus Notes and the other Microsoft Exchange, the question is how to make the packages work together so that an S/MIME security implementation works across both systems, he says. Another obstacle is directory services, specifically ensuring interoperability between LDAP interfaces from Microsoft, Netscape and Novell, he says.

To overcome some of these interoperability problems, NationsBank is using VeriSign Inc.'s Onsite integrated platform as a primary Certificate Authority. VeriSign "gives us flexibility," Phillips says. Instead of NationsBank setting up the PKI infrastructure internally, "VeriSign offers a complete set of services. We can leverage what they're doing" to communicate with GTE CyberTrust or Netscape if customers choose certificates from those vendors, he says.

Even electronics giant Texas Instruments opted for VeriSign, scrapping plans to launch a homegrown PKI framework. "We actually built our own PKI, which was fairly robust, but we wanted to concentrate on our core competency," says John Fraser, IT security manager at the $8.4 billion manufacturer. "To deploy PKI, you had to pull together the servers, desktops, clients, the whole ball of wax," Fraser says. "We wanted to be in the position as the market changes to move to the next new solution in PKI without changing" the whole infrastructure, Fraser says. Because VeriSign is based on an open platform, off-the-shelf security products can be integrated into the framework, reducing costs.
TI will deploy PKI both for intranets and Internet apps, Fraser says. "But our plan is not to use VeriSign digital certificates for customer-to-business transactions--not like the banking model." TI has launched a program to forge tighter links with suppliers and to extend its intranet to accommodate more self-service apps, he says.

As the company deployed PKI technology and digital certificates, the biggest hurdles were managing a certificate revocation list and key escrow for employees who forgot passwords, Fraser says. VeriSign is attempting to solve that problem with OnSite Key Manager, which provides encrypted backup and recovery of end-user keys and digital certificates used within a PKI. For the past year, Entrust, VeriSign and other PKI vendors have been offering tools that make it easier to manage multiple certificates from different vendors as well as add, change and revoke certificates.

Securing access to enterprise resource planning apps such as SAP is the next step for TI's PKI efforts, Fraser says. TI plans to deploy digital certificates for SAP's Internet Transaction Server, he says. ERP applications weren't offering links to PKI a year ago, Fraser says. Now SAP, PeopleSoft and Oracle realize their proprietary solutions have to be extended to acknowledge technologies such as Kerberos authentication and PKI.

Users are asking about PKI extensions to apps from PeopleSoft and SAP, as well as enterprise management platforms such as Computer Associates' Unicenter TNG and Tivoli Systems Inc.'s TME, Pescatore says. Management platforms are the likely places to add hooks for security modules. "The same platform that is used for managing resources also can be used to manage people using digital certificates. This way, VPNs, switches and routers all can be tied in with PKI," he says.

The government of Ontario, Canada, has several pilot projects with Entrust that should bear fruit this year, says Scott Campbell, assistant deputy minister there.
The government is issuing digital certificates to social workers at the 50 Children's Aid Societies across the province to ensure privacy. The certificates will let case workers securely access a central database to keep track of child abuse cases. The database is updated regularly, so workers can keep better tabs on abused children if they move from Toronto, for example, to Ottawa, Campbell says. Prior to the pilot, it could take months for workers to track down the whereabouts of a child.

Ontario also uses PKI to secure e-mail for the 6,000-person Ontario Provincial Police force. A third pilot will help the 300-person IT group determine if there are any holes in the technology, he says.

As users deploy PKI pilots, they may find the real challenge is defining policies that link the technology with business processes, says Spiros Angelopoulos, a group manager with Raytheon at the NASA Ames Research Center. "The tools are there, but [companies must define] policies on how to implement the tools," he says. For example, with digital certificates, companies need to establish a policy for user eligibility and how users will receive their credentials, he says.

NASA Ames, which has 11 research centers across the nation, is using PKI for secure e-mail. The center is moving toward the day when "every person [at the center] will have a digital certificate," Angelopoulos says.

As PKI products continue to mature and pilots move into production this year, IT managers anticipate a surge in PKI deployments. Says TI's Fraser: "There's more than a [growing] interest in PKI; there's a lot of pent-up demand."

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]