[ISN] The Key to Unlocking Data Access

From: mea culpa (jerichoat_private)
Date: Fri Feb 19 1999 - 03:51:06 PST

  • Next message: mea culpa: "[ISN] REVIEW: "Top Secret Intranet", Fredrick Thomas Martin"

    Tuesday, February 16, 1999, 2:00 p.m. ET. 
    The Key To Unlocking Data Access
    By RUTRELL YASIN 
    
    Enterprises are finally doing something about their insecure intranets and
    extranets. Public-key infrastructure (PKI) technology--until now used
    mostly to secure Internet transactions in banking and other financial
    applications--is now reaching deep into corporate departments and everyday
    business applications. 
    
    Enterprises can no longer operate without a PKI safety net as they extend
    applications and data to partners and far-flung employees. 
    
    Companies are looking for their "return on investment with PKI to come
    from [securing] business-to-business and internal applications such as
    human resources systems," says John Pescatore, a senior consultant with
    PKI vendor Entrust Technologies Inc. 
    
    Leading the way are corporate titans such as Federal Express Corp.,
    NationsBank Corp. and Texas Instruments Inc., all of which are piloting
    projects that could set the stage for internal PKI deployment for
    authentication, privacy and data integrity. 
    
    Federal Express is out in front. Fedex hopes to reap the benefits of PKI
    this spring as it rolls out a digital signature-enabled human resources
    system that gives the company's 141,000 employees secure access to their
    personnel files. 
    
    Fedex, which is using Entrust encryption-key management, secure e-mail and
    application development tools, worked closely with Entrust to migrate the
    mainframe-based HR systems to an intranet. 
    
    "When we first started with PKI, we found all the PKI vendors were
    following an Internet model, not an intranet model," says James Candler,
    Fedex's vice president of personnel systems and support.  Changes were
    required to plug PKI into an intranet environment in which users might use
    multiple workstations, he says. 
    
    With Internet transactions, the model is much simpler: a home user
    conducting a transaction with a bank can download a digital
    certificate--electronic signatures that verify a user's identity--to a PC,
    and the information is specific to that computer. 
    
    However, in a corporate setting such as Fedex, departmental and field
    users need access to desktop PCs in conference rooms and at kiosks.
    Single-system digital certificates are not enough. 
    
    As a result, Fedex "had to create roaming certificates" that could be
    downloaded to a PC from an LDAP-based corporate directory, Candler says. 
    
    Using an Entrust digital certificate password and hardware ID tokens that
    resemble credit cards, Fedex wants its managers to transmit employee
    performance appraisals over the intranet, for example, eliminating a lot
    of paperwork. 
    
    But at $65 apiece, the company didn't want to give every employee a secure
    ID token. "We created a level of trust in the HR system," so employees who
    don't need access to a higher level of information can log on with just a
    passphrase, Candler says. 
    
    One benefit is that the implementation of PKI encryption and digital
    certificates is letting Fedex employees perform tasks on the Web that they
    couldn't before, Candler notes. For example, employee salary reviews are
    now sent to a supervisor via an e-mail message that includes a URL address
    linking directly to the appropriate HR site where the review is written.
    Then the supervisor can forward the information on to HR. 
    
    Candler thinks other companies will add Web extensions to their HR systems
    to give employees self-service access to benefit and retirement plans. 
    
    "I've talked to other CIOs, and they agree that this is exactly where
    their companies need to go,"  Candler says. "We're leading the market by
    about a year," he says. 
    
    But as organizations deploy PKI, product interoperability and certificate
    management have become problematic. 
    
    NationsBank, a unit of $6.5 billion Bank of America, has launched pilot
    projects to give employees access to personnel records, 401(k) and other
    benefits, says Sam Phillips, senior vice president of information security
    at the bank. 
    
    PKI is generating "a lot of excitement," Phillips says. However, "like
    most companies, we want to standardize on one e-mail package. We are a
    very large organization constantly in acquisition" mode, he says. If one
    division is using Lotus Notes and the other Microsoft Exchange, the
    question is how to make the packages work together so that an S/MIME
    security implementation works across both systems, he says. 
    
    Another obstacle is directory services, specifically ensuring
    interoperability between LDAP interfaces from Microsoft, Netscape and
    Novell, he says. 
    
    To overcome some of these interoperability problems, NationsBank is using
    VeriSign Inc.'s Onsite integrated platform as a primary Certificate
    Authority. VeriSign "gives us flexibility," Phillips says. Instead of
    NationsBank setting up the PKI infrastructure internally, "VeriSign offers
    a complete set of services. We can leverage what they're doing" to
    communicate with GTE CyberTrust or Netscape if customers choose
    certificates from those vendors, he says. 
    
    Even electronics giant Texas Instruments opted for VeriSign, scrapping
    plans to launch a homegrown PKI framework. 
    
    "We actually built our own PKI, which was fairly robust, but we wanted to
    concentrate on our core competency," says John Fraser, IT security manager
    at the $8.4 billion manufacturer. "To deploy PKI, you had to pull together
    the servers, desktops, clients, the whole ball of wax," Fraser says. 
    
    "We wanted to be in the position as the market changes to move to the next
    new solution in PKI without changing" the whole infrastructure, Fraser
    says. Because VeriSign is based on an open platform, off-the-shelf
    security products can be integrated into the framework, reducing costs. 
    
    TI will deploy PKI both for intranets and Internet apps, Fraser says. "But
    our plan is not to use VeriSign digital certificates for
    customer-to-business transactions--not like the banking model." 
    
    TI has launched a program to forge tighter links with suppliers and to
    extend its intranet to accommodate more self-service apps, he says. 
    
    As the company deployed PKI technology and digital certificates, the
    biggest hurdles were managing a certificate revocation list and key escrow
    for employees who forgot passwords, Fraser says. 
    
    VeriSign is attempting to solve that problem with OnSite Key Manager,
    which provides encrypted backup and recovery of end-user keys and digital
    certificates used within a PKI. 
    
    For the past year, Entrust, VeriSign and other PKI vendors have been
    offering tools that make it easier to manage multiple certificates from
    different vendors as well as add, change and revoke certificates. 
    
    Securing access to enterprise resource planning apps such as SAP is the
    next step for TI's PKI efforts, Fraser says. TI plans to deploy digital
    certificates for SAP's Internet Transaction Server, he says. 
    
    ERP applications weren't offering links to PKI a year ago, Fraser says.
    Now SAP, PeopleSoft and Oracle realize their proprietary solutions have to
    be extended to acknowledge technologies such as Kerberos authentication
    and PKI. 
    
    Users are asking about PKI extensions to apps from PeopleSoft and SAP, as
    well as enterprise management platforms such as Computer Associates'
    Unicenter TNG and Tivoli Systems Inc.'s TME, Pescatore says. 
    
    Management platforms are the likely places to add hooks for security
    modules. "The same platform that is used for managing resources also can
    be used to manage people using digital certificates. This way, VPNs,
    switches and routers all can be tied in with PKI," he says. 
    
    The government of Ontario, Canada, has several pilot projects with Entrust
    that should bear fruit this year, says Scott Campbell, assistant deputy
    minister there. The government is issuing digital certificates to social
    workers at the 50 Children's Aide Societies across the province to ensure
    privacy. The certificates will let case workers securely access a central
    database to keep track of child abuse cases. 
    
    The database is updated regularly, so workers can keep better tabs on
    abused children if they move from Toronto, for example, to Ottawa,
    Campbell says. Prior to the pilot, it could take months for workers to
    track down the whereabouts of a child. 
    
    Ontario also uses PKI to secure e-mail for the 6,000-person Ontario
    Provincial Police force. A third pilot will help the 300-person IT group
    determine if there are any holes in the technology, he says. 
    
    As users deploy PKI pilots, they may find the real challenge is defining
    policies that link the technology with business processes, says Spiros
    Angelopoulos, a group manager with Raytheon at the NASA Ames Research
    Center. 
    
    "The tools are there, but [companies must define] policies on how to
    implement the tools," he says.  For example, with digital certificates,
    companies need to establish a policy for user eligibility and how users
    will receive their credentials, he says. 
    
    NASA Ames, which has 11 research centers across the nation, is using PKI
    for secure e-mail. The center is moving toward the day when "every person
    [at the center] will have a digital certificate,"  Angelopoulos says. 
    
    As PKI products continue to mature and pilots move into production this
    year, IT managers anticipate a surge in PKI deployments. Says TI's Fraser:
    "There's more than a [growing] interest in PKI; there's a lot of pent-up
    demand." 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:19:24 PDT