Confidentially yours:: Page 2

(Page 2 of 3)

"Being in agents' offices, seeing those yellow Post-it notes with passwords all over the place convinced us [PKI] was a better approach."
--John Almeida, assistant vice president of MIS, Safety Insurance
Safety is using AssureWeb, a product from Entegrity Solutions Corp. of San Jose, Calif., that adds PKI security to Web sites. New York City-based Bell Atlantic Corp. provides certification authenticity and telecommunications services for Safety. While relying on vendors to implement PKI saves the expense of putting security experts on payroll, Almeida does think it leaves Safety too dependent on those companies. He hopes that future standards will allow greater interoperability of PKI systems, indirectly making it easier for Safety to change vendors if necessary.

Securing international payments

For companies like Ruesch International Inc., e-commerce is the core of the business model. With U.S. headquarters in Washington, D.C., Ruesch expedites international trade for its 25,000 worldwide clients by providing currency exchange and international banking services. For example, the company enables its clients to check payment histories to existing vendors or to set up automatic payments to new vendors. Two-and-a-half years ago, Ruesch decided to develop online services for existing customers; in Feb. 1999, the company launched its Web site.

Authentication and privacy are important issues for Ruesch, and not just because clients expect sensitive data to be protected. The company falls under U.S. banking industry regulations, so any tampering with data could trigger legal action by the government. But Ruesch didn't want to go overboard with security, since a system that's a burden to customers could drive away business.

Ruesch considered a number of technologies, including biometrics, which employs specialized scanners to check unique physical characteristics such as users' fingerprints or retinal patterns. Unfortunately, while biometrics provides solid authentication, the technique requires intrusive scanners that fit on a finger or over an eye.

The company finally settled on a PKI system, building it with pieces from a number of different vendors. This choice provided an additional benefit: the ability to disprove any false claims by customers that they did not make specific transactions. The PKI system can refute false claims by producing evidence that the customer's unique digital certificate was indeed presented during the transaction.

Ruesch's first step in implementing PKI was to choose vendors. The company started working with GTE Internetworking Inc., a Cambridge, Mass., unit of GTE Corp., almost three years ago to set up VPNs among Ruesch's branch offices in the United States. Ruesch decided to continue using GTE Internetworking as its ISP and as host of its Web site.

In addition, another division of GTE had bought CyberTrust of Needham Heights, Mass., a certification authority. So Ruesch chose CyberTrust over competing CAs like VeriSign Inc. and Entrust Technologies Inc., in Plano, Texas. Outsourcing PKI services also was more appealing to Ruesch than buying software from a vendor like Baltimore Technologies PLC, with U.S. headquarters in Plano, Texas, and creating an in-house CA. "It seemed like a nice marriage," says Ronald Szoc, senior vice president of technology at Ruesch.

GTE hosts both the Web and PKI servers, with the former tied back to Ruesch's headquarters through a VPN. CyberTrust issues a certificate to a Ruesch customer, who then goes to Ruesch's Web server. This server passes the certificate to the PKI server, which authenticates the certificate with CyberTrust. If approved, the customer is allowed through the firewall to use Ruesch's services. Using GTE for certificates and Web hosting allows Ruesch to avoid the cost and trouble of building PKI expertise in-house.

The digital devil is in the details

Lessons learned about public key infrastructure

Hire expert help or partner with a PKI expert, because the PKI learning curve is steep.
Recognize that organizational and business process issues are as much a part of PKI as technology.
Plan on technical support for those using digital certificates on a PKI system.
Prepare a robust IT architecture, including full network directory services.
But picking PKI services is more than a question of convenience. The business practices of certification authorities vary greatly, and this can determine the level of security available to the CAs' customers. One pivotal practice is a CA's requirements for the issuance of a certificate to an end user. Will the CA take a telephone request? Does the CA demand a fax of paper forms of identification, like a birth certificate or driver's license? Must someone apply in person for a digital certificate?

There is no right or wrong answer--and there is no standard that all CAs must follow. What is adequate security for one is expensive overkill--or even impossible--for another. Imagine if Amazon.com required each customer to meet with a company representative.

Businesses also have to decide how long certificates will remain valid, matching the certificates' "lifetime" to the habits and profiles of its customers. "If you set your lifetime too long and you have a lot of turnover... you end up having a huge revocation list," says Michael Froh, chief scientific officer at CyberSafe Canada Corp., in Ottawa, Ont., a division of CyberSafe Corp., an Issaquah, Wash., a vendor of enterprise security software. The revocation list, which enumerates certificates that have been voided, must be checked each time a certificate is used. The longer the revocation list, the more overhead the PKI system incurs.

There is also the issue of how often revocation lists are updated. Immediate notification from the CA when a certificate is no longer valid means more bandwidth and infrastructure expense. "Not a lot of organizations will need that degree of revocation checking," adds Froh.

Is it safe?

Aside from operational issues, some people worry that PKI can lull companies into a false sense of security. For example, a public key infrastructure isn't self-sufficient; it depends on other IT resources, like the network directory, which is necessary for storing the certificates.

Page 2 of 3

Previous Page
1 2 3
Next Page

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.



IT Management Daily
Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that datamation.com may send you Datamation offers via email, phone and text message, as well as email offers about other products and services that Datamation believes may be of interest to you. Datamation will process your information in accordance with the Quinstreet Privacy Policy.