Confidentially yours:

How secure will PKI make e-commerce?


You Can't Detect What You Can't See: Illuminating the Entire Kill Chain

On-Demand Webinar

(Page 1 of 3)

St. Joseph's Hospital needed an edge. The 524-bed teaching hospital based in Marshfield, Wisc., vies with major health care centers in four neighboring cities for patients.

While the fact that 70% of St. Joseph's patients drive more than 30 miles to reach the hospital was encouraging, it wasn't enough to guarantee continued success. So to make its facility more attractive to the doctors, the hospital decided a year ago to let physicians get information on their hospitalized patients through a standard Web interface, version 4.0 or higher of either Netscape or Internet Explorer. By providing such convenient access to data like test results, diagnoses, and treatment plans, St. Joseph's hoped that physicians would find it beneficial to direct patients to its facility.

AT A GLANCE: St. Joseph's Hospital Ministry Health Care
The company: Based in Marshfield, Wis., St. Joseph's Hospital is a 524-bed teaching hospital and the largest member of Ministry Health Care, a regional system in Wisconsin and Minnesota.

The problem: In order to attract referrals from physicians in its region, St. Joseph's developed a Web site for easy access to patient information. The hospital needed a way to safeguard that sensitive data.

The solution: St. Joseph's implemented a public key infrastructure solution from Arcot Systems Inc., of Palo Alto, Calif., in March 1999. Only a few physicians are currently using the system, but the potential number is over a thousand.

The IT infrastructure: Arcot's WebFort is a complete, drop-in PKI solution. Verisign Inc. provides certificate authentication, while GTE provides local telephone service and AT&T provides long distance. The hospital is part of the University of Wisconsin network (WiscNet), which provides the medical center's two T-1 lines to the Internet. St. Joseph's uses OutReach from IDX Systems Corp. of Burlington, Vt., which provides Web access and is also the vendor of its information system. OutReach makes the patient data available on the Web and integrates it with the rest of the system. The standard interface is version 4.0 or higher of either Netscape or Internet Explorer.

The only hitch was keeping patient data confidential. "We needed to go beyond a simple password approach," says CIO Steve Pelton. "The real fear was how would we ever be able to secure information."

Pelton's concern--common among IT professionals--was that while passwords and IDs are the linchpin of enterprise security, anyone who gets hold of a user name and password can access the hospital's system and its sensitive information. St. Joseph's answer has been to heighten security dramatically with a public key infrastructure (PKI).

PKI is an approach to achieving two security goals at the same time: user authentication and secure communications. The purpose of user authentication is to confirm that senders of messages are who they claim to be. Certification authorities (CAs), which issue digital certificates--electronic documents that include a user's digital signature--provide authentication. Secure communications uses encryption to render data indecipherable to anyone who illicitly intercepts it. To decode and read a message, both a public key (included in the digital certificate) and a private key (possessed only by the intended recipient) are required.

In March of this year, St. Joseph's went live with WebFort, a complete, drop-in PKI solution from Arcot Systems Inc., of Palo Alto, Calif. WebFort provides camouflaging technology that requires a PIN number to use the private key. If someone gives the wrong PIN number, the system provides a fake private key, so the digital signature will be invalid and the unauthorized user won't be able to read any messages. VeriSign Inc., in Mountain View, Calif., provides certificate authentication. While only a few physicians are using the PKI system now, the potential number is over a thousand.

PKI software sales are growing rapidly, from $58 million in 1997 to an expected $328 million in 1999, according to Giga Information Group Inc., of Norwell, Mass., estimates. Contributing to this growth are vendors of mission-critical applications. As they move to integrate Internet capabilities, they're considering PKI as a solution for secure communications. Whether their software is for ERP, supply chain planning, or human resources, security is an issue.

"As companies roll out these applications, PKI gets pulled along with them," says Abner Germanow, a senior analyst, Internet security at International Data Corp. in Framingham, Mass.

E-commerce drives security boom

"We needed to go beyond a simple password approach. The real fear was how would we ever be able to secure information."
--Steve Pelton, CIO, St. Joseph's Hospital
But rapid growth can't mask PKI's pitfalls, such as incompatibility among the many available implementations. Still, a public key infrastructure can offer valuable security capabilities to a company migrating key data to the Web--as long as the promises of vendors and the technology itself are served with a grain of salt.

Although PKI was invented in the 1970s, until recently it was only used in niche areas where security was paramount, such as military communications. Most organizations conducting electronic business--like electronic data interchange (EDI) with vendors and large customers--did so over dial-up lines, leased lines, or virtual private networks (VPNs). Such lines often offer a high level of physical security, making it difficult for hackers to intercept data.

Today, the business drivers for widespread adoption of PKI are explosive growth of the Internet and e-commerce. Companies suddenly find themselves doing business on public networks rather than via secure private lines. As e-commerce expands, so do the risks companies face. As the risks increase, so has the interest in PKI.

Boston-based Safety Insurance was one company that faced increased online security risks. With 2,500 independent agents working from 600 offices throughout Massachusetts, the 20-year-old insurer needed better interoffice communication links, so officials turned to PKI, creating a Web portal in Oct. 1998 to bolster secure communications.

Before the portal was implemented, when agents had questions for Safety, they had to play telephone tag with the customer service department. Web access provided agents instant information--and opened the door for potential security breaches. After visiting a few agents, the company decided that password protection was insufficient security.

"Being in agents' offices, seeing those yellow Post-it notes with passwords all over the place convinced us [PKI] was a better approach," says John Almeida, assistant vice president of MIS at Safety. The company decided to use a PKI system since digital certificates do not require the user to remember, let alone enter, IDs or passwords.

Standards, anyone?

Electronic business places a premium on systems that work across the entire Internet. Unfortunately, although PKI is meant to enable e-commerce, it ends up creating isolated islands of security in the vast World Wide Web. While PKI uses standards in some areas, public key infrastructure implementations are so diverse that individual systems are often incompatible.

True, digital certificates are governed by a standard, ITU X.509, which defines basic, mandatory data like the digital signature and private key. But X.509 also allows for vendor-defined data that varies by PKI system, such as someone's business title or a driver's license number. If two PKI implementations make different uses of this optional data, they won't be 100% compatible.

Even cryptography algorithms vary among PKI implementations. Some systems use RSA (Rivest, Shamir, and Adleman, inventors of the technique); others depend on DSS (Digital Signature Standard) encryption; still others employ DES (Data Encryption Standard). These methods do not interoperate.

A further complication is that PKI implementations involve business practices as well as technology. For two PKI systems to interoperate, their certification authorities (CAs) must be able to vouch for each other. But if two CAs have different business practices--such as initial identification requirements for users or the frequency of updates to revocation lists--they might not honor each other's certificates.

Efforts are underway to create some interoperability among CAs and PKI software. PKI Exchange (PKIX) is an emerging standard for PKI interoperability on the Internet. The National Institute of Standards and Testing (NIST) has also been developing federal government standards that are a subset of PKIX, as well as tests for PKI software interoperability under its standards. While the NIST standards would be compatible with PKIX, some PKIX implementations might not be compatible with NIST.

But some question whether PKI vendors are actually striving for compatibility. Michael Rothman, executive vice president of SHYM Technology Inc. of Needham, Mass., says that at least to some extent, cooperation on standards is for show. "None of the PKI vendors or certification authority service providers want real interoperability," says Rothman, whose company sells PKI interoperability software. The greater the interoperability, the harder it is for certification authority providers to differentiate themselves, he believes.

Kathy Lyons-Burke, lead on PKI applications for the NIST, has a similar perspective. "When the people who buy the PKIs start demanding the interoperability, it will appear. If [vendors] can sell more of their product by not being interoperable, then they will not be interoperable," she says. Similarly, they will become interoperable if they can sell more of their product that way, Lyons-Burke says.

If vendors don't hammer out interoperability issues, users could find it necessary to manage multiple digital certificates on their machines, a task they shouldn't relish. --E.S.

Page 1 of 3

1 2 3
Next Page

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.



IT Management Daily
Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that datamation.com may send you Datamation offers via email, phone and text message, as well as email offers about other products and services that Datamation believes may be of interest to you. Datamation will process your information in accordance with the Quinstreet Privacy Policy.