Feds secure access using PKI

HULL, Quebec — The Canadian government plans to give all federal employees and contractors secure access to IT systems next year using Entrust Inc.’s public key infrastructure (PKI), an official said earlier this week.


“PKI certification to employees is being rolled out as we speak,” said Jirka Danek, director general and chief technology officer at Public Works and Government Services Canada (PWGSC). “By next summer every employee will have an identity-based PKI certificate.”


Danek made his comments to an audience of about 70 public sector IT professionals at Government Symposium (GovSym), held last Tuesday at the Hilton Lac Leamy conference centre in Hull, Quebec, north of Ottawa.


PKI works by giving each user a device with a digital signature key pair. The private key is used to sign, and the public key is issued in a certificate by the certificate authority so other authorized users can verify signatures made with the private key.


Danek said it costs $36 per employee per year to administer PKI. The keys used by federal employees and contractors will have three certificates: one for encryption, one for authentication and one for signatures.


“One of the drivers was giving employees access to things like their own pension and payroll information,” he said.


Danek spoke on a panel discussion on end point security. His co-panelists were Michael Blackin, Oracle Corp.’s director of security and middleware solutions, and Valerie Turner, deputy chief information officer for the computing and communications services department at the University of Ottawa.


Turner said a major issue at her school is providing access to wireless users, such as students using Apple Inc.’s iPhone devices.


The University of Ottawa’s security concerns include students who want to play pranks by hacking into systems, plus miscreants stealing personal information and selling it to spammers or fraudsters.

“One of our main areas of focus is ensuring we have a culture of security,” she said.


Turner had some advice for IT managers hiring younger workers accustomed to using their own devices at work and posting information on social networking sites.


“It takes a lot of patience and oversight and sometimes some pretty firm wording around what is acceptable and what is not acceptable,” Turner said. “Be very explicit that sharing information about the workplace and colleagues through social networking tools is not acceptable. Have them sign agreements to that effect. Have them take personal responsibility around any mobile devices that they have. Don’t allow them to integrate their personal mobile devices into the workplace.”


With sensitive information, companies should use software that lets managers create rules dictating who can view, copy, delete and print the files, Blackin said.


“If somebody loses a laptop or somebody loses an iPhone and that had a database full of sensitive information, people ask, ‘Why wasn’t that database encrypted?’” Blackin said. “That’s the wrong question to ask. The question to ask is, ‘Why was that database on a laptop in the first place?’”

Other GovSym speakers included Enrique Salem, the new chief executive officer of Symantec Corp. of Cupertino, Calif.

During a keynote session, Salem gave examples of IT professionals going too far in improving security at the expense of

At a separate session, CANARIE Inc.’s chief research officer, Bill St. Arnaud, explained how government departments and universities will improve disaster recovery by placing backup data centres in remote locations with their own power plants.

GovSym was produced by IT World Canada Inc., publisher of Network World Canada.
