For your eyes only

E-commerce is like the proverbial tracks that run through town, dividing the seamy from the respectable. On one side, where the picket fences and tree-lined streets are found, live today’s savvy consumers who want to conduct business on-line, and the thousands of companies scrambling to provide it to them.

On the other side, the cheap motel and run-down tenement side, live the hackers, economic spies and rogue employees. They’re also eager – eager to hijack the growing number of on-line transactions for more nefarious purposes.

Despite their efforts, e-commerce generally works, thanks largely to the security vendors. And experts are saying that 1999 is the year that a new IT security weapon, perhaps even the ultimate weapon, will begin making its way into the enterprise arsenal: a technology known as public key infrastructure (PKI).

PKI is a loose term applied to the underlying structure – the hardware, software and knowledge – needed before companies can send sensitive information securely over intranets, extranets and the Internet. PKI lets them encrypt and, even more importantly, authenticate messages, so management knows with 100 per cent certainty who’s doing the sending and receiving. As experts like to say, PKI really boils down to one word: trust. PKI lets companies build “trust” hierarchies, a complex web of permissions to sensitive information. “You’re managing trust here, but the trust is only as good as the policies, due diligence and practices that go behind it,” said Jamie MacDonald, senior manager of commercial corporate electronic banking with Scotiabank in Toronto.

Here’s how PKI works. Every authorized user owns two sets of keys, one public, one private. The public key encrypts the data, and when the data arrives at the point of destination, it is unlocked with the user’s private key, or vice versa. But before someone can even send encrypted data, he or she must hold what’s known as a certificate.

A certificate is the electronic equivalent of a passport that contains an individual’s credentials, and is signed by a certification authority that verifies those credentials. This last part is particularly important, as unlike other security measures, PKI factors in non-repudiation; in other words, if someone sends a message with a certificate, it guarantees to the recipient that the sender is who he or she says they are. The certificates are granted and managed by certificate authorities (CAs), which may or may not be the PKI user. The largest CAs and PKI product and service providers in North America are Entrust Technologies, a spin-off of Nortel Networks, based in Ottawa, and Mountain View, Calif.-based VeriSign.
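The certificate check described above, as an added example that is not part of the original article: a recipient accepts a message only if a trusted CA signed the binding of the sender’s name to a public key, and that key in turn verifies the message. It uses toy textbook RSA over small constructed keys (insecure, chosen only to avoid dependencies); the function names and the "alice" identity are illustrative assumptions.

```python
import hashlib

E = 65537  # public exponent used by every toy key here

def make_key(p, q):
    """Toy RSA key from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    """SHA-256 as an integer below n (no real padding scheme: toy only)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)
def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def cert_body(subject, subject_n):
    """What the CA signs: the binding of a name to a public key."""
    return f"{subject}|{subject_n}".encode()

def issue(subject, subject_n, ca_n, ca_d):
    sig = sign(cert_body(subject, subject_n), ca_n, ca_d)
    return {"subject": subject, "n": subject_n, "sig": sig}

def accept(message, msg_sig, cert, expected_sender, ca_n):
    """Recipient's check: the CA vouches for the key, the key for the message."""
    if cert["subject"] != expected_sender:
        return "wrong subject"
    if not verify(cert_body(cert["subject"], cert["n"]), cert["sig"], ca_n):
        return "certificate not signed by trusted CA"
    if not verify(message, msg_sig, cert["n"]):
        return "message signature invalid"
    return "ok"

# Constructed keys built from Mersenne primes; far too weak for real use.
CA_N, CA_D = make_key(2**521 - 1, 2**607 - 1)
ALICE_N, ALICE_D = make_key(2**107 - 1, 2**127 - 1)
OTHER_N, OTHER_D = make_key(2**61 - 1, 2**89 - 1)   # a key the CA never certified

def demo():
    msg = b"transfer approved"
    cert = issue("alice", ALICE_N, CA_N, CA_D)
    sig = sign(msg, ALICE_N, ALICE_D)
    # A certificate naming alice but self-signed with the uncertified key.
    fake = issue("alice", OTHER_N, OTHER_N, OTHER_D)
    return [accept(msg, sig, cert, "alice", CA_N),
            accept(msg, sign(msg, OTHER_N, OTHER_D), fake, "alice", CA_N),
            accept(b"transfer denied", sig, cert, "alice", CA_N)]
```

`demo()` returns one verdict per case: the genuine message, a self-signed certificate claiming the same name, and an altered message under the genuine certificate.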

“In today’s market, those who want a PKI infrastructure are very large companies like banks, telecommunications and government,” said Maureen McConnell, business development manager with BCE Emergis Inc. in Montreal.

“But in the past few years, we’ve also seen a change.” The change, according to McConnell, is the trickling down of PKI from the very high end, to companies involved in health care, manufacturing, or ISPs. “But for them, it’s still a ‘nice to have’. They’re looking at it, but it will be another year before they break out of the pilot stage,” she said.

Experts agree that PKI is finally hitting its stride. Some predict that within two years, PKI will emerge from its current high-end niche and enter the mainstream. But they say several things will have to change first.

One issue is cost. “When a company decides to get into PKI, it has to get into a secure environment, hire the individuals to manage it, understand PKI, and for that alone…the company will have to hire and train,” McConnell said.

Even by IT standards, PKI is a relative newcomer, a pioneer technology. That factor, combined with the sophisticated level of integration PKI requires, means the initial outlay alone can range from $400,000 to $1 million. That makes doing PKI strictly in-house nearly impossible for most companies. Consultants, armed with hard-to-find security skills, will almost have to be called in. But once the infrastructure is in place, advocates say rolling out high-security applications in the future is easy and substantially less expensive. It also solves the problem of securing access to a variety of applications, since PKI allows for single sign-on.

Scotiabank’s MacDonald points to that as a big benefit of PKI. In Canada, any discussion of PKI inevitably drifts to Scotiabank, one of the earliest and certainly the most enthusiastic adopters of PKI technology in the country. Scotiabank has two distinct PKI programs in place, one for Web banking customers – 100,000 of whom now hold certificates – and one for use by employees. Echoing a common sentiment among PKI users, MacDonald said when it comes to implementation, the server and network technology underlying PKI is easy compared to the organizational change that comes with it.

“It definitely wasn’t the technology, it has been more putting the policies and practices in place, and the people skills. [PKI] isn’t new, but it’s more in the way it’s being deployed now,” he said. He also points to cost savings PKI has given Scotiabank. “The big problem is each application has its own native flavour of security, so your operational costs get quite high. But with PKI, with a single set of credentials, it provides for a common means of authentication.”

User acceptance is key to PKI success. Someone has to explain to users what a certificate is, how it’s used. Then procedures about how to send encrypted e-mail have to be discussed, and new passwords and sign-on methods will be thrust upon them.

Still, the technical issues can be daunting. The biggest headache is making sure the client/server and especially legacy applications are equipped to handle PKI in the first place. Experts say you should make sure you can run PKI over several of your applications. If you can’t, you may want to hold off until the vendor makes them ready, or find alternative solutions.

When it comes to the question of whether most applications are ready, according to Adel Melek, partner in Deloitte & Touche Canada’s e-business security and technology practice in Toronto, “the answer today is no. In terms of Entrust, there are a number of applications that are, and a number of legacy applications that aren’t (PKI-ready).”

Also, IS shops should make sure the level of security that already exists in an enterprise is ready for a PKI solution. Like all matters pertaining to security, companies first have to understand that the danger is real.

“People don’t realize the threat to their data. People will send e-mail back and forth, and they don’t appreciate that it may have been intercepted by a third party,” said Mark Dennison, director of consulting services with Montreal-based management consulting firm CGI Group Inc. He compares e-mail to postcards, and worries that lax or poorly implemented security policies may already be undermining IT security.

“We always tell companies to use threat assessment…to determine the level of risk,” he said. In an environment like this, adding PKI will accomplish little.

The level of preparation is causing some to move cautiously – and it is one reason why Robert Garigue, chief technology and information officer with Manitoba’s Office of Technology in Winnipeg, is leery of rushing into a PKI solution. Where Ontario, British Columbia and New Brunswick are taking an aggressive approach to the technology, re-tooling applications to handle PKI so they can quickly deliver services to citizens, Garigue, a long-time security expert, is taking a different approach.

“Building PKI into the applications seems ideal, but what about the other stuff that’s vulnerable…PKI doesn’t deal with these issues. It expects them to be there,” he said. “We want the infrastructure, and the components of the infrastructure, as we move up the stack from the wires to the applications.”

Before he rolls PKI out over his 29 departments, he wants to deal with issues like network vulnerability to trojans and viruses, including the much-publicized Back Orifice, which can still let hackers lift private keys. Garigue has already put in place a dedicated security team that can update enterprise virus scans in about nine hours.

Garigue is also studying the legal issues surrounding the validity of digital signatures and contracts, and watching for changes in the technology – that includes waiting for open standards to evolve among the vendors which will let users of competing PKI packages talk to one another, or “cross-certify.” The latter, he said, may free him from having to go with a single vendor.

“It’s where we want to go,” Garigue insists. “I know it works, but it works in a very specific, well-controlled environment with a lot of technical support. It trickles back down to the network, no matter how you look at it.”

But where Garigue is cautious, Bruce Schneier is critical. Schneier, author, security expert and president of Counterpane Systems in Minneapolis, said a lot of the hype surrounding CAs is pure marketing. CAs are still stored on PCs, he said, and thus still subject to attack. Even if they are protected by a password or smart card, Schneier said those methods still have their flaws. This is important, given that CAs are supposed to guarantee to recipients that the sender is who he or she says they are.

“I’d like organizations to understand what they are doing and what the risks are. Unfortunately, there aren’t many alternatives (to CAs) right now.”

He points to as an example of a large, successful Internet company that does not use, or plan to use, certificates. It relies on the much more conventional Secure Sockets Layer (SSL) technology. SSL sends data securely, and is used widely by on-line businesses to do credit card transactions over the Internet. But SSL does not authenticate users. Tyson Macaulay, chief technology officer at General Network Services Inc., a PKI systems integrator in Ottawa, said the difference between SSL and PKI comes down to how much risk an organization is willing to take. “If you have personal information like medical records, it’s way more important that you know where it came from. There’s more at stake than a book or magazine,” he said.

Credit card companies and vendors may be willing to take the odd loss due to fraud on items like books, but few would be willing to foot the bill for a car, or pony up for a fraudulent bid for an expensive item at an on-line auction, Macaulay added. He said the network nitty-gritty is one of the main stumbling blocks for his clients looking for PKI.

“There has to be a lot of default security inside organizations to accommodate the plumbing of PKI,” he said. “Status checks that take place in PKI require that the LDAP (Lightweight Directory Access Protocol) ports be opened up…(and) often the systems are set up right out of the box, and often they mess up the adjustments.”

But despite the immaturity of the technology, and the cost and headaches associated with implementations, the use of PKI will be widespread and cannot and should not be disputed, said Charles Breed, vice-president of Kroll-Ogara, a security consultancy in Palo Alto, Calif.

“It’s inevitable. There are technology issues and human issues and social issues, but PKI is inevitable, because it provides fundamental elements for doing transactions in a digital world,” he said.