Simplified deployment and more realistic expectations have led to a comeback for digital certificates. Ericka Chickowski reports.
In theory, using public key infrastructure (PKI) to securely exchange
data and money over an insecure public network seemed like a great idea.
Unfortunately, putting this into practice turned out to be not quite so
simple, and the crash and burn of many multi-million dollar PKI
projects in the late 1990s left many security professionals with a
bitter taste that lingers on to this day.
But these infrastructures never went away, and in recent years it seems
they are quietly making good on at least some of the promises made
during the early stages of the hype. "It did go through a period where
it was almost like a four letter word," says Sharon Boeyen, principal of
advanced security for Entrust Technologies. "I don't think we're hearing
anywhere near as much of the negativity there was a couple of years
ago."
PKI works through digital certificates and cryptographic keys, and the
core technology for these hasn't changed much. So what has? Experts
believe that the renaissance in PKI stems from a better understanding of
how to deploy and manage certificates, and of how to limit the scope of
projects.
"I would say PKI is on sort of a second honeymoon with the industry,"
says R. "Doc" Vaidhyanathan, vice-president of product management at
Arcot Systems. "It's a lot more muted, but it's certainly another
honeymoon. During the first one, about ten years ago, everyone spent
millions of pounds building up a huge PKI infrastructure - and most of
them never got deployed because of the complexity involved. I think the
second time around people are coming at it a lot more cautiously, and
are also trying to bring less grandiose approaches to PKI."
Others are slightly more guarded in their response. "I'm not sure I
would call it a honeymoon," says Roger Sullivan, vice-president of
business development for Oracle's identity management solutions.
"Perhaps a second date after the first one went horribly wrong."
The reason the industry is even able to give digital certificates a
second chance is that there was never anything wrong with the technology
in the first place, he argues. The problem was that people expected too
much in the beginning.
"There was so little experience in what it actually meant to issue these
certificates, and what business practices were required to have one.
Expectations were set artificially high by many vendors," Sullivan says.
"Customers who purchased these things and tried to deploy them found
they were not getting any value and were left wondering why they had
spent so much money on them. So that put the brakes on the industry very
quickly in the late 1990s."
He explains that these failed implementations did not undermine the
inherent value of PKI; they simply never fully addressed the challenges
of the infrastructure. As he sees it, there are three major stumbling
blocks to deployment: the cost of the certificates themselves, the
complexity of administration, and finding a business rationale for
deployment.
While the cost of the certificates remains about the same, much has
improved with regards to the other two challenges, according to
Sullivan.
Simplicity is key
One of the problems PKI had the first time round was that too much
interaction was required from the end-user throughout the certificate
lifecycle. Over the past few years, certificate and key management
solutions have removed the need for user interaction at any stage of
that lifecycle, or even awareness that certificates are being used, and
experts believe this has helped boost acceptance of PKI.
"People are deploying PKI and users don't really even know it is
happening," Boeyen says. "That's basically the difference."
Businesses have also been able to simplify deployment as those involved
realised that they did not have to spend a lot of time building
sophisticated infrastructures right away. "In terms of the way companies
roll them out, the process has been evolving," says Paul Kocher,
president of San Francisco-based Cryptography Research. "Five years ago
people would decide there was an application that justified building a
PKI and they would spend a lot of time building a really sophisticated
bleeding edge one right at the beginning. We're seeing a lot more
companies now that start with something small and dirty and after that
other applications come along and they sort of evolve into it."
This has been made possible as specialised PKI vendors and even larger
software vendors, such as Microsoft, have created software and services
to make it easier to deploy infrastructures. In fact, Microsoft is just
getting ready to release Certificate Lifecycle Management later this
year. Some believe that digital certificates will become even easier to
handle as certificate management becomes more embedded into
hardware.
"PKI is getting embedded under the hood in just about every place you
can imagine," Kocher says. "The trend is to embed it as a feature into
something that people don't necessarily pay for."
An example of this is the Trusted Platform Module (TPM) chip that is
routinely built into almost all of today's motherboards, says Steven
Sprague, president and CEO of Wave Systems, a US-based IT services
company.
"Inside that Trusted Platform Module, I can contain hundreds of
certificates," he explains. "So I have a common component I can leverage
in my PC. The goal here is standards-based security in the machine that
provides a common framework for everybody to use."
While simplification of certificate management has been a critical
factor in the PKI renaissance, Oracle's Sullivan believes that limiting
the scope of projects has been another. "We have become much more clear
as business people as to which kinds of transactions require
certificates and which do not," he says. "And simply by making that
delineation we're able to deploy certificates more effectively."
Boeyen agrees that today's enterprises are letting the needs of the
business drive adoption. "People are not deploying PKI for the sake of
it," she says. "They're deploying it now to meet an existing business
need. So they start with a particular application and then it can grow
beyond that."
CASE STUDY - INFORMATION SECURITY FORUM
An independent security organisation dedicated to improving best
practices among global enterprises, the Information Security Forum (ISF)
gathers valuable information about the way businesses are securing their
infrastructures.
The challenge is how to safely disseminate all of this sensitive
information, according to Miles Clement, senior research consultant at
ISF. The forum set up an extranet to make its publications available to
members four years ago.
Access was initially controlled by a token-based system for two-factor
authentication. But even though that system was quite secure, it meant
users had to carry tokens around and remember a PIN. "We found
that we had a very high rate of support calls just to reset the PINs, or
to resynchronize the devices because people weren't familiar with the
devices or didn't use them enough," Clement recalls.
On top of this, the tokens were expensive, and the time it took to
deliver the devices to users undermined the whole premise of providing
immediate access to information on the extranet.
"So this was restricting the number of users who could use our website
because of the cost," he says. "And it was making our website not very
attractive because it was so painful to get through the authentication
process."
The ISF began looking for a simpler two-factor solution last year and
decided on Swivel Secure's PINsafe. "We wanted an authentication method
that gave us a similar level of protection without the disadvantages of
the token-based approach," he explains. "With this we can create a new
user instantaneously. It has reduced our set-up time and taken away a lot
of our other barriers."
The solution works by creating a user PIN that acts as a mask for the
actual code that is entered into the system, says Andy Cole,
vice-president of sales and business development at Swivel.
"We require no device," Cole adds. "Very simplistically, we issue the
user a four-digit PIN, which is never entered into a public browser. We
generate a number string and take the four-digit PIN to manually extract
a one-time code from the string to authenticate."
Clement claims that the number of users on the site has nearly doubled
since the Swivel method was deployed in April. The number of logins per
user has also increased dramatically.
Despite this rise in traffic, the amount of time ISF staff spend
supporting the authentication process has plummeted. Not only do they
not have to mail out tokens, but they have also been armed with a more
manageable password reset procedure through Swivel's technology, which
automates the process, Clement says. "Typically, we were experiencing 10
to 15 resets a day in the past," he says. "Now with twice as many users,
we only get around two manual resets a day." This allows both the
organisation and the site's users to focus on their main line of
business.
THREE GOLDEN RULES
There are three major considerations to think about when choosing
vendors and deploying digital certificate infrastructure and management
solutions.
1. Managing the certificate lifecycle. There should be an easy way to
maintain certificates and ensure a smooth rollover to new certificates
before the old ones expire. This is absolutely critical to keep the
process transparent to the end-user.
2. Maintaining certificate history. You should have a mechanism to keep
a history of old certificates and keys for any user who is encrypting
data. Once a key has rolled over, the old key must still be available to
decrypt information that was encrypted under it. This applies to
encryption keys; signing keys need no such archive, and keeping copies of
them would undermine the non-repudiation they are meant to provide.
3. Backing up certificates. The enterprise needs to have access to
backed-up certificates and keys in the event that a user loses or
deletes the original. This is the only way to ensure the enterprise will
always be able to access the data, no matter what the user does.
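Rules 1 and 2 together, as an added example for this article and not any vendor's product: a key ring that rolls its current key over inside a window before expiry, labels every ciphertext with the id of the key that produced it, and keeps retired keys so that old data stays readable; the export and restore functions sketch rule 3. The cipher inside is an illustrative HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, chosen only so the example runs on a plain Python install; it is not a vetted AEAD, and a real deployment would use a library mode such as AES-GCM with the same key-id header. The class and function names, the lifetimes and the blob layout are all assumptions.

```python
import hashlib
import hmac
import os
import struct
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)
KEY_ID_LEN, NONCE_LEN, TAG_LEN = 4, 16, 32   # assumed blob layout: id | nonce | ct | tag


def utc(year: int, month: int, day: int) -> datetime:
    """Helper so callers can write dates without importing datetime themselves."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative counter-mode stream: block i = HMAC-SHA256(enc_key, nonce || i)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


class KeyRing:
    """One current key plus the full history of every key that ever encrypted data."""

    def __init__(self) -> None:
        self.keys = {}        # key id -> (secret, not_after)
        self.current = 0      # id of the key used for new encryptions
        self._next_id = 1

    def generate(self, now: datetime, lifetime: timedelta) -> int:
        kid = self._next_id
        self._next_id += 1
        self.keys[kid] = (os.urandom(32), now + lifetime)
        self.current = kid
        return kid

    def needs_rollover(self, now: datetime, window: timedelta) -> bool:
        """Rule 1: roll over inside the window before expiry, never after it."""
        return now + window >= self.keys[self.current][1]

    def rollover_if_due(self, now: datetime, window: timedelta, lifetime: timedelta) -> int:
        """Returns the current key id after the check, new or unchanged."""
        if self.needs_rollover(now, window):
            return self.generate(now, lifetime)
        return self.current

    def _subkeys(self, kid: int):
        secret, _ = self.keys[kid]            # separate encryption and MAC subkeys
        return (hmac.new(secret, b"enc", hashlib.sha256).digest(),
                hmac.new(secret, b"mac", hashlib.sha256).digest())

    def encrypt(self, plaintext: bytes) -> bytes:
        """Every blob carries the id of the key that produced it."""
        enc_key, mac_key = self._subkeys(self.current)
        nonce = os.urandom(NONCE_LEN)
        header = struct.pack(">I", self.current) + nonce
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
        return header + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        """Rule 2: look the key up by id in the history, not just the current key."""
        if len(blob) < KEY_ID_LEN + NONCE_LEN + TAG_LEN:
            raise ValueError("truncated blob")
        kid = struct.unpack(">I", blob[:KEY_ID_LEN])[0]
        if kid not in self.keys:
            raise KeyError(f"key id {kid} is not in the history; data is unrecoverable")
        enc_key, mac_key = self._subkeys(kid)
        header = blob[:KEY_ID_LEN + NONCE_LEN]
        ct, tag = blob[KEY_ID_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(mac_key, header + ct, hashlib.sha256).digest()):
            raise ValueError("authentication tag mismatch")
        nonce = header[KEY_ID_LEN:]
        return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

    def forget(self, kid: int) -> None:
        """Deliberately drops history to show the failure mode rule 2 guards against."""
        del self.keys[kid]

    def export_backup(self) -> list:
        """Rule 3: escrow every key so the enterprise, not only the user, can recover data.
        A real backup would itself be encrypted under a key-encryption key."""
        return [(kid, secret.hex(), not_after.isoformat())
                for kid, (secret, not_after) in self.keys.items()]

    def restore_backup(self, backup: list) -> None:
        for kid, secret_hex, not_after in backup:
            self.keys[kid] = (bytes.fromhex(secret_hex), datetime.fromisoformat(not_after))
            self._next_id = max(self._next_id, kid + 1)
        if self.keys and self.current not in self.keys:
            self.current = max(self.keys)


if __name__ == "__main__":
    ring = KeyRing()
    k1 = ring.generate(utc(2006, 1, 1), 365 * DAY)
    old = ring.encrypt(b"board minutes, 2006")          # constructed sample data
    k2 = ring.rollover_if_due(utc(2006, 12, 15), 30 * DAY, 365 * DAY)
    print(f"rolled from key {k1} to key {k2}; old data still reads: {ring.decrypt(old)!r}")
```

The forget method exists only to show the failure mode: once a key id leaves the history, every blob carrying that id is unrecoverable unless a backup such as the one export_backup produces exists. The same key-id header is what lets a rollover happen without the user noticing, since reads of old data never depend on which key is current.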