Simplified deployment and more realistic expectations have led to a comeback for digital certificates. Ericka Chickowski reports.
In theory, using public key infrastructure (PKI) to securely exchangedata and money over an unsecure public network seemed like a great idea.Unfortunately, putting this into practice turned out to be not quite sosimple, and the crash and burn following many multi-million dollar PKIprojects in the late 1990s, left many security professionals with abitter taste that lingers on to this day.
But these infrastructures never went away, and in recent years it seemsthey are quietly making good on at least some of the promises madeduring the early stages of the hype. "It did go through a period whereit was almost like a four letter word," says Sharon Boeyen, principal ofadvanced security for Entrust Technologies. "I don't think we're hearinganywhere near as much of the negativity there was a couple of yearsago."
PKI works through digital certificates and cryptigraphic keys, and thecore technology for these hasn't changed much. So what has? Expertsbelieve that the renaissance in PKI stems from a better understanding ofhow to deploy and manage certificates and limit the scope ofprojects.
"I would say PKI is on sort of a second honeymoon with the industry,"says R. "Doc" Vaidhyanathan, vice-president of product management atArcot Systems. "It's a lot more muted, but it's certainly anotherhoneymoon. During the first one, about ten years ago, everyone spentmillions of punds building up a huge PKI infrastructure - and most ofthem never got deployed because of the complexity involved. I think thesecond time around people are coming at it a lot more cautiously, andare also trying to bring less grandiose approaches to PKI."
Others are slightly more guarded in their response. "I'm not sure Iwould call it a honeymoon," says Roger Sullivan, vice-president ofbusiness development for Oracle's identity management solutions."Perhaps a second date after the first one went horribly wrong."
The reason the industry is even able to give digital certificates asecond chance is that there was never anything wrong with the technologyin the first place, he argues. The problem was that people expected toomuch in the beginning.
"There was so little experience in what it actually meant to issue thesecertificates, and what business practices were required to have one.Expectations were set artificially high by many vendors," Sullivan says."Customers who purchased these things and tried to deploy them foundthey were not getting any value and were left wondering why they hadspent so much money on them. So that put the breaks on the industry veryquickly in the late 1990s."
He explains that these failed implementations did not undermine theinherent value of PKI, they just never fully addressed the challenges ofthe infrastructure. As he sees it, there are three major stumblingblocks to deployment: the cost of the certificates themselves, thecomplexity of administration and finding a business rationale fordeployment.
While the cost of the certificates remains about the same, much hasimproved with regards to the other two challenges, according toSullivan.
Simplicity is key
One of the problems PKI had the first time round was that too muchinteraction was required from the end-user throughout the certificatelifecycle. Over the past few years, certificate and key managementsolutions have created situations that require no user interaction oreven awareness that certificates are being used, and experts believethis has helped boost acceptance of PKI.
"People are deploying PKI and users don't really even know it ishappening," Boeyen says. "That's basically the difference."
Businesses have also been able to simplify deployment as those involvedrealised that they did not have to spend a lot of time buildingsophisticated infrastructures right away. "In terms of the way companiesroll them out, the process has been evolving," says Paul Kocher,president of San Francisco-based Cryptography Research. "Five years agopeople would decide there was an application that justified building aPKI and they would spend a lot of time building a really sophisticatedbleeding edge one right at the beginning. We're seeing a lot morecompanies now that start with something small and dirty and after thatother applications come along and they sort of evolve into it."
This has been made possible as specialised PKI vendors and even largersoftware vendors, such as Microsoft, have created software and servicesto make it easier to deploy infrastructures. In fact, Microsoft is justgetting ready to release Certificate Lifecycle Management later thisyear. Some believe that digital certificates will become even easier tohandle as certificate management becomes more embedded intohardware.
"PKI is getting embedded under the hood in just about every place youcan imagine," Kocher says. "The trend is to embed it as a feature intosomething that people don't necessarily pay for."
An example of this are the Trusted Platform Module chips that areroutinely built into almost all of today's motherboards, says StevenSprague, president and CEO of Wave Systems, a US-based IT servicescompany.
"Inside that Trusted Platform Module, I can contain hundreds ofcertificates," he explains. "So I have a common component I can leveragein my PC. The goal here is standards-based security in the machine thatprovides a common framework for everybody to use."
While simplification of certificate management has been a criticalfactor in the PKI renaissance, Oracle's Sullivan believes that limitingthe scope of projects has been another. "We have become much more clearas business people as to which kinds of transactions requirecertificates and which do not," he says. "And simply by making thatdelineation we're able to deploy certificates more effectively."
Boeyen agrees that today's enterprises are letting the needs of thebusiness drive adoption. "People are not deploying PKI for the sake ofit," she says. "They're deploying it now to meet an existing businessneed. So they start with a particular application and then it can growbeyond that."
CASE STUDY - INFORMATION SECURITY FORUM
An independent security organisations dedicated to improving bestpractices among global enterprises, the Information Security Forum (ISF)gathers valuable information about the way businesses are securing theirinfrastructures.
The challenge is how to safely disseminate all of this sensitiveinformation, according to Miles Clement, senior research consultant atISF. The forum set up an extranet to make its publications available tomembers four years ago.
Access was initially controlled by a token-based system for two-factorauthentication. But even though that system was quite secure, it meantusers had to carry tokens around and remember a pin number. "We foundthat we had a very high rate of support calls just to reset the pins, orto resynchronize the devices because people weren't familiar with thedevices or didn't use them enough," Clement recalls.
On top of this, the cost of the tokens was high and the time it took todeliver the devices to the users acted as a detriment to the wholepremise of providing immediate access to information on the extranet."So this was restricting the number of users who could use our websitebecause of the cost," he says. "And it was making our website not veryattractive because it was so painful to get through the authenticationprocess."
The ISF began looking for a simpler two-factor solution last year anddecided on Swivel Secure's PINsafe. "We wanted an authentication methodthat gave us a similar level of protection without the disadvantages ofthe token-based approach," he explains. "With this we can create a newuser instantaneously. It has reduced our set-up time and took away a lotof our other barriers."
The solution works by creating a user pin that acts as a mask for theactual code that is entered into the system, says Andy Cole,vice-president of sales and business development at Swivel.
"We require no device," Cole adds, "Very simplistically, we issue theuser a four-digit pin, which is never entered into a public browser. Wegenerate a number string and take the four digit pin to manually extracta one-time code from the string to authenticate."
Clement claims the number of users on the site since deploying theSwivel method in April has nearly doubled. The amount of logins per userhas also increased dramatically.
Despite this rise in traffic, the amount of time ISF staff spendsupporting the authentication process has plummeted. Not only do theynot have to mail out tokens, but they have also been armed with a moremanageable password reset procedure through Swivel's technology, whichautomates the process, Clement says. "Typically, we were experiencing 10to 15 resets a day in the past," he says. "Now with twice as many users,we only get around two manual resets a day." This allows both theorganisation and the site's users to focus on its main line ofbusiness.
THREE GOLDEN RULES
There are three major considerations to think about when choosingvendors and deploying digital certificate infrastructure and managementsolutions
1. Managing the certificate lifecycle There should be an easy way tomaintain certificates and ensure a smooth rollover to new certificatesbefore the old ones expire. This is absolutely critical to maintaintransparency to the end-user.
2. Maintaining certificate history You should have a mechanism to keep ahistory of old certificates and keys for any user who is encryptingdata. They need to keep old keys that have rolled over to be able todecrypt information that was encrypted with the old keys.
3. Backing up certificates The enterprise needs to have access tobacked-up certificates and keys in the event that a user loses ordeletes the original. This is the only way to ensure the enterprise willalways be able to access the data, no matter what the user does.