As intranets become extranets, digital certificates tighten security.
All around the world, thousands of organisations, both public and private, have opened their networks to give suppliers, customers and partners access to such applications as technical support, order history review, applications sharing, catalog maintenance, and design and marketing collaborations. According to Tom Collins, Rochester, N.Y.-based Eastman Kodak Co.'s intranet analyst, his company maintains over 200 distinct extranet relationships, aggregating to a million hits a day, and is adding more regularly.
From a management perspective, the networking of extranets is more complex than that of intranets. The CIO must consider which, if any, applications should require custom-built clients (allowing the conservation of legacy systems at the expense of ease of use) and which should be accessible with off-the-shelf browsers. In addition, it's important to determine whose responsibility it is to clean up networking and format incompatibilities between extranet partners.
And perhaps thorniest of all is the issue of how security is handled for all these constituencies and applications.
"Suppose you are deploying HR data to a payroll outsourcer, supplying marketing data to independent resellers, and sharing product news and pricing with high-value customers, all simultaneously," says Jude O'Reilley, product marketing manager at Seattle-based Aventail Corp., a developer of extranet management and security software. "The first application deserves the strongest protection, even if there are performance costs," he says. "It might be appropriate to impose precise rules for determining who can connect to whom and from where, when to use strong encryption and when to authenticate the accesses with hardware-based tokens." Marketing data is a little less sensitive, so digital certificates (the authentication technique built around public key encryption) might be used because they are cheaper than hardware tokens, according to O'Reilley. "And the rules governing accessing might be relaxed," he adds.
With information sharing, where the information is semipublic, ease of use, performance and accessibility are all priorities. "You might authenticate with passwords or PINs and allow connections from anywhere," says O'Reilley. "In short, extranet security is inherently resource-centric." All this requires as much creativity from security management as from the technical staff. For instance, Quantum Corp., the Milpitas, Calif., manufacturer of storage products, has blurred the distinction between intranets and extranets by creating a single online security infrastructure.
Quantum.com's architecture separates user administration from access administration. By doing so, user administration can be distributed to those inside or outside the company who know who a given user is and what roles should be assigned to him. Access administration is also distributed, thereby allowing content publishers and application owners to select which roles should have access to their information. For example, a sales rep can add a new customer to the system and assign the role "distributor." Then, when publishing new distributor materials, the marketing manager simply indicates that content should be visible to all distributors.
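The separation described above can be made concrete in a small role-based model. The following Python is an added illustration, not code from Quantum or from the enCommerce product it used; the administrator, user, role and document names are constructed for the article's sales-rep and distributor scenario.

```python
"""Role-based extranet access with separated administration (constructed example).
User administration (who holds which roles) is delegated to people who know the
user; access administration (which roles see a resource) to the publisher."""
from dataclasses import dataclass, field


class AuthorizationError(PermissionError):
    """Raised when an administrator acts outside their delegated remit."""


@dataclass
class UserDirectory:
    """User administration: roles per user, and which admins may grant which roles."""
    roles: dict = field(default_factory=dict)      # user -> set of roles
    grantable: dict = field(default_factory=dict)  # admin -> set of roles they may assign

    def add_user(self, admin: str, user: str, role: str) -> None:
        # A sales rep can enrol a "distributor" but cannot hand out, say, "hr_outsourcer".
        if role not in self.grantable.get(admin, set()):
            raise AuthorizationError(f"{admin} may not assign role {role!r}")
        self.roles.setdefault(user, set()).add(role)


@dataclass
class AccessPolicy:
    """Access administration: allowed roles per resource, controlled by its owner."""
    owners: dict = field(default_factory=dict)   # resource -> owner
    allowed: dict = field(default_factory=dict)  # resource -> set of roles

    def publish(self, owner: str, resource: str, roles: set) -> None:
        # The first publisher becomes owner; nobody else may later change the roles.
        if self.owners.setdefault(resource, owner) != owner:
            raise AuthorizationError(f"{owner} does not own {resource!r}")
        self.allowed[resource] = set(roles)


def can_access(directory: UserDirectory, policy: AccessPolicy, user: str, resource: str) -> bool:
    """Deny by default: the user needs at least one role that the owner allowed."""
    return bool(directory.roles.get(user, set()) & policy.allowed.get(resource, set()))


def demo(doc: str = "distributor_pricing.pdf") -> dict:
    """The article's scenario: a sales rep enrols a distributor, marketing publishes to distributors."""
    users = UserDirectory(grantable={"sales_rep": {"distributor", "customer"}})
    policy = AccessPolicy()
    users.add_user("sales_rep", "acme_corp", "distributor")
    users.add_user("sales_rep", "retail_shop", "customer")
    policy.publish("marketing_mgr", doc, {"distributor"})
    return {u: can_access(users, policy, u, doc) for u in ("acme_corp", "retail_shop", "stranger")}
```

The sales rep never touches the access policy and the marketing manager never touches user roles, yet the distributor material reaches exactly the distributors.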
Managers do not have to code their way through these problems unaided. Over the past year, a number of powerful new security management tools designed for extranet applications have emerged. In general, they allow managers to build a profile of security procedures from a pool of possibilities and then tie that profile to specific data resources, applications, user groups and network components (such as ports) over a wide range of scales. Quantum built the system described above with enCommerce Inc.'s getAccess; Kodak uses Aventail's ExtraNet Center to manage its busy system. Another example might be Differential Inc.'s Extranet Creator, which features a system of nonrepudiatable eReceipts that confirm whether specific downloads have or have not taken place.
Perhaps the most notable indication that more powerful security management tools are needed is a rising interest in digital certificates (often called digital signatures because they are analogous to a signature). But in the extranet context, they work more like private label passports: they are issued by an authority (usually representing the data owner or owners) and given to a user or class of users, who then present them to certify their right to a given access.
Digital certificates are relatively cheap, transparent to the end user (once the initial qualification and software download have been completed) and easy to manage. They can be issued or revoked to whole classes of users or applications with a mouse click, and they scale readily. Any organization, team or individual can issue its own certificates, and any group can agree to share a common certificate authority, mutually authenticating each other's users.
For all these virtues, digital certificates never quite took off before.
Certificate management was difficult on the wide-open Internet, and intranets are so tightly controlled that many alternatives are available. However, over the last year, a number of innovative extranet implementations of the technology have been announced, suggesting that certificates are a workable solution for the problems raised by this networking medium.
For instance, GTE Corp. recently finished a large network upgrade for about 35,000 members: its agents and companies in the North American insurance industry. Since the members of this network can be both competitors and partners, they need to be able to draw secure perimeters around any group. The network establishes a single networkwide certification authority that any member can use to authenticate data requests from any other member. At the same time, any company can issue its own private certificates, allowing it to raise security barriers against the other members.
Digital certificates are also flexible. The New Zealand Ministry of Health is completing a system in which all the country's health care providers, from rural clinics to urban hospitals, will use digital certificates to authenticate requests for patient information. Ensuring the privacy of this information is important. In order to qualify for one of these certificates, an applicant must present himself physically at an office, show a real passport and fill out 30 pages of forms, according to Yogesh Anand, information systems manager at the New Zealand Health Information Service, a group within the Ministry. The systems management software for the Ministry network is Enterprise Application Server, supplied by Emeryville, Calif.-based Sybase Inc. The digital certificate technology uses Entrust/PKI by Entrust Technologies in Plano, Texas.
Probably the largest implementation of the technology to date is by Scotiabank of Toronto, which is using digital certificates to authenticate one-stop access by 100,000 of its customers to all the bank's services from balance checking to funds purchases. This service is also built on Entrust/PKI, which is in turn secured by Hewlett-Packard Co.'s Virtual Vault. Scotiabank developed its own tweak of the technology, which it called "anonymous certificates." These certificates will not reveal the user's name and address even if the codes protecting their contents are broken. The bank plans to use this system as the security foundation for all its own online offerings and those designed with business partners.
One disadvantage of certificates is that, since they are typically client-based, all that is really being authenticated is a computer, not a user.
In theory, anybody could be using that machine. This problem can be addressed by including a password request in the process or by using data taken from objects that are carried on the person of the user. An example of the latter is the token card, a special calculator that displays a constantly changing code that can be entered from any keyboard. Smart cards are another solution, though they require swipe readers. Neither technology is perfect for a wide range of extranet applications, since both are fairly expensive. Still, prices in this sector should come down over time, and it is worth noting that Security Dynamics Technologies Inc., the leading manufacturer of token cards, has recently announced both a smart card (the SecurID 1100 Smart Card) and a suite of public key products (Keon) that are integrated with its token cards.
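The two layers described above, a machine-bound certificate plus a code from a card carried by the user, can be shown in a short server-side check. This Python is an added example, not code from any vendor named in the article: the trusted certificate subject and user name are constructed, and HOTP (RFC 4226, with its published test-vector seed) is assumed as an open stand-in for the token cards' proprietary code generators.

```python
"""Token code layered on a certificate-based login (constructed example).
The client certificate proves a trusted machine key made the connection; the
token code proves a person holding the card is present. HOTP (RFC 4226) stands
in for the proprietary code generators of the token cards named in the article."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_token(secret: bytes, last_counter: int, code: str, window: int = 5):
    """Accept a code from the next `window` counters (the card may have been used
    without a login). Returns the matched counter, or None; the caller must store
    it so the same code can never be replayed."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


# Constructed enrolment records. The subject is what a client certificate really
# authenticates (a machine); the seed is the RFC 4226 test-vector secret.
TRUSTED_CERT_SUBJECTS = {"CN=payroll-ws-07,O=Example Outsourcer"}
TOKEN_SEEDS = {"alice": (b"12345678901234567890", 0)}  # user -> (seed, last counter)


def authenticate(cert_subject: str, user: str, code: str) -> bool:
    """Both layers must pass: a known machine certificate AND a fresh token code."""
    if cert_subject not in TRUSTED_CERT_SUBJECTS or user not in TOKEN_SEEDS:
        return False
    seed, last = TOKEN_SEEDS[user]
    matched = verify_token(seed, last, code)
    if matched is None:
        return False
    TOKEN_SEEDS[user] = (seed, matched)  # advance so this code cannot be reused
    return True
```

A valid code from an unknown machine, or a replayed code from a known machine, both fail, which is the point of layering the two factors.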
A number of manufacturers suspect that extranet authentication will, at least in part, rest on biological attributes of the user such as voice, face, handwriting or fingerprint recognition. The advantage of such biometric measures is that, because all users have such attributes, they can be employed over large populations and in situations where keyboards and even PCs are not available. A representative vendor is Quintet Inc. in Cupertino, Calif., which sells a signature recognition package that works with PDA-type pads.
One downside of biometric authenticators is their sensitivity to circumstances.
Voice recognition fails in noisy environments; face recognition degrades quickly in dim light; fingerprint recognizers are stymied by dry hands, and so on. Keyware Technologies of Woburn, Mass., offers LBV (Layered Biometric Verification), which integrates management of several biometric technologies and other authentication techniques, allowing each to be used in its optimum environment.
Security managers welcome the transition from intranets to extranets.
Historically, most employees saw security procedures as a burden and conformed grudgingly, if at all. Extranets change security from a burden imposed on employees to a service demanded by extranet partners concerned about protecting their privacy. This changes the role of the manager from the person who takes away the punch bowl to the person who makes the party possible.