Digital Certificates Find New Uses Inside the Firewall

Originally, digital certificates seemed destined to be the end-all security mechanism for business-to-business and customer-to-business e-commerce transactions. Using 128-bit encryption technology, these Internet equivalents of passports, driver's licenses or signatures offer a secure means of authenticating that online users are who they say they are.

Digital certificates have not yet caught fire in the e-commerce world, but the technology is finding uses in other corners of the business world. Digital certificates are gaining prominence as security vehicles within intranets, extranets, VPNs and other internal or closed networks. "There's not a lot going on between companies and customers with digital certificates," says David Stewart, a director at Global Concepts (www.global-concepts.com), an e-commerce security consulting firm. "However, many companies, particularly financial institutions, are looking at digital certificates for identifying applications, machines, and servers, as well as individuals within the organization."

The certificates are based on public key infrastructure (PKI) technology: a certificate authority (CA) issues and processes each certificate, creating a pair of electronic keys used to encrypt and sign digital information. A company can contract with a third party to act as a CA, or take on the role itself. Much of this technology is finding its way into Microsoft Windows NT environments. Entrust Technologies Inc. (www.entrust.com) recently integrated its software with Microsoft Site Server 3.0 Commerce Edition, and Entrust/PKI 4.0 extends the security of applications such as secure e-mail and secure remote access to other critical business applications as required.

Microsoft Corp. also offers an extension to the SSL security protocol called Server Gated Crypto, which provides a server with the ability to switch on 128-bit encryption if a digital certificate is present. Digital certificate technology is incorporated into Microsoft's and Netscape Communications' browser offerings. Some leading certificate authority providers include CertCo (www.certco.com), GTE Internetworking (www.bbn.com), IBM Corp., VeriSign Inc. (www.verisign.com), and Xcert International (www.xcert.com).

Companies are discovering that the uses for the technology are boundless. "We're finding quite a number of ways to use the certificates," says Parker Foley, vice president of electronic commerce at First Union Corp. (www.firstunion.com/home-d.html), summing up the experiences of many of the technology's early adopters. First Union deploys digital certificate technology in data exchanges between applications and departments, and it works with VeriSign for digital certificate software and outsourced services.

Although First Union is not yet ready to provide online retail customers with digital certificates, Foley reports that he is working with the company's business units to develop secure transactions between departments and applications -- anything that involves the movement of data across an open network. In some cases, digital certificates are being employed "for applications to identify themselves to a database server, so the database server knows it's the right application, and what it has permission to access." First Union also has initiatives under way to enable inter-departmental exchanges of secure FTP documents and secure e-mail with digital certificate technology, says Foley.

Other companies are cautiously exploring the technology with internal applications, too. Southwest Securities Group Inc. (www.swst.com), a leading investment services company, plans to issue certificates to employees for use in securing e-mail, communications, and remote access. The company will then launch a limited pilot program in which it will issue certificates to customers for a simple enrollment and administration process. "More and more of our business is conducted over the Internet, and our security and privacy needs have increased," says Patrick Bouldin, telecommunications manager at Southwest Securities.

With more companies relying on Web applications, it makes sense to use some type of certificate technology, says Ted Julian, vice president at Forrester Research Inc. (www.forrester.com). "I don't see how anybody who's doing anything significant would have no plans to ever use digital certificates," he says. Experts warn, however, that the process of implementing digital certificates is complicated and potentially expensive, whether a company outsources the process or implements the technology internally. "This isn't an impulse-buy kind of technology, and not a trivial process," Julian says. Digital certificate rollouts can range up to $4.2 million for 20,000 users, according to estimates from Forrester Research.

The certificates need to be stored in directories or repositories along with policies that establish levels of access to online applications. Plus, if a company is acting as its own CA, the implementation and management of "the encryption algorithms that unwrap the certificates and check the public keys is a technical headache," Global Concepts' Stewart notes.