Not by Software Alone

Would you feel comfortable wiring $10 million over the Internet? Are user name and password methods enough to secure global e-commerce? Given the open nature and vast scope of the Web, how can banks' electronic traffic be safeguarded from vandals, thieves and terrorists?

To assure that transactions remain safe from fraud, banks are gravitating toward the high-tech solution known as Public Key Infrastructure (PKI), a term that refers to various cryptographic digital systems that work in concert. When put into effect properly, PKI greatly improves the security of electronic transmissions of all types. Gartner Group's Dataquest research subsidiary has predicted that PKI product and service markets will reflect compound annual growth rates of about 80% through 2002.

To understand PKI, consider the traits of a decidedly low-tech vehicle for messages: a paper letter sealed in a paper envelope, addressed by someone with recognizable handwriting. A postmark and a 33-cent investment complete a picture analogous to a PKI framework.

To an extent, the handwriting authenticates the sender, and the sealed envelope assures confidentiality and evidence of tampering. The postmark time-stamps the communication. The condition and contents of the letter inside will reveal, again with limitations, whether the letter has been tampered with and if the message is intact.

Such a system is cost-effective for communications that are not especially time-sensitive or that don't require much security. For more money, the sender might opt for overnight services, where another trusted third party handles the transaction, and the letter's movement can be tracked.

An effective PKI should address, as a minimum, the following issues:

  • Privacy: ensures that two parties send and receive data without any other party gaining access to it;
  • Authentication: ensures that the communicating individuals or entities are who they claim to be;
  • Non-repudiation: ensures that electronic events, such as signed contracts and wire transfers, cannot be disavowed;
  • Access: 24-hour-a-day, 7-day-a-week availability to people with authorized access to particular services;
  • Scalability: allows a secured network to expand as demand increases;
  • Security: beyond privacy, ensures confidentiality using physically and electronically impregnable links over private and public networks, such as intranets, extranets and the Internet.

Well-designed PKI-based security systems focus much more on process than product. Once a PKI system has been properly implemented and key people trained, the weak link in the security chain becomes the very personnel entrusted with the job of maintaining and managing the system. In fact, the algorithmic mathematics underlying modern PKI provides the strongest link in the security chain. Consider the four-digit password used to access ATMs. A criminal would have at most 10,000 combinations to try. Apply this method electronically to the strongest PKI encryption techniques: One could put a million PCs on the job for a million years and have less than a one-in-a-million chance of cracking the latest PKI coding.
With PKI, parties conduct transactions by attaching digital certificates to a message. These are authenticated by digital signatures comprised of coded ciphers--unique collections of digits. Since Oct. 1, digital signatures have carried the same contractual weight in the U.S. as traditional signatures.

Digital certificates are issued by certificate authorities (CA). These could be any PKI-equipped entity that garners a commercially broad base of trust. For a trading partner to be issued such certificates, it must authenticate itself through a vetting process.

Once certified, a person or company usually identifies itself in an initial communication, and the receiving party associates it with a given digital signature (as part of a digital certificate). Attaching an encrypted identifier to transmissions prevents hackers from reading or altering the content of the transmission.

While a digital signature represents a private key to unlock an encrypted message, the process also requires a "public key" to transmit the message through cyberspace. The appropriate public key is listed in a public directory. In stretching the sealed letter analogy, only a specific type of letter opener, the private key, would gain access to the message delivered through a public conveyance.
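The certificate-and-signature mechanics the preceding paragraphs describe, as an added example written for this edit (not code from the article or from any vendor it names): a bank acting as certificate authority issues a certificate to a trading partner, the partner signs a wire instruction with its private key, and the bank checks both that the certificate chains to its own root and that the signature matches the message. It assumes Go's standard crypto/x509 library, Ed25519 keys, and constructed names, serial numbers and messages.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert: the CA binds name to pub in a certificate signed with caKey (parent nil = self-signed root).
func issueCert(serial int64, name string, pub ed25519.PublicKey, isCA bool,
	parent *x509.Certificate, caKey ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, // only a certificate marked CA may vouch for others
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err) // demo only: a real CA would log and refuse issuance rather than crash
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by Go just above always parses
	return cert
}
// verifyTransaction: chain the sender's certificate to the trusted root, then check sig over msg; any failure rejects.
func verifyTransaction(root, sender *x509.Certificate, msg, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := sender.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false // untrusted issuer, expired, or altered certificate
	}
	pub, ok := sender.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, msg, sig)
}
// Demo: bank CA certifies a partner, partner signs a constructed wire instruction; genuine passes, tampered fails.
func Demo() (genuineOK, tamperedOK bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	root := issueCert(1, "Example Bank CA", caPub, true, nil, caKey)
	partnerPub, partnerKey, _ := ed25519.GenerateKey(rand.Reader)
	partner := issueCert(2, "Trading Partner", partnerPub, false, root, caKey)
	msg := []byte("WIRE USD 10000000.00 FROM ACCT-1 TO ACCT-2") // constructed sample
	sig := ed25519.Sign(partnerKey, msg)
	tampered := []byte("WIRE USD 10000000.00 FROM ACCT-1 TO ACCT-9") // one character changed in transit
	return verifyTransaction(root, partner, msg, sig), verifyTransaction(root, partner, tampered, sig)
}
```

The signature proves who sent the instruction and detects any alteration of it; keeping the content unreadable in transit is a separate encryption step, which is the part of the article's letter-opener analogy the private key "unlocks".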

At PNC Financial Services Group, Carl Kriebel, technology manager, recalls how things worked at his institution before PKI. "From an authentication perspective, in the distributed environment we had passwords and secure token ID for high-risk systems," he reports. "PKI was viewed as a solution that removed some of the cumbersome nature of token ID for the customers."

PNC decided in early 1999 to invest in PKI as a way to streamline security operations. "The cost/benefit results were good, and PNC went ahead," Kriebel says. "With PKI, we provide payment facilitation over the Internet."

Citing the Pittsburgh-based bank's intention to become a certificate authority, he adds, "One question is: How do we manage the ramifications of becoming a CA?"

Kriebel chairs PNC's PKI infrastructure steering committee, which he describes as "kind of a think-tank for understanding what our opportunities might be. This evolved into sharing communications about leveraging technology." He and his colleagues have learned from their counterparts at other institutions, including Wachovia Corp. and Wells Fargo & Co., which Kriebel calls "pretty forthcoming." He says, "The next step was to run some pilots internally, and then expand to leverage CA capability."

For a bank seeking to establish a stand-alone CA, which may make sense for the largest banks, the attributes of the system must be determined. Who is to use the system? How many levels of security are needed? Where and how should communications be time-stamped? Which networked pathways will be used to send secured data? Should the bank establish a stand-alone PKI or a shared system? How should a trading partner certificate be revoked?

Given the complexity, banks may find the prospect of setting up PKI in house too daunting or too limiting. One solution is to have a specialist take care of virtually every aspect of set-up and day-to-day operations on an outsourced basis.

Whether creating an in-house PKI system or outsourcing it, skepticism is warranted, according to Bruce Schneier, a founder and chief technology officer of Counterpane Internet Security Inc. of San Jose, CA, which provides managed security monitoring services. He advocates careful consideration of the whole PKI process, and takes nothing in the security chain for granted.

Outsourcing doesn't necessarily mean going with only one PKI vendor. Different kinds of software can be layered on top of the basic infrastructure. And because the whole point of PKI is to facilitate secure communication among disparate systems, it's also crucial that trading partners use compatible technology.

One company working on this front is New York-based Identrus LLC, a consortium of financial institutions that was launched in 1999 by ABN AMRO, Bank of America, Bankers Trust (since acquired by Deutsche Bank), Barclays, Chase Manhattan, Citigroup, Deutsche Bank and Hypo Vereinsbank. Others, such as Wells Fargo & Co. and Sanwa Bank, have signed on since then.

Identrus calls itself "a global interoperable system for identity trust in B2B e-commerce." The point of the system, says Laura Rime, vice president of marketing, is that "a business may be assured of the identity of a trading partner, whether it is a known partner or not."

Not surprisingly, Rime recommends that banks choose a third party to monitor their PKI activity to lessen the effect of a good employee gone bad (or just sloppy). "If there is a tech breach, we have an operations process to catch that," she says. "And similarly, there are policy and legal controls over operations. These elements balance each other so you shouldn't have too many concerns about any one piece."

PKI for Dummies

The combined use of digital certificates and digital signatures is often referred to as public key infrastructure, or PKI. Digital certificates, once quaintly likened to "drivers' licenses for the Information Superhighway," are data records about individuals or businesses that are issued by widely trusted entities (such as the Department of Motor Vehicles). Banks are competing to act as such trusted entities online in the role of Certificate Authority, or CA.

The software certificates issued by CAs typically provide the bearer with the means to digitally "sign" off on electronic transactions. These "signatures" have nothing to do with physical signatures. They are actually encryption routines intended to make online transactions legally binding because they effectively guarantee that the transacting parties are who they say they are and that their correspondence wasn't interfered with in transit.

The chance of cracking the encryption cycle (signature) is almost impossible. The more likely danger is that the certificate, containing the signature, will make its way into the wrong hands, either by being issued in error or by being stolen.

-- Orla O'Sullivan

Consider this plausible scenario: Jane, marketing chief, catches up on data mining problems by transferring proprietary data from an in-house server to her laptop computer. If she's doing this work at home, does she ask the CIO to have her laptop made secure with the bank's new PKI tools? Or does she keep quiet, risking her job while carrying unsecured customer information outside the bank's perimeter? If she does come forward, do bank policies even permit that she make the data transfers? Jane may just have to work late in the office.

Banks that prefer to manage their own PKI, of course, still need products to generate, store and manage the keys that are at the heart of these systems. One such tech provider, Baltimore Technologies plc, based in Dublin, Ireland (with a U.S. headquarters in Needham, MA), is another firm believer in the process approach to PKI. Despite the fact that banks are notoriously conservative and slow adopters, "the bank market is ripe for the fine grain security of good PKI," intones Andy Morbitzer, vice president of marketing.

"The biggest barrier is still education. Tech standards will remain pretty much as they are, much like how the world adopted the internal combustion engine--you can tune it to make it go faster, do other things to it to make it more efficient, but it remains essentially the same thing. Secure trading partners first as a way to justify the expense," Morbitzer continues.

"Align the expense with securing the revenue stream. Don't make the mistake of putting a return-on-investment on PKI. PKI becomes part of your overall infrastructure but it does not depreciate like other assets might," he says.

As the Web extends to every commercial corner of the globe, so do the legal ramifications. Given the explosion of online commerce, every industrialized nation has had to scramble to institute laws covering e-commerce. A good PKI provider, whether a consultant or technology supplier, should have cogent answers to questions about indemnities, liability limits and sovereignty over digital signatures.

For instance, it was only in the past two years that the U.S. relaxed its rules on importation and exportation of cryptographic products. Other nations' rules may vary as widely as their cultures. How to tread carefully into foreign territories is yet another cog in the process machinery of effective PKI.

Policy should loom large on the agenda of any PKI-bound bank, says Rob Clyde, vice president of security for Rockville, Maryland-based Axent Technologies Inc. The e-security expert hopes that banks take a "holistic, life-cycle approach to security, all centered around policy. Policy hinges on how to balance the cost of security measures with the level of exposure you are ready to accept. We want to get the fraud level down to a fraction of a percent, so that such events can be worked into costs."

John Ryan, chief executive of Entrust, another leading PKI supplier, takes a different approach. Plano, TX-based Entrust's approach reverses Baltimore's implementation priorities. "Initially the goal is to secure internal operations, then trading partners, and then bill payments and presentment, plus mortgages online," Ryan asserts.

"Start with the cash management system, then secure internal e-mails and forms with two-way authentication. Authorization and signing with digital signatures and then notarize for non-repudiation," Ryan says. "Customers have the ability to use all or a portion of these processes for each transaction."

As an example of the new efficiency, Ryan cites a mortgage-backed security offering. "It typically takes 21 days of contracts back and forth by conventional means. Now it's down to two days using authentication and digital signatures," Ryan says. "The digital certificate replaces the password, so the customer doesn't have to remember a password, nor can one be guessed or hacked to gain entry. Each certificate can be tailored to reflect different levels of access."

It's not just direct competitors that put pressure on banks to get wired into PKI. Both non-bank competitors and customers are spurring the move as they do more and more business over the Internet.

Take Ruesch International Inc., which specializes in global payment services. Ronald Szoc, chief information officer, says, "In 1996, we perceived the Internet to be more than an entertainment medium. In 1997, we expanded that to embrace e-business, providing all employees with Internet access. Internal transactions over the Internet backbone came first, then we went to clients as another channel."

Szoc believes that once tested and de-bugged, PKI promotes "all stages of e-commerce to be conducted online, as opposed to taking some of a transaction--the legal part, for example--off-line," Rime says. "Our members must meet certain technical criteria. They must have a separate data center, a set of operating rules and technical specs."

As for the costs involved in PKI, most banks run pilot programs, which cost about $100,000 on average. Expect a typical enterprise-wide PKI to run into the low seven figures. More and more, there is a strong actuarial element to pricing PKI implementation. "Tables of risk are being devised to cover this sort of thing," Morbitzer says. "Five years from now the picture will be much clearer, but in the meantime, banks have to do something."


John C. Hallenborg is a freelance writer living in southern California.
