The issue of security has gone from afterthought to top issue in the minds of most IT managers. In the age of Internet commerce, few people question the need to ensure secure transactions or doubt the havoc that security breaches can wreak. Security is, in fact, a top issue at IBM, where electronic business was born.
In particular, the company today is looking at how two complementary technologies - directories and public key infrastructure (PKI) - can work together to build safe havens for business. IDG's Matt Nelson recently spoke with Mark Greene, vice president of security at IBM's security business unit, about these two technologies as security enablers.
IDG: What is going on out there in the industry that is going to be the big issue?
Greene: I think there are two developments in the world of security that are making the Internet ready for e-business. And that's the maturation of directory technology and of PKI. So we're looking for LDAP [Lightweight Directory Access Protocol] directories to come into [their own] and for PKI certificate authority technology to come into its own.
What is IBM's stance on both? They are two separate technologies that are tied together closely. Is that going to continue?
Yes, in fact we believe that directories and PKI should be very closely coupled. We're working both in industry [forums] and within our products to make that true because a directory is an obvious place to store the public keys of the parties you certify. So we're really working through the Directory Interoperability Forum (DIF) and through the PKI with the IETF (Internet Engineering Task Force).
What are the biggest issues with directories specifically that IBM needs to address?
We have seen from GartnerGroup and others that a typical Fortune 500 firm has as many as 170 directories, so the number one challenge is making sense of it all and connecting them. These are called meta directories: a directory of directories that you can [use to] get a single view; you can find a Matt Nelson wherever he may live throughout the organisation. We announced meta-directory services in July at IBM to help companies assemble their meta-directory technology.
Meta directories have been sort of controversial in the directory vendor space. Some people feel that what is needed is not a meta directory that can link a whole bunch of different directories, but the ability for those directories to interoperate themselves.
I think that's right. Interoperability is the key. We believe, as does most of the rest of the industry, that LDAP is the key to that interoperability, and that's really the technology that the newly formed DIF is focusing on. So you don't have to make everything run off a common directory. You don't even have to have the same vendor software in use everywhere so long as all of the directories are LDAP compliant.
Recently, along with the DIF forming, another group formed around the Directory Services Markup Language (DSML), which is using Extensible Markup Language (XML). What is IBM's stance on this, and how is this going to affect the work being done with the DIF?
They're not necessarily incompatible. LDAP talks about the way in which directory information is represented and stored. XML talks about the way it can be marked up. So DSML is an approach to representing information that could then be stored in an LDAP directory. So these are both new technologies. We have a fair amount of work to do to make sure they can coexist, but we view them as complementary, not competitive.
To step into the PKI area then, what is the biggest issue with the implementation of PKI systems?
Two sorts of challenges arise in PKI. One is ensuring interoperability between different vendors' certificate authorities, so that a certificate from IBM can be recognised and interoperate with one from another vendor. In this area, the work of the IETF around PKIX [Public Key Infrastructure Exchange] is very important.
The larger challenge is making sure that PKI actually can be used by business applications. It's very important that organisations be able to actually use PKI for productive purposes, and for this reason we have announced a service offering to help companies implement PKI and bring business applications up and running within three weeks.
Why is PKI important?
The first rule of doing business is you should always know your customer; know who you're doing business with. In some profound sense, the first rule of the Internet is you can't, because you don't see them. PKI is the preferred approach to managing that risk, to establishing trust in the world of e-business where you can't see the person on the other end of the wire.
What is required in a PKI system to make it operate?
PKI systems consist of a directory, a certificate-issuing technology that can place certificates for the public keys in the directory, and finally a component that can manage those certificates over their life cycle so that a certificate can be renewed or revoked as business conditions require.
Has the installation of PKI systems or architectures been a quick and easy thing?
Until recently there have been a fair number of technical challenges in implementing PKI, which is why these up-and-running programs are so important to helping businesses grapple with them. Going forward, I suspect the main challenges will be in the area of business processes - thinking through the risk management practices and the liability issues that arise in this world of PKI.
When do you see the use of directories and PKI for security being so well entrenched in networks and corporations that it is no longer an issue?
The adoption rate of PKI and directories will vary. Some segments, such as the banking world and many government sectors, are well along and promise to accelerate their use in the next year, after year 2000 challenges are behind them.
Other industries will take longer, but we will see mainstream usage next year.
What is the first thing that companies should do to prepare themselves for deploying a directory system or a PKI system, if they haven't done so already, and why should they?
The first thing they should do is actually engage the part of their business that manages risk and is responsible for anything such as profit and loss and fraud. At the end of the day, these are technologies that help you to secure and manage e-business transactions, and they need to be addressed as business questions and not as technology.
With that in mind, what kind of ammunition would you put in a user's hands as he goes to a group and says, "Here is what we need to install; it is not going to be easy, but it is going to be necessary"?
There's long been a tradition in security that you should invest in proportion to the risk you are trying to protect against.
Understanding the risks of e-business transactions is essential in justifying investments in directory and PKI and especially in the world of business-to-business transactions.
Are we going to see security becoming a bigger and bigger issue in IBM's general overarching e-business?
Absolutely, we continue to see that about 80 per cent of customers remain concerned with security, both in their e-commerce transactions, buying and selling over the Internet, but even more so in their e-business transactions, which surround the commerce experience with customer service and support, supply chain management and electronic procurement.
Those types of activities really have a very strong need for security, in large part because they represent a very substantial financial risk.