The Y2K glitch - and the many potential vulnerabilities it introduced - convinced IT managers of the growing importance of security in the enterprise. And as more companies turn to e-commerce, they'll need a solid, large-scale security system. If you hope to foster a successful electronic-business climate in 2000, one in which business partners and customers will want to participate, you must create and ensure end-to-end trust across online transactions. With a public key infrastructure (PKI) solution, you can bolster your security efforts through data encryption, digital signatures, and authenticated transactions.
Entrust/PKI 5.0, the latest release of Entrust Technologies' flagship PKI management product, can easily integrate into your existing security model and lock down your entire electronic-business infrastructure from a business partner's desktop to your back-end legacy applications. Proficient at automating such tasks as certificate enrollment, renewal, and revocation, Entrust/PKI offers businesses a means of reducing the overhead associated with administering such a deployment.
Even though several improvements in Entrust/PKI 5.0 are made to catch up to the pack, it boasts some impressive features, including support for hierarchical and peer-to-peer certificate authorities, a facilitated way of migrating users between them, and a solid implementation for addressing backup and recovery.
It is now on par with competitors, most notably Baltimore Technologies' UniCERT, and boasts one of the easiest-to-manage interfaces and key backup facilities I've seen. And its range of add-ons for security hardware and for integrating back-end data sources and legacy applications surpasses VeriSign's offerings. But it's about twice the price.
And, unlike GTE CyberTrust and VeriSign certificates that will no longer work in Version 4.x or earlier browsers, Entrust certificates will work until 2003, thanks to a recent cosigning partnership with Thawte.
Because Entrust/PKI's start-up costs (around $US200,000) present a formidable hurdle and the learning period to tailor this system beyond a rudimentary setup is hefty, this application is best suited for large-scale enterprise deployments that require solid e-business security.
The Entrust solution bundles public directory services through a PeerLogic i500 directory store and sits on top of an Informix database to manage, authorise, and securely store certificates and key pair data. Entrust/PKI additionally supports any Lightweight Directory Access Protocol (LDAP)-compliant directory service for secure directory networking.
The straightforward interface allowed me to quickly set up my PKI, including easy integration of the LDAP store; to define traditional roles, such as Security Officer, Administrator, and Auditors; and to administer base keys - with little effort. I found the setup of the Certificate Authority (CA) to be one of the easiest I have implemented.
The Entrust/PKI CA provides for the actual creation of certificates and encrypted key pairs and transparently manages the database. It can also be extended to support many popular cryptographic hardware configurations. In my testing, I was able to easily construct multiple CAs and, from the straightforward interface, build trusted relationships (cross-certifications) between them.
Entrust/PKI now supports hierarchical CAs (one root with multiple subordinates) as well as peer-to-peer certifications, which is ideal for the direct validation of business partners, for example. Improvements in key management provide for user-transparent updating of CA keys prior to expiry and auto-renewal of certificates. Entrust/PKI's capability of transferring users between different CAs, including the exporting and migration of keys, is impressive.
Entrust/RA, the request authority, is the hub for graphically defining the parameters of your PKI. From the interface, I was able to quickly log on, using my previously defined administrative profile, to access audit logs, directory and user settings, key issuance, and policy definitions, as well as to build user groups and revocation lists stored in the LDAP directory. With the ability to set your administrative permissions with per-user granularity, you can delegate management responsibilities across the organization without compromising security.
Key backup and recovery capabilities were all transacted easily and reliably. With a well-integrated archiving mechanism, this is the easiest implementation that I have seen for seamless backup and recovery. Additional bulk-operation capabilities for key recovery and certificate revocation would make easy work of segueing entire departments or business partners into the fold.
A new component to the Entrust family is Desktop Solutions 5.0. This add-on starts at $43 per user and provides capabilities for Windows environments to sign and encrypt e-mail, files, and folders, as well as a single sign-on feature. I was also impressed with the Entelligence component. By integrating the Entrust and Windows logins, Entelligence supplies single sign-on access across all Entrust-readied applications, simplifying the user experience. I could customize user security at the desktop by letting this plug-in transparently manage and enforce policies, certificates, and workstation security.
In addition, I previewed an add-on, AutoRA, that gives users the autonomy to self-enrol for certificate issuance and recover lost keys by using an automated Web-based form. It works with the Entrust Desktop and Web Connector solutions to automate these tasks without the need for administrative intervention and is indispensable for enterprise-scale PKI consideration. The reduced overhead on your security officers for adding new enrollees and recovering lost keys makes the feature worth the investment.
Although still in beta, I found AutoRA to be somewhat slow compared to comparable solutions from Baltimore Technologies, likely due in part to the former's Java-based construction. Additionally, with limited Web-server and browser support, many organisations may find themselves upgrading browser and server configurations in order to meet the minimum requirements of this add-on.
Entrust bundles many different solution-specific components, several of which overlap in functionality. And, although Entrust says its PKI solution supports new features such as Entrust/Roaming access, many supported features require an additional investment.
Combined with good reporting and auditing options, and one of the largest stables of partnered solution providers in the market, Entrust's solid, scalable solution to PKI will serve to reduce PKI administrative costs and improve security across a flexible breadth of e-commerce applications as we move into the next century.
PKI is short for public key infrastructure, a system of encrypting, authenticating, and validating network transactions through certificate authorities and digital certificates. Through this standardized system, you can verify and authenticate the legitimacy of all parties and applications engaged in a transaction.
A trusted certificate authority issues a user a unique digital identifier - a digital certificate. The encrypted certificate establishes the credentials of the holder, which can then be proffered to gain access to networked information and resources, as well as to encrypt communications.
Extended to the Internet, PKI supplies the required components for building end-to-end trust and privacy across e-business transactions. Partnered suppliers and end users outfitted with digital certificates are guaranteed tamper-proof communications across their transactions.
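The review's description of hierarchical CAs and peer-to-peer cross-certification, and the sidebar's account of a CA vouching for a holder's credentials, both come down to one mechanism: a relying party walks the issuer links from a certificate up to a root it already trusts, checking each signature on the way. The following Python is an added example for this page, not Entrust's code or anything from Entrust/PKI 5.0. It uses textbook RSA (no padding, short keys, generated from a fixed seed so the run is deterministic) and a constructed, simplified certificate record rather than a real X.509 encoding; the CA names, user names, and the `revoked` set are all invented for the scenario.

```python
"""Chain validation across a CA hierarchy and a cross-certified peer CA.

Added example; textbook RSA and a constructed certificate record,
for illustration of the trust-path logic only (not a real X.509 stack).
"""
import hashlib
import math
import random
from dataclasses import dataclass


def _probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin primality test with trial division for small factors."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand, rng):
            return cand


@dataclass(frozen=True)
class KeyPair:
    n: int
    e: int
    d: int


def generate_keypair(rng: random.Random, bits: int = 320) -> KeyPair:
    """Textbook RSA key pair; the modulus must exceed 2**256 so a SHA-256 digest fits."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return KeyPair(p * q, e, pow(e, -1, phi))


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    pub_n: int
    pub_e: int
    is_ca: bool     # like basicConstraints: may this key sign other certificates?
    signature: int  # issuer's signature over the to-be-signed fields above


def _tbs_digest(subject: str, issuer: str, pub_n: int, pub_e: int, is_ca: bool) -> int:
    tbs = f"{subject}|{issuer}|{pub_n}|{pub_e}|{int(is_ca)}".encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big")


def issue(issuer_name: str, issuer_key: KeyPair, subject: str,
          subject_key: KeyPair, is_ca: bool) -> Certificate:
    """The issuer signs the subject's public key and attributes.
    A self-signed root passes its own name and key as both issuer and subject."""
    digest = _tbs_digest(subject, issuer_name, subject_key.n, subject_key.e, is_ca)
    sig = pow(digest, issuer_key.d, issuer_key.n)
    return Certificate(subject, issuer_name, subject_key.n, subject_key.e, is_ca, sig)


def signed_by(cert: Certificate, issuer: Certificate) -> bool:
    """True if `issuer` names cert's issuer, is a CA, and its key verifies the signature."""
    if cert.issuer != issuer.subject or not issuer.is_ca:
        return False
    digest = _tbs_digest(cert.subject, cert.issuer, cert.pub_n, cert.pub_e, cert.is_ca)
    return pow(cert.signature, issuer.pub_e, issuer.pub_n) == digest


def build_path(leaf, trust_anchors, intermediates, revoked=frozenset(), max_depth=4):
    """Walk issuer links from the leaf to a trusted anchor.
    Returns [leaf, ..., anchor], or None if no chain reaches an anchor or a
    certificate on the way is listed in `revoked` (a set of (issuer, subject))."""
    path, current = [leaf], leaf
    for _ in range(max_depth):
        if (current.issuer, current.subject) in revoked:
            return None
        for anchor in trust_anchors:
            if signed_by(current, anchor):
                return path + [anchor]
        nxt = next((c for c in intermediates if signed_by(current, c)), None)
        if nxt is None:
            return None
        path.append(nxt)
        current = nxt
    return None


def _names(path):
    return [c.subject for c in path] if path else None


def scenario() -> dict:
    """Org A runs a hierarchy (root -> sub CA -> user); org B runs a single root.
    A's relying party trusts only A's root until A cross-certifies B's root."""
    rng = random.Random(2000)
    a_root_key, a_sub_key, a_user_key = (generate_keypair(rng) for _ in range(3))
    b_root_key, b_user_key = (generate_keypair(rng) for _ in range(2))
    a_root = issue("A Root CA", a_root_key, "A Root CA", a_root_key, True)
    a_sub = issue("A Root CA", a_root_key, "A Sub CA", a_sub_key, True)
    a_user = issue("A Sub CA", a_sub_key, "alice@a.example", a_user_key, False)
    b_root = issue("B Root CA", b_root_key, "B Root CA", b_root_key, True)
    b_user = issue("B Root CA", b_root_key, "bob@b.example", b_user_key, False)
    anchors = [a_root]
    # Peer-to-peer cross-certification: A's root signs B's root key under B's name.
    cross = issue("A Root CA", a_root_key, "B Root CA", b_root_key, True)
    # An end-entity certificate cannot act as an issuer even if its key signs something.
    rogue = issue("alice@a.example", a_user_key, "mallory@a.example", b_user_key, False)
    return {
        "hierarchy": _names(build_path(a_user, anchors, [a_sub])),
        "before_cross": _names(build_path(b_user, anchors, [a_sub])),
        "after_cross": _names(build_path(b_user, anchors, [a_sub, cross])),
        "revoked_sub_ca": _names(build_path(a_user, anchors, [a_sub],
                                            revoked={("A Root CA", "A Sub CA")})),
        "rogue_issuer": _names(build_path(rogue, anchors, [a_sub, a_user])),
    }


if __name__ == "__main__":
    for case, path in scenario().items():
        print(f"{case:15s} -> {path}")
```

The relying party never trusts B's root directly: before the cross-certificate exists, `bob@b.example` has no path to A's anchor, and afterwards the path runs through the cross-certificate that A's root signed. The `is_ca` check is what stops an ordinary user certificate from being used as an issuer, and the `revoked` lookup models the revocation lists the review mentions being stored in the LDAP directory.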
Over traditional security measures, PKI eliminates the need for multiple passwords or identification data, which can be lost, stolen, or compromised through network exposure.
The bottom line
Entrust/PKI 5.0
Summary: This solid solution's key backup and recovery is seamlessly transacted, and management features make easy work of administering public key infrastructure (PKI).
Business Case: Entrust/PKI 5.0's return on investment comes from speedy integration of new business partners and time and money saved through streamlined management.
Pros: Easy management interface; good audit and reporting capabilities.
Cons: Expensive add-ons quickly escalate total cost; no key splitting available; no HP-UX or AIX version until second quarter of 2000.
Platforms: Windows NT 4.0; Solaris 2.7, 2.6.
Price: Available on application from the company Web site.
Interested resellers and distributors should contact Entrust Technologies at www.entrust.com