June 2001

Is There A Better Solution To Online Security?

BY JON MATONIS, HUSH COMMUNICATIONS

It took radio 38 years to reach 50 million people, television 13 years, and the Internet a mere 4.
-- United States Commerce Department

What information is worth protecting? It might be a private opinion, business-critical data such as a customer list or a negotiating strategy; all of it is sensitive, and all of it has value to you and your messaging partners. The need to ensure totally secure electronic communications is highlighted by the explosive growth of e-commerce. The biggest challenge to the continued growth of the e-commerce market is the competitive necessity for instant information contrasted with the equal necessity for privacy and confidentiality.

Companies will continue to make significant capital expenditures on technology to ensure their future viability in the modern world. Until recently, companies that require security solutions have been forced to build in-house security systems or purchase expensive "turnkey" solutions. As either option is a tremendously costly endeavor that requires skilled staff, hardware and software, more and more companies are choosing to outsource their security needs to trusted third parties.

What Are The Solutions?

Revenues from PKI products and services are predicted to reach a total of $8.56bn by 2004.
-- International Data Corporation

Most vendors of online security solutions, if they're at all credible, offer PKI-based solutions. PKI or Public Key Infrastructure is a significant departure from less sophisticated forms of coded communication available prior to its emergence in the 1970s. In a PKI cryptosystem, each individual is issued with a pair of keys. These keys are used both to encrypt and decrypt electronic information. The compelling feature of PKI is that whichever key out of the pair is used to encrypt a piece of information, the other key is required to decrypt it. This is in complete contrast to conventional cryptography, where the encryption and decryption process require the same key.

The roster of companies that offer either consumer or business security solutions is constantly growing. Out of the PKI family, two encryption methods have distinguished themselves: the X.509 and the OpenPGP, or PGP, standard. X.509 is generally associated with SMIME (Secure Multipurpose Internet Mail Extensions) and certificate-based products. Most SMIME vendors require that the end user install software, remember a password and manage both the public and private keys. The other system that has enjoyed success in the marketplace is the PGP standard. PGP requires the end user to manage a password and the public and private keys. Further, users of this system must exchange keys with other users of the system so that they may encrypt and decrypt messages.

Both systems have their champions. Neither system has ever fully penetrated the consumer or corporate markets. Generally, either cryptosystem is only available at a particular computer terminal, making roaming use impossible. Further, regardless of the level of security offered by either system, people and companies will not purchase, deploy or use products that are hard to use.

If the security industry is to adequately address the ongoing market need for security solutions, it must provide solutions that are easy to use and enable users to protect messages from any computer terminal on the planet with an Internet connection.

The Importance Of Interoperability

OpenPGP is set to become global standard.
-- James Middleton, VNUnet.com

The other more technical step the security industry must make to fulfill the market's need for reliable, sophisticated security solutions is to create products that support more than one encryption standard. As time and technology progress, the number of available standards will surely increase. If a company sells a product that is built to operate using only one standard (remember PGP and X.509), then the product's ability to work with the widest range of customers is greatly diminished.

Security products must be designed to be platform independent, allowing for further development or interoperability when appropriate and possible.

The Way Forward: Managed Key Security Technology

PKI services will make up the most significant part of ongoing costs incurred by any institution implementing a PKI solution.
-- Datamonitor

The only way for aspiring vendors to provide online security solutions to the mass market is to avoid ibuprofen versus aspirin debates over which standard is better. The real challenge is to create and maintain technology that allows users to enjoy the best available standards as well as being extremely easy to use. To create true global access to secure communications, a system of key server networks could act as repositories for users' public and private keys. Companies and end users will be able to create key pairs using their chosen programs, leaving third parties to manage the keys. Whenever possible, the network would allow key pair holders of any standard, whether it be X.509 or PGP, to exchange electronic communications with each other in a completely secure environment. The key server network will manage the cryptosystem standard as well as key pairs. The expansion of key serving networks can be assured only if the network works toward the greatest level of communications between standards.

Why Outsource Security?
The best reasons to outsource the online security function of a business or organization is to keep internal resources focused on the core competencies of the group and to eliminate the cost of acquiring, operating and maintaining an internal solution. Further, companies should look for outsourcing solutions with a low cost of entry with enough infrastructure to allow for rapid scalability. Companies that choose to outsource their security requirements to PKI-based managed security vendors will benefit from the latest security standards in the industry as well as provide instant access to a secure platform for all electronic communications.

Jon Matonis is the president and chief executive officer for Hush Communications. He has over 15 years' managerial experience in the areas of security and encryption technology, embedded software systems, international payment systems and foreign exchange.

[ Return To The June 2001 Table Of Contents ]