It took radio 38 years to reach 50 million
people, television 13 years, and the Internet a mere
-- United States Commerce Department
What information is worth protecting? It might be a
private opinion, business-critical data such as a
customer list or a negotiating strategy; all of it is
sensitive, and all of it has value to you and your
messaging partners. The need to ensure totally secure
electronic communications is highlighted by the
explosive growth of e-commerce. The biggest challenge
to the continued growth of the e-commerce market is
the competitive necessity for instant information
contrasted with the equal necessity for privacy and
Companies will continue to make significant capital
expenditures on technology to ensure their future
viability in the modern world. Until recently,
companies that require security solutions have been
forced to build in-house security systems or purchase
expensive "turnkey" solutions. As either option
is a tremendously costly endeavor that requires
skilled staff, hardware and software, more and more
companies are choosing to outsource their security
needs to trusted third parties.
What Are The Solutions?
Revenues from PKI products and services are
predicted to reach a total of $8.56bn by 2004.
-- International Data Corporation
Most vendors of online security solutions, if they're
at all credible, offer PKI-based solutions. PKI or
Public Key Infrastructure is a significant departure
from less sophisticated forms of coded communication
available prior to its emergence in the 1970s. In a
PKI cryptosystem, each individual is issued with a
pair of keys. These keys are used both to encrypt and
decrypt electronic information. The compelling feature
of PKI is that whichever key out of the pair is used
to encrypt a piece of information, the other key is
required to decrypt it. This is in complete contrast
to conventional cryptography, where the encryption and
decryption processes require the same key.
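The key-pair property described above, shown with textbook RSA as one concrete public-key algorithm (the article names none). This is an added example, not part of the original article; the primes, exponent and message are constructed sample values, and the toy key size and absence of padding make it an illustration only.

```python
# Added illustration: textbook RSA over tiny constructed primes.
# It demonstrates the key-pair relationship only; real deployments use
# large keys and padding schemes supplied by a vetted library.
from math import gcd


def make_key_pair(p, q, e=17):
    """Return (public, private) as ((e, n), (d, n)) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(key, block):
    """Apply one key of the pair to a single integer block below n."""
    exponent, n = key
    if not 0 <= block < n:
        raise ValueError("block must be in the range [0, n)")
    return pow(block, exponent, n)


def transform(key, blocks):
    """Apply a key to every block (here: one block per message byte)."""
    return [apply_key(key, b) for b in blocks]


def demo():
    public, private = make_key_pair(1009, 1013)  # constructed toy primes
    message = list(b"customer list")             # constructed sample text

    sealed = transform(public, message)    # anyone can encrypt to the owner
    signed = transform(private, message)   # only the owner can produce this

    return {
        # The other key of the pair reverses the operation...
        "private_opens_public": transform(private, sealed) == message,
        "public_opens_private": transform(public, signed) == message,
        # ...while the key that encrypted cannot decrypt its own output.
        "public_cannot_reopen": transform(public, sealed) != message,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The first direction gives confidentiality and the second is the basis of digital signatures, which is why the private key must never leave its owner's control.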
The roster of companies that offer either consumer
or business security solutions is constantly growing.
Out of the PKI family, two encryption methods have
distinguished themselves: the X.509 standard and the
OpenPGP, or PGP, standard. X.509 is generally associated
with S/MIME (Secure Multipurpose Internet Mail Extensions)
and certificate-based products. Most S/MIME vendors
require that the end user install software, remember a
password and manage both the public and private keys.
The other system that has enjoyed success in the
marketplace is the PGP standard. PGP requires the end
user to manage a password and the public and private
keys. Further, users of this system must exchange keys
with other users of the system so that they may
encrypt and decrypt messages.
Both systems have their champions. Neither system
has ever fully penetrated the consumer or corporate
markets. Generally, either cryptosystem is only
available at a particular computer terminal, making
roaming use impossible. Further, regardless of the
level of security offered by either system, people and
companies will not purchase, deploy or use products
that are hard to use.
If the security industry is to adequately address
the ongoing market need for security solutions, it
must provide solutions that are easy to use and enable
users to protect messages from any computer terminal
on the planet with an Internet connection.
The Importance Of Interoperability
OpenPGP is set to become global standard.
-- James Middleton, VNUnet.com
The other, more technical, step the security industry
must make to fulfill the market's need for reliable,
sophisticated security solutions is to create products
that support more than one encryption standard. As
time and technology progress, the number of available
standards will surely increase. If a company sells a
product that is built to operate using only one
standard (remember PGP and X.509), then the product's
ability to work with the widest range of customers is
Security products must be designed to be platform
independent, allowing for further development or
interoperability when appropriate and possible.
The Way Forward: Managed Key Security Technology
PKI services will make up the
most significant part of ongoing costs incurred by
any institution implementing a PKI solution.
The only way for aspiring vendors to provide online
security solutions to the mass market is to avoid
ibuprofen versus aspirin debates over which standard
is better. The real challenge is to create and
maintain technology that allows users to enjoy the
best available standards as well as being extremely
easy to use. To create true global access to secure
communications, a system of key server networks could
act as repositories for users' public and private
keys. Companies and end users will be able to create
key pairs using their chosen programs, leaving third
parties to manage the keys. Whenever possible, the
network would allow key pair holders of any standard,
whether it be X.509 or PGP, to exchange electronic
communications with each other in a completely secure
environment. The key server network will manage the
cryptosystem standard as well as key pairs. The
expansion of key serving networks can be assured only
if the network works toward the greatest level of
communications between standards.
Why Outsource Security?
The best reasons to outsource the online security
function of a business or organization are to keep
internal resources focused on the core competencies of
the group and to eliminate the cost of acquiring,
operating and maintaining an internal solution.
Further, companies should look for outsourcing
solutions with a low cost of entry and enough
infrastructure to allow for rapid scalability.
Companies that choose to outsource their security
requirements to PKI-based managed security vendors
will benefit from the latest security standards in the
industry as well as gain instant access to a secure
platform for all electronic communications.
Jon Matonis is the president and chief executive
officer for Hush
Communications. He has over 15 years' managerial
experience in the areas of security and encryption
technology, embedded software systems, international
payment systems and foreign exchange.