Hey everyone, read this "Information Week" article... techweb.cmp.com
In Certificates We Trust
As digital certificates bring low-cost security to the Internet, E-business takes off
By Beth Davis
Digital certificate technology is pushing the envelope, literally. This month, United Parcel Service launched two online services that will let businesses send signed legal documents instantly over the Net. Without digital certificates, the company couldn't have offered these services at all.
UPS isn't alone in turning to this electronic identification technology for an inexpensive, secure way to transact electronic business. ScotiaBank signed 32,000 customers since launching its digital certificate-based online banking service in September. During the past year, J.P. Morgan has replaced hardware encryptors with digital certificates, saving at least $1 million in the process. The bank also plans to use the technology to cut transaction time in its commercial mortgage underwriting business from weeks to days. BellSouth Telecommunications expects to save $5.4 million a year when it goes live with a digital certificate-based expense-reporting system later this year.
The market is about to take off, analysts say. Revenue from digital certificate software and services will more than double this year, to $56 million, and will hit $92 million by 2000, predicts Dataquest.
Digital certificates verify the identity of the sender, place a tamper-resistant seal on a message, and provide proof that a transaction has occurred (see story, "How Digital Certificates Make The Internet Safer"). Digital certificates give the Internet a high level of certainty, much the way a passport or driver's license verifies a person's identity. They also provide a level of safety and reliability similar to what certified mail provides for document delivery.
Many companies are turning to digital certificates for a secure yet inexpensive way of communicating with customers, but they're also finding that the technology can provide a quick return on investment. In addition, digital certificates have let some companies rapidly expand their online customer base. For other companies, digital certificates underlie new ways of communicating with employees and suppliers. "Anybody who is doing anything with E-commerce or looking for a better way to control the difficulties of large, distributed environments has to be looking at digital certificates," says Bruce Murphy, national director of Coopers & Lybrand's IT Security Services.
At UPS, digital certificate technology is key to new business opportunities. "The security that digital certificates offer has become a critical business enabler," says Mark Rhoney, UPS's VP of marketing for E-commerce. The shipping company plans to launch a digital certificate-based confidential document exchange service and a service to exchange documents among disparate E-mail systems by midyear. Both services are expected to cost customers less than the price of shipping an overnight letter.
Security was also important to J.P. Morgan, which started issuing digital certificates last year to 700 customers in its fixed income business unit who want financial statements over the Internet. But the bank also benefited from significant cost savings. The software-based certificates are less expensive and in some ways more reliable than hardware-based encryption systems previously used, says Charles Blauner, VP of security and Internet architecture at J.P. Morgan, in New York. Under the old system, custom hardware encryptors at client sites connected to J.P. Morgan via private lines and regular dial access. When a link went down, the user couldn't continue the transaction from another PC because those links were point-to-point. Using certificates, "it's easier for us to support these high-risk services at the client site," says Blauner. "You have more flexible choices about the networking."
Hardware encryption devices cost more than digital certificates, so J.P. Morgan was able to eliminate the $2,500 required to buy each hardware encryptor, saving at least $1 million in all, Blauner says. Software also doesn't have the maintenance costs of hardware, and it's inexpensive to distribute software over networks, he says.
J.P. Morgan plans to extend digital certificate technology to other lines of its business. One possibility is the commercial mortgage underwriting business, where J.P. Morgan will E-mail documents that previously were hand-delivered. That will cut the time it takes to negotiate the terms of a transaction from three weeks to no more than three days, Blauner says.
Besides hardware encryptors, other mechanisms designed to boost security include virtual private networks. A VPN establishes a secure tunnel over a public or private Internet Protocol-based network or over an extranet. But VPNs can't authenticate users unless they're used in conjunction with digital certificates.
Token Passing
Hardware or software tokens are another alternative. Most of these combine a password with a randomly generated access code. The access codes are synchronized with a server on the enterprise network that authenticates the user, granting or denying access. Like VPNs, tokens don't let users digitally sign documents. Nor do they ensure that data hasn't been tampered with or confirm that a transaction occurred.
Tokens are often more expensive than digital certificates. A software-based token from Security Dynamics can run as much as $79 per user, according to the Bedford, Mass., company. By comparison, a Web-based digital certificate from Entrust Technologies Ltd. costs only $25 per user, according to Entrust, in Richardson, Texas. However, an enterprise certificate system, which lets users authenticate to a number of applications that support Entrust, can carry a price tag as high as $148 per user, according to Entrust.
Low prices convinced financial services firm American Skandia to go with digital certificate technology. Had the company used technology other than digital certificates, it would have spent tens of dollars per customer to provide an authenticated, nonrepudiated session, says Christopher Luise, chief technologist at American Skandia, of the Shelton, Conn., company's effort to put many of its services on the Web. With digital certificates, the cost per customer is less than $5, he says.
Quick ROI
Setting up a certificate authority system isn't cheap, but it has a high return on investment. It costs about $4.2 million to set up a certificate authority system and issue digital certificates to 20,000 users, says Carl Howe, an analyst at Forrester Research. While that's a big tab, the technology can cut help-desk costs by 40%, saving $4.4 million a year in that same 20,000-user example, Howe adds.
With the promise of secure Internet-based services, companies are using digital certificates to rapidly move customers to the Internet. ScotiaBank, in Toronto, opened its online banking service last fall and quickly signed 32,000 customers. They use the service to check accounts, transfer funds, pay bills, update financial portfolios, and buy and sell stocks. "We have exceeded by far the first year marketing estimates for our group," says Paul Wing, VP of systems security and controls at ScotiaBank.
Getting all customers online is Liberty Financial Cos.' goal. The Boston asset-management conglomerate has nearly 10% of its customers using a digital-certificate-based service launched last year. "We just started rolling it out, and it's doing well," says Jeremy Jaffe, VP of electronic commerce at Liberty Financial. Liberty Financial's Stein Roe subsidiary uses digital certificates to let mutual fund shareholders view their accounts, transfer money between Stein Roe funds, and transfer money between their Stein Roe accounts and linked bank accounts. This month, Liberty's Colonial Mutual Funds subsidiary will open its intranet to sales reps armed with digital certificates, letting them access key product and account information. By year's end, another subsidiary, Keyport Life, will let its sales force use digital certificates to update accounts.
Companies also use digital certificates to facilitate internal business operations and communicate with suppliers and partners. BellSouth Telecommunications lets employees electronically file and sign off on expense reports.
In a pilot started last year, BellSouth cut the time to approve an expense report from three weeks to two days. When the full system is in place, BellSouth estimates that the new process will save as much as $5.4 million a year. The potential for savings in other areas is huge, says Bob Rust, portfolio manager for IT network and procurement at BellSouth, in Atlanta. The company has already turned some 800 paper forms into electronic documents, and any of those that require signatures will benefit from the system, he adds.
Healthy Exchange
United HealthCare Inc. wants to be able to exchange information over the Internet with the health care insurers and providers it serves. By law, United HealthCare must provide complete privacy for medical data, so it plans to test digital certificates. "For the first time, digital certificates are going to allow security to be a business enabler rather than a roadblock," says Karl Kendall, VP of computer operations and services at United HealthCare, in Minneapolis. "Digital certificates are the only viable choice we have to provide security to these 'new horizon' access methodologies," Kendall says.
Still, there are hurdles to overcome. For one, understanding of digital certificate technology still isn't widespread enough. "Understanding and acceptance has to be at the senior-management level, and right now the people that understand are in the middle," says Coopers & Lybrand's Murphy.
Also, an infrastructure must be developed to support digital certificates in the same way the financial services industry supports credit cards. This includes development of standards that ensure interoperability of products, common criteria for identification and background checks that constitute a valid certificate, and agreement on factors that determine the credibility and trust of third-party certificate authorities.
Along these lines, ValiCert Inc. in Palo Alto, Calif., is testing a digital certificate clearinghouse service that will track certificates that have been revoked, similar to credit-card validation services. This should help companies identify invalid digital certificates before they transact business with their owners.
To be sure, digital certificate technology is about providing security online. But the ramifications of the technology are much greater. "Our vision is anytime, anywhere access," says American Skandia's Luise. "And security is the enabler."
Should Certificate Authority Be An Inside Job?
By Beth Davis
Companies opting to launch online services secured with digital-certificate technology face a major decision: Should they outsource the digital-certificate system to a service provider or run it themselves? Some companies turn to certificate-authority providers because running a certificate authority system internally is complicated. Others choose to run their own system largely because of the liability issues involved in high-dollar transactions.
When J.P. Morgan was looking for an outsourcer, "None of the commercial CAs accepted any liability at all for a bad transaction resulting from a mishandled certificate," says Charles Blauner, VP of security and Internet architecture at J.P. Morgan. J.P. Morgan went with Entrust Technologies Inc.'s certificate-authority software. Several vendors offer competing public key-based certificate-authority software, including GTE Cybertrust and IBM, and even Microsoft and Netscape Communications offer basic certificate-authority software. GTE, IBM, and VeriSign Inc. offer CA services.
Companies may find more outsourcing options today than J.P. Morgan found last year. VeriSign has added liability insurance to its digital-certificate services. Financial institutions are also offering CA services, a trend that could ease the liability issue, because banks are considered trusted third parties, analysts say.
Zions Bancorp in Salt Lake City became the first bank to offer CA services in January when it launched its Digital Signature Trust Co. The new group will offer three services: a commercial CA service issuing certificates under the Digital Signature Trust name; a Service Bureau CA that will let companies put certificates under their own name with Digital Signature Trust still issuing and maintaining them; and a repository service in which customers can check at any time the validity of certificates.
Earlier this month, the American Bankers Association revealed plans to partner with Digital Signature Trust to serve as a trusted third party, backing the digital certificates various financial-service providers issue to their clients. The ABA has historically served as a trusted third party for a number of financial services, including the securities numbering system, card identification numbers, and standards.