Stories by Matthew Nelson

Warnings go out about cholera worm/virus threat

A new combined worm and virus threat, called Cholera, has been posted to a hacker's Web site and has anti-virus vendors scrambling to provide protection before an epidemic spreads akin to Melissa and Worm.ExploreZip.

Alerts issued for new virus -- toadie.exe

Antivirus software vendors are warning their users of a new virus, toadie.exe, which is spreading across Internet chat sites and e-mail in the form of an executable program.

Java security bug found, patched

A security flaw within Java 2 has been identified and a patch is now available from Sun Microsystems, according to the company.

Interview: The Year of PKI

Network security has become a necessity with the spread of Internet commerce and the expansion of intranets to larger extranets. But with differing network systems, secure connections that are constantly updated can be a difficult proposition. One possible solution is the use of public key infrastructure (PKI) systems and digital certificates. To discuss PKI and what it means for the enterprise, InfoWorld Senior Writer Matthew Nelson recently sat down with John Ryan, chief executive officer of Entrust Technologies, one of the leading PKI system providers.

Do you consider 1999 the year of PKI?

There's no question that the recognition by companies that they will all need a PKI is now upon us, and we're seeing incredible acceleration of pilot activity and recognition across our customer base. So I think this year will be the year where people recognise they will definitely have a PKI in their enterprise and start the methodical planning to ensure they pick the right one.

Why is PKI seeing adoption now when it is a technology that has been around for quite a while?

Not unlike the Internet [that] was around for almost 20 years before all of a sudden it took off, there have been some fundamental things that happened in the enterprise that have now driven the need, and made it a lower-risk decision for the enterprise. The first was certificates, or PKI capabilities, which were embedded in the browsers. The next thing that happened was the major 20 vendors in the networking world -- the whole crew in networking and firewalls -- all standardised around a standard called IP SET [Secure Electronic Transaction], which includes digital certificates. So basically, each application in an enterprise now, or the major applications of an enterprise backbone, are including security as a fundamental element, which is forcing companies to consider a public key infrastructure.

What developments should IT managers expect to see during the next year?

I think you're going to see a much more wide-scale enablement of applications, which really is going to make it much simpler for the enterprise to install a PKI, because the applications will be ready to accept it.

I also think you're going to see networks of trust being created. I think one of the first ones we saw was the banking community with their global trust organisation, which is a high-value, high-trust network for Web-based electronic transactions.

Is there a problem with interoperability between different companies' digital certificates?

Fortunately, the industry standards that enable interoperability have now passed. But actually, we now can support interworking with VeriSign, GTE, Microsoft, Netscape, and others, today, in our product. So we actually do have full interoperability in our product and we can create webs of trust that include VeriSign or GTE certificate authorities, webbed with an Entrust certificate authority, into a network of PKI networking. And we really see that as an innovation that the market has not yet anticipated. The evolution will then give customers choices and the ability to scale their networks based on what they've bought to date.

Has that interoperability created a different kind of competition between Entrust and your competitors?

We have always worked with large enterprises and basically delivered a guaranteed security system that they could buy and integrate every application into, and have single sign-on and consistent policies and practices.

Our competitors are more focused around the authentication market. They don't provide encryption or digital signature; they really count on all the various applications to embed that technology. So we really don't compete that often, head-to-head. But I think you'll see, as we migrate through this year, a much larger movement with our service provider program.

We have partnerships with many service providers, which are more analogous to the VeriSign model, but with the full Entrust product suite, combined with our ability to implement Entrust Worldwide, a global network that we've just created. We'll be able to create really hybrid PKI networks where a piece of the PKI is on the customer's premises, and controlled by them.

Another piece of the PKI might be controlled by a service provider, and we can connect them together seamlessly to be able to enable PKI networking and then extend that web of trust to other companies, so that you can create a community of interest to conduct electronic commerce.

If digital certificates are all going to interoperate, how are companies going to differentiate themselves from their competitors?

That part is going to be an exciting revolution because it will evolve very similarly to the credit card business, and I believe that the card or the certificate will become a brand position. I might have a Citibank Certificate just like I have a Citibank MasterCard.

And I can see that there will be a battle for that identity, and I really believe you're going to find there are credentials that you can use across a number of services, and that credential may be issued by a bank, or a telephone company, or a government. And then I think that most organisations who really care about branding and positioning will issue certificates to their customers. So a person will end up with probably the same number of certificates as they have credit cards.

Do you think the cessation of year-2000 projects is going to have an effect on the adoption of security products and specifically PKI systems?

Certainly there's no doubt, it's a very critical element that's on the mind of every CIO. I think it's helping accelerate PKI in the first six months of the year because I think behind year 2000, many of our corporate customers are telling us security is the next, No. 2 critical item. And they have to get it fixed, but they want to get going right away, before the latter part of the year comes when they're fearful that they're going to be a little bit busy with year-2000 testing, if they haven't got there yet.

In the second half of the year, we've pretty much said it could slow down as far as implementation goes. But we actually think that people are going to solve a lot more of the problem than they thought, and are actually going to be in a position to have the ability to buy the technology for implementation in the year 2000.

We're cautiously optimistic right now, but we actually see it as an accelerator in the short term, and then we'll be waiting and seeing what happens. We also have seen though -- without doubt -- once the year-2000 bug is done, everybody has said security will become the next No. 1 priority. So I think that that speaks well for the position that we see emerging in the enterprises.

RSA goes Down Under to dodge export laws

In a move indicative of how some American encryption companies feel disadvantaged by government encryption export regulations, RSA Data Security has opened a development centre in Brisbane, Australia, thus sidestepping export law.
