If there is a market still looking for a raison d'être, it's PKI. PKI is expensive and complicated to deploy, and its weak client support and even weaker end-user security make it a tough sell. Many analysts point out that e-commerce, the first "big problem" that PKI could solve, doesn't in fact need it. Well, not client PKI anyway: online shopping with SSL/TLS obviously leverages the components of a PKI, but users are still authenticated by user name and password over SSL.
The server side of PKI is well implemented, and work to make PKI more manageable is ongoing. But the model falls apart on the client side. Unless you deploy the entire vendor solution, like Entrust's Authority and desktop solutions, certificate life-cycle management is a nightmare. At best, users can renew and revoke their own certificates, but other processes, like certificate-revocation checking, are not well-supported.
Netscape and Microsoft simply couldn't put their differences aside and agree to support CDP (CRL distribution points) or OCSP (Online Certificate Status Protocol). So you standardize on a single browser or develop for both.
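The revocation check the two paragraphs above say browsers left unsupported is small in code but has several steps a client must not skip. The following is an added example, not code from the article or from any vendor it names: it uses the third-party `cryptography` package to build a throwaway CA, a user certificate carrying a CDP extension, and CRLs in memory, then checks the certificate against them entirely offline. The CA name, the user name and the CDP URL are placeholders that are never fetched; OCSP is not shown.

```python
# Added example (not from the article): client-side revocation checking against a CRL,
# using the third-party "cryptography" package. A throwaway CA, leaf certificate and
# CRLs are generated in memory so the check runs offline; the CDP URL is a placeholder.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

CRL_URL = "http://pki.example.invalid/demo.crl"  # placeholder CDP, never fetched


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, pubkey, signer, now, ca=False, cdp=None):
    """Issue a certificate; the leaf gets a CRL distribution point pointing at CRL_URL."""
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject)).issuer_name(_name(issuer))
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if cdp:
        dp = x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(cdp)],
                                    relative_name=None, reasons=None, crl_issuer=None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(signer, hashes.SHA256())


def make_crl(ca_cert, ca_key, revoked_serials, now, lifetime=datetime.timedelta(days=1)):
    b = (x509.CertificateRevocationListBuilder()
         .issuer_name(ca_cert.subject).last_update(now).next_update(now + lifetime))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(now).build())
    return b.sign(ca_key, hashes.SHA256())


def cdp_urls(cert):
    """URLs a client would fetch the CRL from (the CDP extension the article mentions)."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in ext for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]


def _next_update(crl):
    # Newer cryptography releases expose a tz-aware next_update_utc; fall back otherwise.
    if hasattr(crl, "next_update_utc"):
        return crl.next_update_utc
    nu = crl.next_update
    return nu.replace(tzinfo=datetime.timezone.utc) if nu else None


def revocation_status(cert, crl, ca_cert, now):
    """Checks a client must make before trusting a CRL: issuer, signature, freshness, serial."""
    if crl.issuer != cert.issuer:
        return "unknown"          # CRL was not issued by this certificate's issuer
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "unknown"          # tampered or mis-served CRL
    nu = _next_update(crl)
    if nu is not None and now > nu:
        return "stale"            # expired CRL: fail closed rather than assume "good"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"


def demo():
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = _cert("Demo CA", "Demo CA", ca_key.public_key(), ca_key, now, ca=True)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = _cert("user@example.invalid", "Demo CA", leaf_key.public_key(), ca_key, now,
                 cdp=CRL_URL)
    empty_crl = make_crl(ca_cert, ca_key, [], now)
    revoking_crl = make_crl(ca_cert, ca_key, [leaf.serial_number], now)
    old_crl = make_crl(ca_cert, ca_key, [], now - datetime.timedelta(days=3))
    return {
        "cdp": cdp_urls(leaf),
        "before": revocation_status(leaf, empty_crl, ca_cert, now),
        "after": revocation_status(leaf, revoking_crl, ca_cert, now),
        "stale": revocation_status(leaf, old_crl, ca_cert, now),
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks is the point: a CRL that the client cannot tie to the issuer, whose signature does not verify, or whose next-update time has passed must not be read as "not revoked". A client that treats any of those three cases as "good" has the same effective revocation support as a browser that never fetched the CRL at all.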
So where is PKI heading? Microsoft's betting that tight integration of digital certificates in Windows 2000 and XP will provide an entry point for corporations to deploy PKIs. Microsoft's Certificate Server, using a default installation, is simple to deploy and manage. In fact, setting a group policy for computer auto-enrollment distributes certificates to computers in the domain automatically. Third-party vendor developers leveraging Microsoft's CAPI (Crypto API) and CSP (Cryptographic Service Provider) can build PKI-enabled applications with very little development.
Of course, PKI is a technology in need of an application, and development has largely followed a model where specific vendors join partner programs and subsequently receive application certification when integration APIs are developed and deployed. If your application is homegrown or not one of the few certified, be prepared to spend a lot of money in custom development.
Intrusion Detection and Vulnerability Assessment
Of course, access control without monitoring is like leaving kids in a candy store: you know they're in there, but you don't know what they are doing. Like virus scanners, IDSes (intrusion detection systems) are only as current as their last update. The time lag between when an exploit hits the public and when IDS vendors develop signatures to detect it can be weeks or months. Even then, an IDS is dubious at best.
Why? First, IDSes are largely signature-based. Change the footprint of the attack, and chances are it will sneak by; signature-based IDSes will always be behind the curve. The second limitation is false positives caused by normal network traffic triggering signatures. Take an IDS and stick it onto a network, and you'll be buried in alerts in no time. Key to a successful deployment are tuning of the IDS and intimate knowledge of the network applications that are running.
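Both limitations in the paragraph above can be shown on a handful of request lines. The following is an added example, not code from the article or from any IDS product: a toy signature matcher run over constructed HTTP request lines. It shows a signature written against raw bytes missing the same request once it is percent-encoded, normalization before matching closing that gap, and a site-specific tuning rule suppressing a benign page that happens to trip a signature. The signatures, tuning rule and sample lines are all made up for the demonstration.

```python
# Added example (not from the article): toy signature IDS over constructed request lines,
# showing raw-byte signatures missing re-encoded traffic, normalization before matching,
# and tuning out a known false positive. Names, patterns and lines are all made up.
import re
from urllib.parse import unquote

# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /../../etc/passwd HTTP/1.1",             # traversal, plain
    "GET /%2e%2e/%2e%2e/etc/%70asswd HTTP/1.1",   # the same request, percent-encoded
    "GET /docs/passwd-policy.html HTTP/1.1",      # benign page whose name contains 'passwd'
]

# Toy signatures keyed by name; real rulesets carry thousands of these.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "passwd-access": re.compile(r"passwd"),
}

# Site-specific tuning: (signature, pattern) pairs known to be benign on this network.
TUNING = [
    ("passwd-access", re.compile(r"^GET /docs/")),
]


def normalize(line):
    """Percent-decode until the text stops changing, so double encoding also unwinds."""
    prev = None
    while prev != line:
        prev, line = line, unquote(line)
    return line


def scan(requests, normalize_first=False, suppressions=()):
    """Return (request, signature) alerts; optionally normalize first and apply tuning."""
    alerts = []
    for req in requests:
        haystack = normalize(req) if normalize_first else req
        for name, rx in SIGNATURES.items():
            if not rx.search(haystack):
                continue
            if any(name == s_name and s_rx.search(haystack) for s_name, s_rx in suppressions):
                continue  # tuned out as known-benign for this site
            alerts.append((req, name))
    return alerts


def report():
    """Alerts per stage: raw signatures, after normalization, after normalization plus tuning."""
    return {
        "raw": scan(SAMPLE_REQUESTS),
        "normalized": scan(SAMPLE_REQUESTS, normalize_first=True),
        "tuned": scan(SAMPLE_REQUESTS, normalize_first=True, suppressions=TUNING),
    }


if __name__ == "__main__":
    for stage, alerts in report().items():
        print(stage)
        for req, sig in alerts:
            print("   ", sig, "<-", req)
```

Run as written, the raw stage alerts on the plain traversal and on the benign policy page but is silent on the encoded request; the normalized stage catches the encoded request; the tuned stage additionally drops the policy-page false positive while keeping the real hits. Normalization belongs in front of the matcher, not inside each signature, and tuning rules should be as narrow as the one shown rather than disabling the signature outright.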
There are a few anomaly IDSes, which monitor traffic, user and program activity and analyze logs to create a baseline of normal network behavior. Deviations from the baseline, as well as known attack signatures, are combined to provide a broader view of the network and to highlight abnormal activity. How well such an anomaly IDS works depends largely on how consistent the traffic patterns on your network are. We will be seeing more anomaly IDSes in the future, but unless you have the staff to install, monitor and maintain them, they may not provide much ROI (return on investment).
An alternative to anomaly IDSes is security event aggregation and correlation applications, such as netForensics, which monitor data from log sources and provide event correlation and analysis. No baseline is taken; events are processed live on the network as well as stored for historical trending. The driver for security event correlation is no different from that of network event correlation: raise the signal-to-noise ratio and present only significant events to administrators. That is a tall task, and one not unlike what an anomaly IDS attempts.
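The two paragraphs above describe two mechanisms, a baseline with deviation detection and cross-source correlation, and the first one notes that deviations and signature hits are combined. The following is an added example, not code from the article, from netForensics or from any anomaly IDS product: it computes a per-host hourly baseline from constructed counts, flags a live hour that exceeds it, and then pools that deviation with a constructed IDS alert feed and constructed authentication failures, scoring each host-hour by how many independent sources agree. Host addresses, counts, log formats, the `k`/`min_delta` threshold rule and the scoring rule are all made up for the demonstration.

```python
# Added example (not from the article): baseline-and-deviation detection over constructed
# firewall records, then correlation with two other constructed sources (IDS alerts and
# authentication failures). Hosts, counts, formats and the scoring rule are all made up.
import statistics
from collections import defaultdict

# Connections per hour seen from each host across a (constructed) baseline period.
BASELINE = {
    "10.0.0.5": [9, 11, 10, 12, 8, 10, 11, 9, 10, 12, 11, 10],
    "10.0.0.7": [40, 35, 38, 42, 37, 41, 39, 40, 36, 38, 43, 39],
}

# Live firewall records for one hour: "<hour> <src> <dst> <dport> <action>" (constructed).
LIVE_FW_LOG = (
    [f"13:00 10.0.0.7 10.0.2.{i} 443 allow" for i in range(1, 40)]   # within baseline
    + [f"13:00 10.0.0.5 10.0.1.{i} 445 deny" for i in range(1, 61)]  # far above baseline
)

# Constructed events from two other sources, already in (hour, src, detail) form.
IDS_ALERTS = [("13:00", "10.0.0.5", "smb-probe-signature")]
AUTH_FAILURES = [("13:00", "10.0.0.5", "svc_backup")] * 4 + [("13:00", "10.0.0.9", "alice")]


def hourly_counts(lines):
    """Aggregate raw firewall lines into connections per (source host, hour)."""
    counts = defaultdict(int)
    for line in lines:
        hour, src, _dst, _dport, _action = line.split()
        counts[(src, hour)] += 1
    return counts


def baseline_stats(baseline):
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in baseline.items()}


def deviations(live, stats, k=3.0, min_delta=5):
    """Flag (host, hour) whose count exceeds mean + max(k*sd, min_delta); unknown hosts too."""
    out = []
    for (host, hour), n in live.items():
        if host not in stats:
            out.append((host, hour, n, "no-baseline"))   # never seen: worth a look on its own
            continue
        mean, sd = stats[host]
        if n > mean + max(k * sd, min_delta):
            out.append((host, hour, n, "above-baseline"))
    return out


def correlate(devs, ids_alerts, auth_failures, min_auth_failures=3):
    """Pool evidence per (host, hour); score = number of distinct sources that agree."""
    evidence = defaultdict(list)
    for host, hour, n, why in devs:
        evidence[(host, hour)].append(f"firewall:{why}:{n}")
    for hour, host, sig in ids_alerts:
        evidence[(host, hour)].append(f"ids:{sig}")
    fails = defaultdict(int)
    for hour, host, user in auth_failures:
        fails[(host, hour, user)] += 1
    for (host, hour, user), n in fails.items():
        if n >= min_auth_failures:                        # a single failure is noise
            evidence[(host, hour)].append(f"auth:{n}-failed-logins:{user}")
    return {key: {"score": len({e.split(":")[0] for e in items}), "evidence": items}
            for key, items in evidence.items()}


def run():
    devs = deviations(hourly_counts(LIVE_FW_LOG), baseline_stats(BASELINE))
    return correlate(devs, IDS_ALERTS, AUTH_FAILURES)


if __name__ == "__main__":
    for (host, hour), inc in sorted(run().items(), key=lambda kv: -kv[1]["score"]):
        print(host, hour, "score", inc["score"], inc["evidence"])
```

With the constructed input, 10.0.0.7 stays inside its baseline and produces nothing, 10.0.0.9's single failed login is dropped as noise, and 10.0.0.5 surfaces once with a score of 3 because the firewall deviation, the IDS signature and the authentication failures all point at the same host-hour. That one line of output, rather than sixty firewall denies plus an IDS alert plus four auth-log entries, is the signal-to-noise improvement the paragraph above is after; the `min_delta` floor keeps a host with a very flat baseline from alerting on a change of one or two connections.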
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Send your comments on this article to him at mfratto@nwc.com.