UBM Network Computing

Bridging The Business-to-Business Authentication Gap

By Christy Hudgins-Bonafield

It took an Internet revolution, but the stepchild of networking--authentication--is coming into its own. The once staid, stale and mostly military market for products that establish network rights and identities now represents a potential bonanza for businesses and vendors alike. Security firms are fairly tripping over one another to release products that may eventually prompt a high-tech economic shift--a wave of productivity gains and job displacements akin to those associated with the birth of the PC.

Public key (PK) authentication and underlying encryption ultimately will determine whether businesses forsake private networks to derive the savings, collaborative and competitive benefits of the Internet. Similarly, authentication, access control and privileges may underlie efforts to streamline staffs previously needed for business-to-business transactions.

Ambitious players, like the auto industry, already are creating authentication infrastructures tailored to their business-to-business goals. Likewise, at MIT, older Kerberos-based authentication is in use on an Office Depot Web site. The system is used to authenticate MIT employee purchases, letting MIT pare down a prolific purchase-order bureaucracy to a single monthly bill. The system also curtails fraud because office supplies are shipped only to addresses on record. MIT is ready to move on to larger purchases--by using an internal Web page to obtain human approvals of $2,000-plus purchases, the first step in MIT's planned big-ticket online order process.

Most businesses, however, are just entering a pilot period for testing and building in-house public-key certificate systems. Both businesses and vendors are discovering that the framework for this new child of the Internet has yet to be established and that there are many gaps and hurdles on the road ahead. Among them:

· Duplicative or competing standards for key management, directories and infrastructures that exist alongside significant holes in today's authentication constructs;

· The catch-22 that calls for an overarching application programming interface (API) to address multiple security standards, juxtaposed against arguments that such an approach will only introduce network vulnerabilities;

· API frameworks that continue to emerge--Intel Corp.'s Common Data Security Architecture (CDSA), Microsoft Corp.'s CryptoAPI, Xcert Software's Xcert Universal Database API (XUDA), an expected API set from Sun Microsystems, a draft from the Internet Engineering Task Force (IETF) for Sun-supported PF-Key and the likelihood of yet another security/management API set from Novell--with no definitive answer as to which will prove most popular and how homegrown and legacy software will be supported;

· Pivotal issues surrounding certificate revocation scaling, storage and audit that remain unaddressed, and standards that do not adequately spell out how the industry will move from merely identifying a person to actually authorizing use of accessible network resources;

· The need to establish a legal and financial framework for certificate authorities (CAs), in which user-vendor risks and liabilities are established contractually and insured against, and network identities and authorizations become legally binding internationally;

· A dearth of corporate security staffing coupled with issues of legal liability that will affect the way businesses rely on public certificate authorities or build contractual relationships that share liability with product and service providers (see Business Trends on page 26);

To see the Side Bar on Who's Who in the CA market

Glossary of Certificate Authority terms


Updated July 10, 1997







