PKI: The Myth, the Magic and the Reality - Page 2
Part 2: Snapping in PKI
A major obstacle blocks PKI's path to mainstream acceptance: How do enterprise apps integrate with the various certificate formats and alternatives?
While PKI vendors offer developer toolkits that enable applications to work with their certificates, application vendors have been slow to do so, particularly in the absence of mass-market demand. Instead, they've had to choose between either supporting all of the PKI vendors or one exclusively, neither of which seems like a good business decision.
Moreover, enterprise customers wanting to take advantage of PKI have been handcuffed by a lack of certificate interoperability. Standards have been slow in developing, and many of today's PKI deployments are forced to accept certificates from only one PKI vendor. This, in turn, places limitations on scalability and the enterprise's ability to expand their hierarchical "circle of trust."
A number of security vendors are working on solutions to this dilemma. LockStar Inc., for example, offers a PKI-to-legacy integration technology, providing end-to-end digital certificate-based user authentication and data security. A similar solution comes from SHYM Technology, a Boston-based start-up that has rolled out a product appropriately named PKEnable. A PKI-neutral solution, PKEnable links applications to different brands of PKI products through an infrastructure that sits between the two.
"PKEnable software allows enterprises to integrate packaged and legacy applications with PKI services from a variety of vendors, allowing them to use digital certificates," says Burton Group president and analyst Jamie Lewis. "There is no question that this kind of application will help further the adoption of PKI."
SHYM's PKEnable infrastructure consists of a number of major components (see Figure). First and foremost are the "Shyms," which link prepackaged enterprise applications and leading security standards such as the GSS API to the rest of the infrastructure. The Shyms also support in-house, custom applications through the Shym toolkit, as well as network communications via PKEnable's AutoShym capability.
Through a management facility called the Shym Integration Layer (SIL), all security-related requests are channeled from the various applications into a common area. Here the SIL interacts with the Shym server to determine which PKI that application is tied to, and if the user's certificate is valid for that application. Once the server provides the SIL with that information, the request is then channeled into the Shym Provider Interface (SPI) for the appropriate PKI. The PKI does the processing and responds through the infrastructure back to the application.
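The request path described above (application into a common integration layer, lookup of the PKI that application is bound to, dispatch through a per-vendor provider interface), as an added toy model in Python. This is not SHYM's code; the class and method names (Certificate, PkiProvider, IntegrationLayer, validate, authorize), the two vendor names and the sample certificates are assumptions made for illustration, and the certificate is reduced to the few fields the broker actually checks.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for an X.509 certificate: only the fields the broker checks."""
    subject: str
    issuer: str            # name of the PKI (trust anchor) that issued it
    not_before: datetime
    not_after: datetime
    revoked: bool = False  # stands in for the CRL/OCSP answer a real PKI would give

class PkiProvider:
    """Hypothetical SPI: one instance per PKI vendor sitting behind the broker."""
    def __init__(self, name: str):
        self.name = name
    def validate(self, cert: Certificate, now: datetime) -> bool:
        # A provider vouches only for certificates its own PKI issued.
        return (cert.issuer == self.name
                and cert.not_before <= now <= cert.not_after
                and not cert.revoked)

class IntegrationLayer:
    """Hypothetical SIL: binds each application to exactly one PKI provider."""
    def __init__(self, providers, app_bindings):
        self._providers = {p.name: p for p in providers}
        self._bindings = dict(app_bindings)  # application name -> provider name
    def authorize(self, app: str, cert: Certificate, now=None) -> bool:
        now = now or datetime.now(timezone.utc)
        provider_name = self._bindings.get(app)
        if provider_name is None:
            return False  # application not enrolled with any PKI: fail closed
        # Route to the PKI bound to this app; a cert from another vendor's PKI is rejected, not retried elsewhere.
        return self._providers[provider_name].validate(cert, now)

# Constructed sample deployment: two applications, each tied to a different PKI.
SIL = IntegrationLayer([PkiProvider("VendorA"), PkiProvider("VendorB")],
                       {"notes": "VendorA", "sap": "VendorB"})
NOW = datetime(2000, 1, 1, tzinfo=timezone.utc)
ALICE = Certificate("alice", "VendorA", datetime(1999, 1, 1, tzinfo=timezone.utc),
                    datetime(2001, 1, 1, tzinfo=timezone.utc))

def demo():
    """Run the broker over constructed cases; returns the decision for each."""
    revoked = Certificate("alice", "VendorA", ALICE.not_before, ALICE.not_after, revoked=True)
    return {"bound_pki": SIL.authorize("notes", ALICE, NOW),
            "other_pki": SIL.authorize("sap", ALICE, NOW),
            "unknown_app": SIL.authorize("payroll", ALICE, NOW),
            "expired": SIL.authorize("notes", ALICE, NOW.replace(year=2002)),
            "revoked": SIL.authorize("notes", revoked, NOW)}
```

The point the model makes is that the broker, not the application, decides which trust anchor may vouch for a user, so a certificate that is perfectly valid under one vendor's PKI is still refused for an application bound to another.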
SHYM currently supports digital certificates from VeriSign and Entrust Technologies, with support for GTE CyberTrust and Baltimore in the works. Shyms have been developed for commercial applications such as Lotus Notes, PeopleSoft, SAP and Documentum. In the future, the company plans to develop Shyms for enterprise resource management apps from the likes of J.D. Edwards, Oracle, Baan and Mapics; supply chain management apps from i2 Technologies, Manugistics and Logility; customer resource management and sales force automation solutions from Siebel, Vantive and Clarify; and database products from Oracle, Sybase and Informix.
Despite PKEnable's potential, Burton Group's Lewis says that the technology has a downside that could slow market acceptance: It requires installation of client software. "Customers don't mind installing a server for a function, but when they have to go out and touch every client, that increases the complexity and cost," he says. "But there is really no way to get around that. The ability for customers to map existing applications to PKI is important and necessary to move towards PKI. It remains to be seen to some degree how well they implement it."
Figure: SHYM's application integration model