Presentation is loading. Please wait.

Presentation is loading. Please wait.

Adoption of PKI Where are we, where should we be, what’s holding us back, and where do we want to go? And: what about authentication vs. authorization?

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Adoption of PKI Where are we, where should we be, what’s holding us back, and where do we want to go? And: what about authentication vs. authorization?"— Presentation transcript:

1 Adoption of PKI Where are we, where should we be, what’s holding us back, and where do we want to go? And: what about authentication vs. authorization? Rich Guida

2 What are the framing issues? What applications need authentication, e- signatures, or confidentiality? What applications need authentication, e- signatures, or confidentiality? What determines the degree of need? What determines the degree of need? What is the nature of the population of users an application services? What is the nature of the population of users an application services? What is the span of control of the PKI intended to service that application? What is the span of control of the PKI intended to service that application? Do you justify a PKI based on Return on Investment or something else? Do you justify a PKI based on Return on Investment or something else? Does the PKI handle user authorization or just authentication? Does the PKI handle user authorization or just authentication?

3 Where are we? PKI is being broadly used for SSL server-side authentication PKI is being broadly used for SSL server-side authentication –Whether it provides all of the security one might like or not PKI is seeing growing acceptance within enterprises as a tool for user authentication, e-signatures, and confidentiality PKI is seeing growing acceptance within enterprises as a tool for user authentication, e-signatures, and confidentiality –Many examples, government and private sector PKI is starting to be used between enterprises and in IPSEC PKI is starting to be used between enterprises and in IPSEC But PKI is NOT being used globally by consumers But PKI is NOT being used globally by consumers –With some notable exceptions (e.g., ScotiaBank) And PKI is also not being used broadly for user authorization And PKI is also not being used broadly for user authorization –Attribute certificates still a “work in progress”

4 Where should we be? Using PKI broadly for authentication, and ultimately authorization Using PKI broadly for authentication, and ultimately authorization Integrating PKI into the network and enterprise directory services, so it can benefit from them Integrating PKI into the network and enterprise directory services, so it can benefit from them Providing a common look and feel at the application layer for certificate use Providing a common look and feel at the application layer for certificate use Making the use of certificates seamless and “reasonably” invisible to the average user Making the use of certificates seamless and “reasonably” invisible to the average user

5 What’s really holding us back? Lack of applications that use certificates Lack of applications that use certificates The race to be “second” The race to be “second” Lack of common semantics (e.g., in certificate policies) Lack of common semantics (e.g., in certificate policies) Organizational politics (e.g., Intra-organizational and inter-organizational parochialism, NIH syndrome, namespace control, lawyers) Organizational politics (e.g., Intra-organizational and inter-organizational parochialism, NIH syndrome, namespace control, lawyers) Dealing with legacy application entanglements Dealing with legacy application entanglements Lack of an ability to show ROI (a chimera) Lack of an ability to show ROI (a chimera) And least of all – the technology And least of all – the technology

6 Where do we want to go? Depends a lot on your perspective Depends a lot on your perspective Some want to see identity-based PKI burgeon for intra-enterprise use first, then inter-enterprise Some want to see identity-based PKI burgeon for intra-enterprise use first, then inter-enterprise Others want to see identity-based PKI burgeon for dealing with consumers or the public Others want to see identity-based PKI burgeon for dealing with consumers or the public Others would like PKI to focus on authorization rather than authentication Others would like PKI to focus on authorization rather than authentication Still others think we should use some other technology entirely Still others think we should use some other technology entirely –But what? Passwords? Biometrics? Each has its own set of problems…

7 Authentication vs. Authorization If an application needs to do one, it probably also needs to do the other If an application needs to do one, it probably also needs to do the other –Or needs to trust another application (or the network operating system) which has done the other Can do both simultaneously, or separately Can do both simultaneously, or separately –“Should I separate variables before solving this PDE?” –(Normally – yes, especially if the PDE is Navier-Stokes!)

8 Why do Separately? Intuitively consistent with processes we are all familiar with Intuitively consistent with processes we are all familiar with Required by some (perhaps most) regulations (e.g., FDA 21 CFR Part 11, e-records, and e- signatures) Required by some (perhaps most) regulations (e.g., FDA 21 CFR Part 11, e-records, and e- signatures) Allows PKI to do one while some other process does the other (thus, supports legacy applications that use ACLs) Allows PKI to do one while some other process does the other (thus, supports legacy applications that use ACLs) Sometimes identity is important separate from authorization (or identity is sufficient by itself – such as patient access to his/her records under HIPAA) Sometimes identity is important separate from authorization (or identity is sufficient by itself – such as patient access to his/her records under HIPAA)

9 Examples Passport Passport –To get one, have to prove who you are (don’t even have to indicate “why”) – but if you want to use it, may need a visa (authorization to visit foreign country) Driver’s license Driver’s license –To get one, had to prove who you are, not just that you can drive a car, and license provides evidence of identity as well as authorization to do something – drive a vehicle Getting a credit card Getting a credit card –To get the card, had to provide evidence of who you are and ability to pay your debts (former needed to establish latter) –Arguably you should be asked to provide stronger evidence than credit card companies require (to combat identity theft) Using a credit card Using a credit card –Some merchants accept card alone for purchase (so it is like an authorization token), but increasingly you have to produce separate identity ID because of problem with fraudulent purchases

10 Example: Johnson & Johnson PKI Directory-centric Directory-centric –Enterprise directory serves as authoritative source –Certificate contents come solely from directory Two identity certificates (signature, encryption), plus role/group certificates Two identity certificates (signature, encryption), plus role/group certificates Hardware token preference (USB iKey2032) but also support software tokens Hardware token preference (USB iKey2032) but also support software tokens In first phase of deployment (about 500 certificates issued), testing underway In first phase of deployment (about 500 certificates issued), testing underway Second phase (full production) later this year Second phase (full production) later this year –Goal is certs for almost all J&J employees plus, where necessary, customers and business partners –Expect total number ultimately to be >>100,000 –Willing to accept non J&J certs through cross-certification or trust list model

11 J&J PKI – Key Uses Remote authentication with hardware token only (VPN using Nortel Contivity client) Remote authentication with hardware token only (VPN using Nortel Contivity client) Authentication to enterprise software (e.g., SAP, Siebel, Oracle) Authentication to enterprise software (e.g., SAP, Siebel, Oracle) Digital signatures to comply with FDA 21 CFR Part 11 (authorization established separately) Digital signatures to comply with FDA 21 CFR Part 11 (authorization established separately) Encryption to comply with Healthcare Insurance Portability and Accountability Act Encryption to comply with Healthcare Insurance Portability and Accountability Act Secure (signed/encrypted) e-mail for clinical trials, financial data, mergers/acquisitions, law department activities Secure (signed/encrypted) e-mail for clinical trials, financial data, mergers/acquisitions, law department activities Automated Lab Instrumentation Management Systems (signatures and encryption) Automated Lab Instrumentation Management Systems (signatures and encryption)

Download ppt "Adoption of PKI Where are we, where should we be, what’s holding us back, and where do we want to go? And: what about authentication vs. authorization?"

Similar presentations

IT Security Policy Framework

IT Security Policy Framework
The World Internet Security Company ID Management in e-Health February 2007.

The World Internet Security Company ID Management in e-Health February 2007.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Basic Banking Services - Activity 1

Basic Banking Services - Activity 1
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.

Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.
Page 1 Issues in and perspectives on electronic authentication of health professionals Pascal POITEVIN Marketing and Communication manager GIP-CPS e-Health.

Page 1 Issues in and perspectives on electronic authentication of health professionals Pascal POITEVIN Marketing and Communication manager GIP-CPS e-Health.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Security Controls – What Works

Security Controls – What Works
1 Johnson & Johnson: Use of Public Key Technology Rich Guida Director, Information Security Rajesh Shah Sr. Consultant, Information Security.

1 Johnson & Johnson: Use of Public Key Technology Rich Guida Director, Information Security Rajesh Shah Sr. Consultant, Information Security.
Polytechnic University of Tirana Faculty of Information Technology Computer Engineering Department Identification of on-line users and Digital Signature.

Polytechnic University of Tirana Faculty of Information Technology Computer Engineering Department Identification of on-line users and Digital Signature.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Johnson & Johnson Use of Public Key Technology Brian G. Walsh Senior Analyst, WWIS.

Johnson & Johnson Use of Public Key Technology Brian G. Walsh Senior Analyst, WWIS.
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
I DENTITY M ANAGEMENT Joe Braceland Mount Airey Group, Inc.

I DENTITY M ANAGEMENT Joe Braceland Mount Airey Group, Inc.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Public Key Infrastructure Ammar Hasayen 2013. ….

Public Key Infrastructure Ammar Hasayen ….

Similar presentations

Ads by Google