Enterprise Strategy Group | Getting to the bigger truth.™

Posts Tagged ‘PKI’

Friday, September 3rd, 2010

Anyone remotely interested in identity management should definitely download a copy of the National Strategy for Trusted Identities in Cyberspace (NSTIC) document. It can be found at this link: .

At a very high level, the strategy calls for the formation of a standards-based, interoperable identity ecosystem to establish trusted relationships between users, organizations, devices, and network services. The proposed identity ecosystem is composed of three layers: an execution layer for conducting transactions, a management layer for identity policy management and enforcement, and a governance layer that establishes and oversees the rules for the entire ecosystem.

There is far more detail than fits in this blog, but suffice it to say the document is well thought out and pretty comprehensive in terms of its vision. This is exactly the kind of identity future we need to make cloud computing a reality. Kudos to Federal Cybersecurity Coordinator Howard Schmidt and his staff for kicking this off.

I will post my feedback on the official website, but a few of my suggestions are as follows:

  1. Build on top of existing standards. The feds should rally those working on things like Project Higgins, Shibboleth, Liberty, Web Services, Microsoft Geneva, OpenID, etc. Getting all these folks marching in the same direction early will be critical.
  2. Get the enterprise IAM vendors on board. No one has more to gain — or lose — than identity leaders like CA, IBM, Microsoft, Novell, and Oracle. Their participation will help rally the private sector.
  3. Encourage the development of PKI services. PKI is an enabling technology for an identity ecosystem but most organizations eschew PKI as too complex. The solution may be PKI as a cloud service that provides PKI trust without the on-site complexity. This is why Symantec bought the assets of Verisign. The Feds should push Symantec and others to embed certificates in more places, applications, and devices.

There will be lots of other needs as well. The document recommends identity and trust up and down the technology stack, but it doesn't talk about the expense or complexity of implementing more global use of IPsec, BGPsec, and DNSSEC. There is also the need for rapid maturity in encryption, key management, and certificate management. Good news for RSA, PGP, nCipher (Thales), IBM, HP, Venafi, and others.

The key to me is building a federated, plug-and-play, distributed identity ecosystem that doesn’t rely on any central authority or massive identity repository. This is an ambitious goal but one that can be achieved — over time — if the Feds get the right players on board and push everyone in the same direction.

What Will Symantec Do Next With Verisign?

Wednesday, August 11th, 2010

Symantec’s acquisition of the Verisign security assets closed earlier this week. This frees Symantec to tell the world what it bought and the role the Verisign services play.

Good thing. Symantec caught a lot of flack for buying a legacy SSL certificates business. In truth, this deal could be much more–a SaaS authentication and PKI offering to broker trust relationships in B2C and B2B transactions.

I believe this could be a very good acquisition, but Symantec can’t assume that anyone other than PKI nerds understand this. To satisfy Wall Street and maximize the ROI on this deal, Symantec must:

  1. Pound home the vision. Symantec hinted at some potential use cases for Verisign when it announced the deal. From now on, it needs to do this more consistently, strongly, and frequently. PKI is a mystery to most people, so Symantec should think in terms of over communicating.
  2. Hint at a roadmap. Where does Verisign fit in the Symantec portfolio? Symantec needs to come out with a statement that details this soon. For example, will Symantec put a X.509 digital certificate in each copy of Symantec Endpoint Protection (SEP) to seed the market? If this is part of the plan, Symantec needs to tell the world when this will happen and why.
  3. Take the message to the channel. Corporate presentations and analyst briefings aren't enough. Symantec needs to get its direct and indirect sales forces on board ASAP. This means sales training, corporate support, incentives, etc.

Symantec needs to prove to the market (and especially Wall Street) that it can back vision and money with execution. The Verisign deal was fairly significant, around $1.2 billion. Symantec needs to execute ASAP to demonstrate that this deal was well thought out and that the money was well spent.

Symantec Moving to Define an Encryption Architecture

Thursday, April 29th, 2010

Today, Symantec announced that it is acquiring two encryption companies: GuardianEdge and PGP. Some will see this as a late counter-punch to Check Point's acquisition of Pointsec, McAfee's acquisition of SafeBoot, and Sophos's acquisition of Utimaco. In other words, Symantec is finally getting in the full-disk encryption game, primarily on laptops.

Wrong interpretation. Symantec does get endpoint encryption technology, but there is a lot more here than meets the eye. In my humble opinion, Symantec also gets:

  1. A killer install base. Between the two companies, Symantec gets a foothold in the enterprise and midmarket across the globe. Symantec also bolsters its federal government business, where encryption is a very big deal.
  2. Encryption beyond PCs. Check Point, McAfee, and Sophos bought good companies, but the focus in all cases is on endpoints–PCs, mobile devices, USB keys, etc. Symantec gets this, but also gains encryption technology for file systems, e-mail, mainframes, etc. This gives Symantec a leg up.
  3. A leading key management platform. A wise man once said, “encryption is easy, key management is hard.” PGP recognized this and built a great key management platform to manage encryption keys for mobile devices, PCs, e-mail, mainframes, etc. Symantec also gets a seat at the KMIP and IEEE encryption standards table.
  4. A PKI-as-a-service play. In discussing these deals, I haven't seen anyone mention the added value Symantec gets from PGP's recent acquisitions of TC TrustCenter and ChosenSecurity. Symantec gets a root CA capable of offering PKI as a service. This is a tremendous opportunity. Symantec can become an identity broker in the cloud for enterprise authentication, B2B trust, consumer identity protection, etc. Imagine what Symantec can do if it ships every copy of its endpoint security software with an X.509 certificate. In my mind, this opens up a whole host of possibilities.

In the next few years, large organizations will realize that encryption technologies have become ubiquitous across the enterprise with no central management. This could be a real problem for data restoration, especially in a disaster recovery situation. At that point, they will look for partners to bring order, processes, and central control to this chaos. As of today, Symantec is extremely well positioned for this burgeoning–and extremely critical–market opportunity.

PGP’s “Under the Radar” Acquisition

Tuesday, February 2nd, 2010

Today, PGP announced that it plans to acquire TC TrustCenter and ChosenSecurity. Never heard of them? You are not alone. Basically, TC TrustCenter and ChosenSecurity provide Software-as-a-Service (SaaS) for Internet-based trust relationships.

Okay, some of you may think that this is simply a way to spin PKI (public key infrastructure) into marketing-speak and you are right to some extent. Why bury the PKI lead? Unfortunately, there is stigma around PKI that has lingered for years. In the past, few applications supported PKI and enterprise PKI servers were simply too difficult to install and manage. Yes, security professionals understand the benefits of PKI, but they were scared to death of it thanks to implementation, customization, and administration horror stories.

TC TrustCenter and ChosenSecurity didn’t change PKI, they simply mastered it and made it virtually transparent to customers. As a result, PKI can be embedded into applications, identities, and systems as a service.

To me, this acquisition has upside potential for PGP far beyond existing business growth because:

  1. PKI may be the perfect SaaS offering: It offers tremendous value without the resource commitment in skills, product acquisition, administration, etc.
  2. What’s one of the things that is broken on the Internet? The element of trust. If I don’t know if a site is trustworthy, how can I be sure if downloaded software will perform as advertised or turn my system into a zombie? The same holds true for systems, individuals, transactions, etc. PKI, if implemented and managed correctly by a trusted third-party, can help address this problem.
  3. In my humble opinion, PKI as a service will be baked into a lot of things in the future (like cloud computing, for example).
  4. I don’t know how much business PGP does with the U.S. federal government or other national governments now, but it just put itself in a position to do a heck of a lot more.
  5. Finally, when we encrypt most of our data in the future, someone will have to manage millions of net new encryption keys. PGP is now in a position to act as a key management or key escrow service.
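Item 2 above, and the Symantec post's idea of shipping an X.509 certificate with every copy of endpoint software, both come down to the same mechanism: a relying party trusts a root CA, and therefore trusts signatures made under certificates that CA issued, for the purposes the CA wrote into them. The following Go example is added here to show that mechanism end to end; it is not code from PGP, TC TrustCenter, ChosenSecurity, Symantec, or the original post, and it uses only Go's standard library. It builds a toy root CA, issues a code-signing certificate and a client-authentication (device) certificate from it, signs a constructed installer payload, and then verifies the download the way a client would. All names are hypothetical and the payload bytes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity pairs a certificate with the private key behind it.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue certifies a fresh P-256 key. With ca == nil the certificate is self-signed (a root CA);
// otherwise ca signs it. purposes becomes the extended key usage of an end-entity certificate.
func issue(ca *identity, serial int64, name string, isCA bool, purposes ...x509.ExtKeyUsage) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name}, // hypothetical names throughout
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           purposes,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	parent, signer := tmpl, key // self-signed unless a CA is given
	if ca != nil {
		parent, signer = ca.cert, ca.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &identity{cert: cert, key: key}, nil
}

// sign is the publisher's side of code signing: ECDSA over SHA-256(artifact).
func sign(id *identity, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, id.key, digest[:])
}

// verifyDownload is the relying party's side: the signer's certificate must chain to a root
// in the trust store and be permitted to sign code, and the signature must match the bytes.
func verifyDownload(roots *x509.CertPool, signer *x509.Certificate, artifact, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signer not trusted: %w", err)
	}
	// CheckSignature hashes the artifact with SHA-256 itself before the ECDSA check.
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, artifact, sig); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	return nil
}

// runScenarios builds the toy PKI and reports which downloads a relying party accepts.
func runScenarios() (map[string]bool, error) {
	mk := func(ca *identity, serial int64, name string, isCA bool, p ...x509.ExtKeyUsage) *identity {
		id, err := issue(ca, serial, name, isCA, p...)
		if err != nil {
			panic(err) // the toy PKI failing to build is a bug, not a verification result
		}
		return id
	}
	root := mk(nil, 1, "Hypothetical Trusted Root CA", true)
	vendor := mk(root, 2, "Hypothetical Software Vendor", false, x509.ExtKeyUsageCodeSigning)
	// The "certificate in every endpoint" idea: same CA, but issued only for client authentication.
	device := mk(root, 3, "Hypothetical Endpoint Agent", false, x509.ExtKeyUsageClientAuth)
	// An attacker's own CA, which no relying party has chosen to trust.
	rogue := mk(mk(nil, 1, "Rogue CA", true), 2, "Hypothetical Software Vendor", false, x509.ExtKeyUsageCodeSigning)
	roots := x509.NewCertPool()
	roots.AddCert(root.cert)
	artifact := []byte("constructed sample installer bytes") // constructed, not a real binary
	cases := map[string]*identity{"genuine": vendor, "tampered": vendor, "rogue_ca": rogue, "wrong_purpose": device}
	results := map[string]bool{}
	for name, signer := range cases {
		sig, err := sign(signer, artifact)
		if err != nil {
			return nil, err
		}
		payload := artifact
		if name == "tampered" { // the signature was made over the original bytes
			payload = append([]byte("malicious prefix "), artifact...)
		}
		results[name] = verifyDownload(roots, signer.cert, payload, sig) == nil
	}
	return results, nil
}

func main() {
	res, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"genuine", "tampered", "rogue_ca", "wrong_purpose"} {
		fmt.Printf("%-14s accepted=%v\n", k, res[k])
	}
}
```

Running it prints which of the four cases a relying party accepts: only the genuine download passes; a modified payload fails the signature check, a signer under a CA outside the trust store fails chain building, and the device certificate fails because its extended key usage does not include code signing. That last case is the practical caveat to the "certificate in every endpoint" idea: what a certificate may be used for is fixed by the CA at issuance, so a device or authentication certificate does not by itself become a code-signing or identity-broker credential.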

I could go on and on, but I won't. I've always been one of the few fans of PKI, so PKI as a service brings out the excitable geek in me. Obviously, some of the folks at PGP share this enthusiasm.

Education Will Take A Leadership Role in Cloud Computing

Friday, December 18th, 2009

While the technology industry is ga-ga over Cloud Computing, corporate CIOs seem less enthused. Early indications from ESG’s 2010 IT Spending survey indicate that cloud computing initiatives and priorities are near the bottom of the list. Why? Security and compliance concerns, lack of control, and technology immaturity top the list of issues.

So does this mean that cloud computing will be a no-show in 2010? Not at all. Cloud computing won’t gain widespread deployment, but we will see pockets of interest from bleeding edge companies and vertical industries. After doing some preliminary primary research, I believe that education will be one industry where cloud computing is poised to take off. Why?

  1. Universities are already on board. According to Educause, about 20% of universities have already moved to a SaaS model for e-mail. This isn't limited to small schools; Clemson University, which has nearly 20,000 students, switched from webmail to Gmail several years ago. Many schools are also embracing or considering Google Apps.
  2. Universities have a long history of academic cooperation. Whether through regional consortia or technology, colleges and universities have long built cooperative relationships with other institutions. For example, the first node of the ARPANET, the Internet's precursor, was installed at UCLA, and the first packets traveled between UCLA and SRI (the Stanford Research Institute). Faced with tax revenue deficits and budget issues, university systems have a tremendous financial incentive to build shared cloud computing facilities. Alternatively, leading institutions could recoup investment in HPC research computers by selling excess cloud capacity to smaller institutions.
  3. Universities have the right identity infrastructure in place. Many schools have already built strong central identity management platforms using open standards around Web Services, Liberty, SAML, and XACML. Additionally, universities have been strong adopters of federated identity technologies such as PKI and the InCommon federation. This identity infrastructure is necessary for central cloud services authentication, which is absolutely crucial for privacy, compliance, governance, and chargeback billing.

In addition to these factors, universities are notoriously lean when it comes to IT, therefore provisioning a service/application makes a lot more sense than provisioning IT technology infrastructure and then provisioning a service/application.

Finally, cloud computing will not be limited to higher education alone — actually, it is a perfect fit for K-12 as well. States could establish and run central cloud computing services for schools, eliminate the need for local IT and tech support, and level the computing playing field between rich and poor school districts.

In summary, cloud computing infrastructure, platforms, and applications fit education like a glove. Universities are already on board, so expect some of the most aggressive and creative cloud implementations to be based on campus. State and local governments that can overcome the political and compliance boundaries around cloud computing will also become leaders in cloud computing deployment and likely progressive educational programs as well.

© 2010 Enterprise Strategy Group, Milford, MA 01757