Security Watch

Vendors offer solutions for managing digital IDs

Automation is the key

The launch of several new products last week could make it easier for federal and state agencies to manage the digital IDs needed for the secure exchange of information with citizens and trading partners across the Internet.

Managing digital certificates, which are attached to electronic messages to verify the identities of the people making online transactions, involves many complex steps that systems administrators perform manually. As a result, the tasks of issuing, installing and renewing digital certificates are prone to human error, which can result in costly system downtime.

Not having "the ability to manage certificates has limited lots of things states want to do with citizens and trading partners," said Phil Windley, a consultant and former chief information officer for Utah. Managing certificates issued to police officers in Utah and other states who need access to Utah's criminal justice computer system proved so unwieldy that the task had to be outsourced, he said.

"An automated solution would be an important step" in simplifying the management of certificates, Windley said.

To that end, IMCentric Inc., a software developer based in Provo, Utah, last week released AutoCert server, which automates the process of managing certificates. The AutoCert server resides behind a network firewall, transmitting and receiving data from internal and outsourced certificate authorities via a Secure Sockets Layer connection, said Russell Thornton, IMCentric's chief executive officer.

Using AutoCert, administrators can manage a variety of platforms — such as the Apache Software Foundation's Apache, Microsoft Corp. Windows and Unix — and multiple certificates through a single Web-based graphical user interface or through a command line interface. AutoCert Server has an autoinstallation feature that simplifies the process of issuing certificates. Certificates can be renewed automatically, or administrators can receive an alert and have the option of reviewing and renewing certificates by clicking on an icon.

Officials at PGP Corp. also want to make the secure exchange of information as seamless and easy as possible for users.

The heart of the architecture is the PGP Universal Server, which automatically generates and manages public keys, digital certificates and encryption and decryption techniques. It also provides policy enforcement. The server can operate in two modes: external, which secures all mail entering and leaving an agency, and internal, which secures all intra-agency messages.

With PGP Universal, the company is attempting to "take the burden [of managing security] off the end user," said Phillip Dunkelberger, PGP's president and CEO.

Automation is also an integral part of security auditing these days. Preventsys Inc. recently released a new module called Policy Lab for the latest version of its Preventsys network auditing software. Policy Lab enables corporations and government agencies to encode English-language security and regulatory policies in a machine-readable form to every device that connects to the network.
