PKI: A Matter of Trust, Cost

 
 
By Cameron Sturdevant  |  Posted 2000-12-11
 
 
 
 
 
 
 

eWeek Labs, Prudential IT pros test four PKI systems

Nothing rubs the gloss off marketing hype like field testing, and few technologies are more in need of de-glossing than PKI.

In Part 1 of this eValuation, eWeek Labs explained the technology and gave advice on best practices for implementing a public-key infrastructure system. Part 2 gets down to testing.

eWeek Labs went to work with The Prudential Insurance Co. of America to examine products from four PKI providers—Baltimore Technologies plc., Entrust Technologies Inc., RSA Security Inc. and VeriSign Inc.—at Prudential's campus in Roseland, N.J. The company, which uses more than 50,000 computers worldwide, has decided that PKI technology is the best way to secure a subset of its Lotus Development Corp. Notes e-mail system as well as its Nortel Networks Corp. virtual private network.

According to Ken Tyminski, vice president of Prudential's information security office, the company has been evaluating PKI and other secure computing technologies for quite some time. "We're hoping to increase overall security, allowing us to enhance our customer relationships using an e-commerce platform," Tyminski said.

One of Prudential's biggest concerns with PKI is cost. Ed Mann, vice president of network technology, summed it up this way: "The vendors I've seen are charging per user, and that multiplier, in a big company, is a real stumbling block."

We worked closely with Tim Wrobel, Prudential's PKI project manager, to put together an on-site test that required vendors to demonstrate how their product would secure Notes e-mail while also demonstrating the ongoing management of PKI components. Each of the four vendors completed the test requirements, but their methods and success varied widely.

Based on hands-on tests in Prudential's technology demonstration center, we found several factors that organizations should consider when evaluating PKI products.

First, companies should determine if they even need a PKI solution. A great deal of commerce is already being conducted, apparently with some degree of success (if you ignore the stock market and just look at the technology), without PKI. Any browser will likely show that a host of digital certificates is already in place. Buy products from any number of e-commerce sites, and it is probable that a Secure Sockets Layer connection, which uses these certificates and a public key to set up and encrypt communication, can be constructed with no assistance from an integrated PKI product.

Securing e-commerce became even more of an issue earlier this year with the passage of the Electronic Signatures in Global and National Commerce Act. PKI systems are likely to receive more attention as companies strive to secure sensitive information and ensure that signatures are authentic, and that the document or transaction to which they are attached has not been corrupted.

If a company opts for a PKI system, the next decision to make is whether to build it in-house or outsource it. The standard rules apply: In-house developments come with greater control—specifically, certificates can be issued and revoked quickly, and security policies can be tailored to business needs. Outsourced solutions are usually up and running much more quickly—sometimes in a matter of weeks—but with less flexibility and greater long-term costs.

A successful implementation plan won't tolerate the typical budget and staff slashing often seen with other IT projects.

 
 
 
 
Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at cameron.sturdevant@quinstreet.com.
 
 
 
 
 
 
 
