In Through Out Door

Security vendors set to roll out PKI managed services

PKI-based security is heading out the door—literally. If the early years of public-key infrastructure security have been stymied by complex deployments and little interest from corporate IT departments, then the future may belong to vendors such as Baltimore Technologies Inc. and ValiCert Inc.

The companies are each set to announce managed security offerings that promise to knock down many of the roadblocks that have prevented PKI security products from reaching the masses. The companies will announce their respective offerings at next weeks RSA Security Inc. conference in San Francisco.

Baltimores offering, which will expand on its UniCert PKI services, marks a shift from its traditional strategy of selling software outright to hosting it through the further integration of CyberTrust Solutions Inc., the certificate authority Baltimore acquired last year.

"Our customers need a managed PKI service, not just a certificate authority," said Fran Rooney, CEO of Baltimore, of Dublin, Ireland. "The technology is only part of the equation with PKI. You have to understand security as a whole and how PKI fits into that, and thats what we can do. The only question the customer has to answer is how they want us to deliver it."

ValiCert, of Mountain View, Calif., meanwhile, plans to roll out an offering in which it will host and manage a customers entire security infrastructure—from passwords to PKI—in addition to providing digital certificate services. Dubbed ValiCert Trust Services, the offering will include quick deployment of emerging applications, usage reporting, provisioning and delivery assurance and is meant to help companies get their security systems up and running as quickly as possible.

Users said that outsourcing some or all of their PKI deployments takes much of the worry out of working with the technology.

"We definitely thought about doing it ourselves, but we didnt have the experience, and PKI isnt something that you can take lightly," said Steve Karnis, manager of business development at Inc., a New York-based domain name registrar that outsources its certificates to Baltimore. "They know the security technology and have the experience to handle it. We didnt."

Baltimores push into the hosted PKI market comes at a critical juncture in the companys history. A profitable company until about two years ago, Baltimore launched a global expansion plan that saw it open offices in several countries but drained much of its available cash and pushed its earnings into the red.

Recently, two analysts downgraded Baltimores stock after company management said its short-term earnings would be hurt by the slowing U.S. economy. Rooney said, however, that the long-term health of the company was never in question and that he expects Baltimore to turn a profit in the first quarter of next year.

Despite the enthusiasm of many in the PKI community for hosted solutions, some vendors and users still say theres not much future in it.

"PKI is a complex thing, but if you cant handle it in-house, youre probably better off not using it," said one security administrator, who requested anonymity.

RSA, for one, has no plans to move into managed PKI services and intends to focus on more traditional areas such as user authentication via PKI-enabled smart cards and the emerging market for wireless digital certificates.

These types of applications, where PKI technology is transparent to the user, will help reduce PKIs inherent complexity and pull the market along in the coming years, said Scott Schnell, senior vice president for corporate development at RSA, in Bedford, Mass. Schnell concedes, however, that some potential users still arent sold on PKIs benefits.

"The majority of our customers are focused on deciding what applications to use PKI for," Schnell said. "Theres a certain percentage of customers out there who are evaluating [PKI] and dont know what theyre going to do with it."