Keying in on PKI

How to decide when, where or if you need public-key infrastructure.

Your company needs a PKI—at least, that's what you've been told. After all, a public-key infrastructure provides important benefits such as data confidentiality, secure communications and strong authentication. But where exactly will it be implemented? To which users? To how many users? Just within the company or to business partners as well? And just what the heck is a PKI, anyway?

Not surprisingly, lots of people don't know the answer to that last question, including some of the company executives who are telling your IT department to implement a PKI system. The pilot implementation of a PKI system often fails, mainly because the company implementing it is unclear on critical issues such as where to use the PKI, how to manage it and exactly what to use it for.

Vendors of PKI applications can't be trusted to make things easier. Often their systems are difficult to implement and manage, and deployments drain large quantities of buyers' time and money. And once a system is in place, it is not unusual for company officials to find themselves torn about bailing out, even though the implementation is clearly going wrong.

A technology that is as thorny and misunderstood as PKI is, of course, perfect fodder for an eWeek Labs eValuation. And in this case, the technology is so complex that we're delivering the eVal in two parts. This first part will serve as a sort of PKI primer, providing explanations, advice and best practices that businesses should follow when considering a PKI implementation.

Next week, in Part 2, eWeek Labs analysts will report on their visit to the offices of a large insurance and financial services company, where we worked with IT staff in a hands-on evaluation of leading PKI systems.


Click here to read Part 2, "PKI: A Matter of Trust, Cost."

A recent survey of our readers showed clearly that PKI is a mystery to many IT administrators. Nearly 60 percent of the survey respondents said that their companies had no PKI. Another 40 percent didn't know whether a PKI was in place. Fewer than 3 percent were certain that their companies had implemented PKIs.

The readers raised questions and concerns having to do with complexity, implementation problems, lack of standards and the inability of a PKI to integrate with installed security and communications systems. Several readers indicated they need a basic understanding of the technology: One asked for a "PKI for Dummies" guide. That request sounds as difficult as writing "Nuclear Physics for Dummies," but in this installment we have tried to provide the information that managers need to get a handle on PKI technology.

The ABCs of PKI

As the name suggests, a PKI is an encryption system based on keys. Anyone who has used a personal encryption product such as Pretty Good Privacy probably has a basic understanding of how a PKI works. In a personal system, two keys that are linked but different are created when a user first generates his or her profile. The public key is made available, through either mail or accessible directories, to those who need to correspond securely with that person or business. Messages and data are encrypted using the public key and then sent to the original user, who uses the private key to decrypt the content.
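The key-pair mechanics described above, as an added example written for this primer in Go's standard library (it is not code from eWeek Labs or from any PKI vendor). It generates the two linked keys, encrypts with the public half, decrypts with the private half, and goes one step further than the paragraph by using the same pair for the digital-signature capability mentioned later in the article: the private key signs and the public key verifies. The message text and the names Alice and Bob are constructed for the demo; RSA-OAEP and RSA-PSS are the padding schemes chosen here, not anything the article prescribes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// GenerateKeyPair creates the two linked but different keys the article describes.
// The *rsa.PrivateKey value holds both halves; its PublicKey field is the half
// that gets published through mail or a directory.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt seals msg so that only the holder of the matching private key can read it.
// RSA-OAEP with SHA-256 is used rather than raw RSA so each ciphertext is randomized.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a ciphertext with the private key. A different private key
// yields an error, not plaintext.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign uses the same key pair the other way round: the private key signs a
// SHA-256 digest of msg, and anyone holding the public key can verify it.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify returns nil only when sig was produced over msg by the private key
// matching pub; any change to msg or a mismatched key makes it fail.
func Verify(pub *rsa.PublicKey, msg, sig []byte) error {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

func main() {
	alice, err := GenerateKeyPair()
	if err != nil {
		log.Fatal(err)
	}
	msg := []byte("constructed sample message") // constructed input
	// Bob holds only alice.PublicKey: he encrypts with it and sends the result.
	ct, err := Encrypt(&alice.PublicKey, msg)
	if err != nil {
		log.Fatal(err)
	}
	pt, err := Decrypt(alice, ct) // only Alice's private key opens it
	if err != nil {
		log.Fatal(err)
	}
	sig, err := Sign(alice, pt)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("decrypted: %s\nsignature verifies: %v\n", pt, Verify(&alice.PublicKey, pt, sig) == nil)
}
```

The point to take from running it is the asymmetry: everything Bob needs is public, and nothing he holds lets him read what he encrypted. A PKI adds the machinery (certificates, directories, revocation) that tells Bob the public key he fetched really is Alice's; the mathematics alone does not.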

A corporate PKI system uses the same principles but is vastly more complex. Rather than simply issue pairs of keys, a PKI system has to provide a variety of related capabilities: issuance of keys or certificates, security management, authentication controls, integration with external systems, and data recovery. Each of these issues is complex. For example, an ideal implementation will connect the PKI system completely to a user directory, and all changes in that directory will be reflected automatically in the PKI system. However, this is not the case with all PKI implementations, and companies often must maintain separate management interfaces. This means that an employee might be fired and removed from the main directory but still be listed in the PKI, leaving corporate data at risk.
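The directory-synchronization gap the paragraph above warns about, as an added example written for this primer in Go's standard library (not code from eWeek Labs or from any vendor's product). A toy certificate authority issues a certificate per directory login, a Reconcile pass compares the certificates on file with the current directory and revokes every one whose owner has left, and an Accept check models what a relying system should do: verify the chain to the root and then refuse revoked serial numbers. The CA name "Example Corp Root CA", the user logins and the directory snapshots are constructed; P-256 keys are used only because they are quick to generate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a toy certificate authority: the self-signed root, the certificates it
// has issued keyed by directory login, and the serial numbers it has revoked.
type CA struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	issued  map[string]*x509.Certificate
	revoked map[string]bool
	serial  int64
}

// newCert generates a P-256 key pair and a certificate for tmpl; with signer == nil
// the certificate is self-signed, otherwise it is signed by parent's key.
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates the root of trust that every issued certificate chains to.
func NewCA() (*CA, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Root CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, key, err := newCert(tmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	return &CA{cert: cert, key: key, issued: map[string]*x509.Certificate{}, revoked: map[string]bool{}, serial: 2}, nil
}

// Issue enrolls one directory user. In a real deployment the generated private
// key is handed to that user; this demo only needs the certificate.
func (ca *CA) Issue(login string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      pkix.Name{CommonName: login},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	ca.serial++
	cert, _, err := newCert(tmpl, ca.cert, ca.key)
	if err != nil {
		return nil, err
	}
	ca.issued[login] = cert
	return cert, nil
}

// Reconcile is the directory-to-PKI sync many deployments lack: every certificate
// whose subject is no longer in the directory is revoked. It returns the logins
// revoked on this pass and is safe to re-run after every directory change.
func (ca *CA) Reconcile(directory []string) []string {
	present := map[string]bool{}
	for _, login := range directory {
		present[login] = true
	}
	var gone []string
	for login, cert := range ca.issued {
		if serial := cert.SerialNumber.String(); !present[login] && !ca.revoked[serial] {
			ca.revoked[serial] = true
			gone = append(gone, login)
		}
	}
	return gone
}

// Accept is the check a relying system (VPN, Web server, mail gateway) must make:
// the chain has to end at our root AND the serial must not be revoked. Checking
// only the chain is the gap that lets a departed employee keep authenticating.
func (ca *CA) Accept(cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if ca.revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("certificate %s for %q is revoked", cert.SerialNumber, cert.Subject.CommonName)
	}
	return nil
}

func main() {
	ca, err := NewCA()
	if err != nil {
		panic(err)
	}
	bob, _ := ca.Issue("bob") // constructed user; error handling omitted in this demo driver
	fmt.Println("revoked:", ca.Reconcile([]string{"alice"})) // constructed snapshot: bob has left
	fmt.Println("bob accepted after sync:", ca.Accept(bob) == nil)
}
```

Two design points carry over to a real rollout. Revocation is keyed by serial number, not by login, so a re-enrolled user gets a fresh certificate while the old one stays dead; and Accept fails closed on a foreign root, so a certificate issued by another company's CA with the same name does not chain. Reconcile stands in for the directory hook that an "ideal implementation" wires in automatically; when a product does not offer one, this is the job the separate management interface leaves to an administrator.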

Many of the obstacles to implementing a PKI system involve integration. A PKI system can integrate with all sorts of systems and applications: groupware and messaging applications; access control systems; user directories; VPNs (virtual private networks); diverse operating systems; security systems; Web applications; and a host of customized, high-end back-office systems. Integrating a PKI product with a particular array of applications is no easy task. PKI vendors often have third-party deals that enable them, for example, to provide simple integration with one vendor's VPN while offering no shortcuts for tying to rival VPN products.

Not surprisingly, the cost of implementing a PKI can be huge. The software itself is often priced at more than $100,000, and rollout takes, at the very least, months. Costs escalate if a company seeks to integrate its PKI system with other companies' networks. Another layer of complexity is added, and there is no standard methodology for defining trusted authorities or handling cross-certification.

Setting realistic goals

Many PKI implementations fail because companies succumb to the temptation to integrate the system at too many points. Indeed, a PKI system can be comprehensive, and a list of its capabilities can resemble a tempting menu of goodies for secure corporate computing. It can safeguard all communication transmitted on networks, extranets and intranets. It can also provide single-sign-on authentication and even digital signatures. Companies often decide to overreach and, like the character viewing the menu in "Monty Python's The Meaning of Life," they want it all—with disastrous results.

Any business interested in a PKI system must answer some crucial questions. The first and most important is, "What exactly do we need the PKI for?" A company might eventually want the entire tasty smorgasbord that the PKI vendor can serve up, but administrators must begin by identifying the one or two PKI features that their business cannot live without.

Thorough evaluation might convince some companies that they don't need a PKI. If they are considering one for use with a VPN, they might find that they can get all the security they need from the strong authentication built into most VPNs. If the goal is to provide secure access to Web-based content, a simple certificate server might do the trick. For secure communications with business partners, many service providers offer business-to-business PKI capabilities.

If a PKI system looks like a possibility, the company should consider a pilot implementation with a narrow initial scale and focus. It's important to decide on the size of the initial pilot and identify which users will be included. As PKI expert Angelo Tosi states in his column on Page 30, confining pilot usage to the IT department is a mistake. A PKI pilot should include employees who are likely to use the system most heavily after full implementation.

After setting the parameters, a business must address essential questions in a written policy. Who will use the system? Who will manage it? What will its scope and reach be? How will the company recover data? Where will the backdoors be that enable management to decrypt data?

The PKI vendor or integrator should be able to help formulate a policy, but the buyer must ensure that the final product reflects the company's needs and isn't simply a template copied from several other implementations.

A major investment such as a PKI implementation requires a strong commitment from a business. As a deployment proceeds, pressure from top executives can greatly affect the outcome, whether the executives are skeptical about the need for a PKI or supportive of the project. IT managers involved in an implementation can smooth the rollout process by providing realistic forecasts of the project schedule and the system's capabilities. Project managers also should remind other executives whenever necessary that the PKI will benefit important business units, such as legal departments, human resources and sales.

Details on specific PKI systems, such as how they handle systems integration, will be addressed next week in Part 2 of the PKI eVal. eWeek Labs will describe and evaluate how several PKI vendors tried to integrate their products with the insurance company's messaging and security systems.
