    Keying in on PKI

    Written by

    Jim Rapoza
    Published December 4, 2000

      Your company needs a PKI—at least, that's what you've been told. After all, a public-key infrastructure provides important benefits such as data confidentiality, secure communications and strong authentication. But where exactly will it be implemented? To which users? To how many users? Just within the company or to business partners as well? And just what the heck is a PKI, anyway?

      Not surprisingly, lots of people don't know the answer to that last question, including some of the company executives who are telling your IT department to implement a PKI system. The pilot implementation of a PKI system often fails, mainly because the company implementing it is unclear on critical issues such as where to use the PKI, how to manage it and exactly what to use it for.

      Vendors of PKI applications can't be trusted to make things easier. Often their systems are difficult to implement and manage, and deployments drain large quantities of buyers' time and money. And once a system is in place, it is not unusual for company officials to find themselves torn about bailing out, even though the implementation is clearly going wrong.

      A technology that is as thorny and misunderstood as PKI is, of course, perfect fodder for an eWeek Labs eValuation. And in this case, the technology is so complex that we're delivering the eVal in two parts. This first part will serve as a sort of PKI primer, providing explanations, advice and best practices that businesses should follow when considering a PKI implementation.

      Next week, in Part 2, eWeek Labs analysts will report on their visit to the offices of a large insurance and financial services company, where we worked with IT staff in a hands-on evaluation of leading PKI systems.

      Click here to read Part 2, “PKI: A Matter of Trust, Cost.”

      A recent survey of our readers showed clearly that PKI is a mystery to many IT administrators. Nearly 60 percent of the survey respondents said that their companies had no PKI. Another 40 percent didn't know whether a PKI was in place. Fewer than 3 percent were certain that their companies had implemented PKIs.

      The readers raised questions and concerns having to do with complexity, implementation problems, lack of standards and the inability of a PKI to integrate with installed security and communications systems. Several readers indicated they need a basic understanding of the technology: One asked for a “PKI for Dummies” guide. That request sounds as difficult as writing “Nuclear Physics for Dummies,” but in this installment we have tried to provide the information that managers need to get a handle on PKI technology.

      The ABCs of PKI

      As the name suggests, a PKI is an encryption system based on keys. Anyone who has used a personal encryption product such as Pretty Good Privacy probably has a basic understanding of how a PKI works. In a personal system, two keys that are linked but different are created when a user first generates his or her profile. The public key is made available, through either mail or accessible directories, to those who need to correspond securely with that person or business. Messages and data are encrypted using the public key and then sent to the original user, who uses the private key to decrypt the content.

      A corporate PKI system uses the same principles but is vastly more complex. Rather than simply issue pairs of keys, a PKI system has to provide a variety of related capabilities: issuance of keys or certificates, security management, authentication controls, integration with external systems, and data recovery. Each of these issues is complex. For example, an ideal implementation will connect the PKI system completely to a user directory, and all changes in that directory will be reflected automatically in the PKI system. However, this is not the case with all PKI implementations, and companies often must maintain separate management interfaces. This means that an employee might be fired and removed from the main directory but still be listed in the PKI, leaving corporate data at risk.
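The directory/PKI mismatch described above can be caught with a periodic reconciliation check. The following is an added example, not part of the original article or any vendor's product; the CSV layouts, column names and sample rows are constructed assumptions standing in for a directory export and a CA certificate inventory.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample data: a user-directory export and a CA certificate inventory.
DIRECTORY_CSV = """uid,mail,status
asmith,asmith@example.com,active
bjones,bjones@example.com,disabled
cwu,cwu@example.com,active
"""

CERT_INVENTORY_CSV = """serial,subject_mail,not_after,revoked
1001,asmith@example.com,2030-01-01,no
1002,BJones@example.com,2030-01-01,no
1003,dlee@example.com,2030-01-01,no
1004,dlee@example.com,2030-01-01,yes
1005,cwu@example.com,2001-01-01,no
"""

def load_directory(directory_csv):
    """Return (all known mail addresses, active mail addresses), lower-cased."""
    known, active = set(), set()
    for row in csv.DictReader(io.StringIO(directory_csv)):
        mail = row["mail"].strip().lower()
        known.add(mail)
        if row["status"].strip().lower() == "active":
            active.add(mail)
    return known, active

def stale_certificates(directory_csv, inventory_csv, now):
    """List (serial, mail, reason) for certificates that are still usable
    (not revoked, not expired) but whose subject is not an active user."""
    known, active = load_directory(directory_csv)
    findings = []
    for cert in csv.DictReader(io.StringIO(inventory_csv)):
        mail = cert["subject_mail"].strip().lower()  # mail matching is case-insensitive
        expires = datetime.strptime(cert["not_after"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if cert["revoked"].strip().lower() == "yes" or expires <= now:
            continue  # certificate is already unusable
        if mail in active:
            continue  # subject is a current employee
        reason = "account disabled" if mail in known else "not in directory"
        findings.append((cert["serial"], mail, reason))
    return findings

if __name__ == "__main__":
    for serial, mail, reason in stale_certificates(
            DIRECTORY_CSV, CERT_INVENTORY_CSV, datetime.now(timezone.utc)):
        print(f"revoke candidate: serial={serial} subject={mail} ({reason})")
```

Each finding is a certificate that would still authenticate or decrypt on behalf of someone the directory no longer treats as a current user, which is the exposure the paragraph above warns about.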

      Many of the obstacles to implementing a PKI system involve integration. A PKI system can integrate with all sorts of systems and applications: groupware and messaging applications; access control systems; user directories; VPNs (virtual private networks); diverse operating systems; security systems; Web applications; and a host of customized, high-end back-office systems. Integrating a PKI product with a particular array of applications is no easy task. PKI vendors often have third-party deals that enable them, for example, to provide simple integration with one vendor's VPN while offering no shortcuts for tying to rival VPN products.

      Not surprisingly, the cost of implementing a PKI can be huge. The software itself is often priced at more than $100,000, and rollout takes, at the very least, months. Costs escalate if a company seeks to integrate its PKI system with other companies' networks. Another layer of complexity is added, and there is no standard methodology for defining trusted authorities or handling cross-certification.

      Setting realistic goals

      Many PKI implementations fail because companies succumb to the temptation to integrate the system at too many points. Indeed, a PKI system can be comprehensive, and a list of its capabilities can resemble a tempting menu of goodies for secure corporate computing. It can safeguard all communication transmitted on networks, extranets and intranets. It can also provide single-sign-on authentication and even digital signatures. Companies often decide to overreach and, like the character viewing the menu in “Monty Python's The Meaning of Life,” they want it all—with disastrous results.

      Any business interested in a PKI system must answer some crucial questions. The first and most important is, “What exactly do we need the PKI for?” A company might eventually want the entire tasty smorgasbord that the PKI vendor can serve up, but administrators must begin by identifying the one or two PKI features that their business cannot live without.

      Thorough evaluation might convince some companies that they don't need a PKI. If they are considering one for use with a VPN, they might find that they can get all the security they need from the strong authentication built into most VPNs. If the goal is to provide secure access to Web-based content, a simple certificate server might do the trick. For secure communications with business partners, many service providers offer business-to-business PKI capabilities.

      If a PKI system looks like a possibility, the company should consider a pilot implementation with a narrow initial scale and focus. It's important to decide on the size of the initial pilot and identify which users will be included. As PKI expert Angelo Tosi states in his column on Page 30, confining pilot usage to the IT department is a mistake. A PKI pilot should include employees who are likely to use the system most heavily after full implementation.

      After setting the parameters, a business must address essential questions in a written policy. Who will use the system? Who will manage it? What will its scope and reach be? How will the company recover data? Where will the backdoors be that enable management to decrypt data?

      The PKI vendor or integrator should be able to help formulate a policy, but the buyer must ensure that the final product reflects the company's needs and isn't simply a template copied from several other implementations.

      A major investment such as a PKI implementation requires a strong commitment from a business. As a deployment proceeds, pressure from top executives can greatly affect the outcome, whether the executives are skeptical about the need for a PKI or supportive of the project. IT managers involved in an implementation can smooth the rollout process by providing realistic forecasts of the project schedule and the system's capabilities. Project managers also should remind other executives whenever necessary that the PKI will benefit important business units, such as legal departments, human resources and sales.

      Details on specific PKI systems, such as how they handle systems integration, will be addressed next week in Part 2 of the PKI eVal. eWeek Labs will describe and evaluate how several PKI vendors tried to integrate their products with the insurance company's messaging and security systems.

      Jim Rapoza, Chief Technology Analyst, eWEEK. For nearly fifteen years, Jim Rapoza has evaluated products and technologies in almost every technology category for eWEEK. Mr. Rapoza's current technology focus is on all categories of emerging information technology, though he continues to focus on core technology areas that include: content management systems, portal applications, Web publishing tools and security. Mr. Rapoza has coordinated several evaluations at enterprise organizations, including USA Today and The Prudential, to measure the capability of products and services under real-world conditions and against real-world criteria. Jim Rapoza's award-winning weekly column, Tech Directions, delves into all areas of technologies and the challenges of managing and deploying technology today.
