PKI: A Matter of Trust, Cost

eWeek Labs, Prudential IT pros test four PKI systems


Nothing rubs the gloss off marketing hype like field testing, and few technologies are more in need of de-glossing than PKI.

In Part 1 of this eValuation, eWeek Labs explained the technology and gave advice on best practices for implementing a public-key infrastructure system. Part 2 gets down to testing.

eWeek Labs went to work with The Prudential Insurance Co. of America to examine products from four PKI providers—Baltimore Technologies plc., Entrust Technologies Inc., RSA Security Inc. and VeriSign Inc.—at Prudential's campus in Roseland, N.J. The company, which uses more than 50,000 computers worldwide, has decided that PKI technology is the best way to secure a subset of its Lotus Development Corp. Notes e-mail system as well as its Nortel Networks Corp. virtual private network.

According to Ken Tyminski, vice president of Prudential's information security office, the company has been evaluating PKI and other secure computing technologies for quite some time. "We're hoping to increase overall security, allowing us to enhance our customer relationships using an e-commerce platform," Tyminski said.

One of Prudential's biggest concerns with PKI is cost. Ed Mann, vice president of network technology, summed it up this way: "The vendors I've seen are charging per user, and that multiplier, in a big company, is a real stumbling block."

We worked closely with Tim Wrobel, Prudential's PKI project manager, to put together an on-site test that required vendors to demonstrate how their product would secure Notes e-mail while also demonstrating the ongoing management of PKI components. Each of the four vendors completed the test requirements, but their methods and success varied widely.

Based on hands-on tests in Prudential's technology demonstration center, we found several factors that organizations should consider when evaluating PKI products.

First, companies should determine whether they even need a PKI solution. A great deal of commerce is already being conducted, apparently with some degree of success (if you ignore the stock market and just look at the technology), without PKI. Any browser will likely show that a host of digital certificates is already in place. Buy products from any number of e-commerce sites, and it is probable that a Secure Sockets Layer connection, which uses the server's certificate and the public key it carries to set up an encrypted session, can be constructed with no assistance from an integrated PKI product.

Securing e-commerce became even more of an issue earlier this year with the passage of the Electronic Signatures in Global and National Commerce Act. PKI systems are likely to receive more attention as companies strive to secure sensitive information and ensure that signatures are authentic, and that the document or transaction to which they are attached has not been corrupted.

If a company opts for a PKI system, the next decision to make is whether to build it in-house or outsource it. The standard rules apply: In-house developments come with greater control—specifically, certificates can be issued and revoked quickly, and security policies can be tailored to business needs. Outsourced solutions are usually up and running much more quickly—sometimes in a matter of weeks—but with less flexibility and greater long-term costs.
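The two decisions above come down to who runs the certificate authority and how fast it can act. The following Go program is an added illustration, not code from eWeek, Prudential or any of the four vendors tested: it stands up a constructed in-memory CA (`MiniCA`), issues an e-mail certificate for a made-up user (`alice@example.com`), validates it the way a mail client or SSL peer would by chaining to the installed trust anchor, and then shows what "revoked quickly" means in practice by publishing a CRL that lists the certificate and re-running the same validation. The CA name, the user, the one-day CRL lifetime and the sequential serial numbers are all assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MiniCA is a constructed, in-memory certificate authority (illustration only).
type MiniCA struct {
	Key        *ecdsa.PrivateKey
	Cert       *x509.Certificate
	nextSerial int64
}

// NewUserKey generates an end-entity key pair; the private half stays with the user.
func NewUserKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewMiniCA creates the self-signed root that relying parties install as a trust anchor.
func NewMiniCA() (*MiniCA, error) {
	key, err := NewUserKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example In-House Root CA"}, // assumed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(10, 0, 0),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key) // self-signed: parent is the template
	if err != nil {
		return nil, err
	}
	return &MiniCA{Key: key, Cert: cert, nextSerial: 2}, nil
}

// Issue signs an e-mail certificate; the CA, not the user, fixes serial, lifetime and usages.
func (ca *MiniCA) Issue(email string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(ca.nextSerial),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().AddDate(1, 0, 0),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	ca.nextSerial++
	return signCert(tmpl, ca.Cert, pub, ca.Key)
}

// PublishCRL signs a revocation list naming the given certificates. Run in-house,
// this is the step that makes a revocation effective as soon as clients fetch it.
func (ca *MiniCA) PublishCRL(number int64, revoked ...*x509.Certificate) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, c := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(number),
		ThisUpdate:          time.Now().Add(-time.Minute),
		NextUpdate:          time.Now().Add(24 * time.Hour), // assumed one-day CRL lifetime
		RevokedCertificates: entries,                         // field name that works on every Go release since 1.19
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
}

// Validate is the relying-party side, as a mail client or SSL peer does it: chain the
// leaf to the trust anchor, then consult a CA-signed, unexpired CRL for its serial.
func Validate(leaf, root *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("crl signature: %w", err) // a CRL the CA did not sign proves nothing
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("crl stale since %s", crl.NextUpdate) // an old CRL hides new revocations
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

func main() {
	ca, _ := NewMiniCA()
	key, _ := NewUserKey()
	cert, _ := ca.Issue("alice@example.com", &key.PublicKey) // constructed user
	crl1, _ := ca.PublishCRL(1)
	fmt.Println("before revocation:", Validate(cert, ca.Cert, crl1))
	crl2, _ := ca.PublishCRL(2, cert)
	fmt.Println("after revocation:", Validate(cert, ca.Cert, crl2))
}
```

The two validation calls at the end are the whole argument for in-house control: the same certificate passes against the first CRL and fails against the second, and nothing but the CA's own key and clock stood between the two. With an outsourced CA the second step waits on the provider's publication schedule, which is the "less flexibility" the text refers to. Note that `Validate` rejects a CRL whose signature does not verify or whose `NextUpdate` has passed; a client that skips either check can be fed an old or forged list and will keep trusting a certificate the CA has withdrawn.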

A successful implementation plan won't tolerate the typical budget and staff slashing often seen with other IT projects.