Keying in on PKI
How to decide when, where or if you need public key infrastructure
By Jim Rapoza, eWEEK
Your company needs a PKI. At least, that's what you've been told. After all, a public-key infrastructure provides important benefits such as data confidentiality, secure communications and strong authentication. But where exactly will it be implemented? To which users? To how many users? Just within the company or to business partners as well? And just what the heck is a PKI, anyway?
Not surprisingly, many people don't know the answer to that last question, including some of the company executives who are telling your IT department to implement a PKI system. The pilot implementation of a PKI system often fails, mainly because the company implementing it is unclear on critical issues such as where to use the PKI, how to manage it and exactly what to use it for.
Vendors of PKI applications can't be trusted to make things easier. Often their systems are difficult to implement and manage, and deployments drain large quantities of buyers' time and money. And once a system is in place, it is not unusual for company officials to find themselves torn about bailing out, even though the implementation is clearly going wrong.
A technology that is as thorny and misunderstood as PKI is, of course, perfect fodder for an eWEEK Labs eValuation. And in this case, the technology is so complex that we're delivering the eVal in two parts. This first part will serve as a sort of PKI primer, providing explanations, advice and best practices that businesses should follow when considering a PKI implementation.
A recent survey of our readers showed clearly that PKI is a mystery to many IT administrators. Nearly 60 percent of the survey respondents said that their companies had no PKI. Another 40 percent didn't know whether a PKI was in place. Fewer than 3 percent were certain that their companies had implemented PKIs.
The readers raised questions and concerns having to do with complexity, implementation problems, lack of standards and the inability of a PKI to integrate with installed security and communications systems. Several readers indicated they need a basic understanding of the technology: One asked for a "PKI for Dummies" guide. That request sounds as difficult as writing "Nuclear Physics for Dummies," but in this installment we have tried to provide the information that managers need to get a handle on PKI technology.
The ABCs of PKI
As the name suggests, a PKI is an infrastructure for managing public keys: the certificates that bind a public key to a person, server or business, the authority that issues them, and the means to find and revoke them. Anyone who has used a personal encryption product such as Pretty Good Privacy probably has a basic understanding of the public-key cryptography underneath. In a personal system, a pair of mathematically linked but different keys is created when a user first generates his or her profile. The public key is made available, through either mail or accessible directories, to those who need to correspond securely with that person or business; the private key never leaves its owner. Messages and data are encrypted using the public key and then sent to the original user, who uses the private key to decrypt the content. The same pair works in reverse for digital signatures: the owner signs with the private key, and anyone holding the public key can verify the signature.
A corporate PKI system uses the same principles but is vastly more complex. Rather than simply issue pairs of keys, a PKI system has to provide a variety of related capabilities: issuance of keys or certificates (a certificate is the certificate authority's signed statement that a particular public key belongs to a particular person or system), security management, authentication controls, integration with external systems, and recovery of encrypted data when keys are lost. Each of these issues is complex. For example, an ideal implementation will connect the PKI system completely to a user directory, and all changes in that directory will be reflected automatically in the PKI system. However, this is not the case with all PKI implementations, and companies often must maintain separate management interfaces. This means that an employee might be fired and removed from the main directory but still hold a certificate that the PKI, and every application that trusts it, continues to accept. Until that certificate is revoked, and until relying applications actually check for revocation, corporate data is at risk.
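The key-pair mechanics of the previous two paragraphs and the directory-sync gap just described, as an added Go example that is not from the article or from any PKI vendor's product: it stands up a hypothetical in-memory certificate authority (the names "Example Corp Root CA" and "alice@example.com" are constructed), issues a certificate binding an employee's public key to a name, and then shows that after the certificate is revoked, ordinary chain validation still accepts it while a check against the CA's signed revocation list rejects it. Only the Go standard library (crypto/x509) is used; Go 1.19 or later is assumed for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a hypothetical in-memory CA (not a product from the article): it signs certificates that bind a public key to a name and publishes a CRL.
type DemoPKI struct {
	caCert  *x509.Certificate
	caKey   *ecdsa.PrivateKey
	serial  int64
	revoked []pkix.RevokedCertificate
	crl     *x509.RevocationList
}

func (p *DemoPKI) sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, p.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDemoPKI creates a self-signed root CA (constructed name) and publishes an empty CRL.
func NewDemoPKI() (*DemoPKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	p := &DemoPKI{caKey: key, serial: 1}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if p.caCert, err = p.sign(tmpl, tmpl, &key.PublicKey); err != nil {
		return nil, err
	}
	return p, p.publishCRL()
}

// Issue signs a certificate tying the name cn to pub. The CA never sees the matching private key.
func (p *DemoPKI) Issue(cn string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	p.serial++
	return p.sign(&x509.Certificate{SerialNumber: big.NewInt(p.serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, p.caCert, pub)
}

// Revoke is what must follow a directory removal: the serial goes on the CRL, which the CA re-signs.
func (p *DemoPKI) Revoke(cert *x509.Certificate) error {
	p.revoked = append(p.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
	return p.publishCRL()
}

func (p *DemoPKI) publishCRL() error {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(int64(len(p.revoked) + 1)),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: p.revoked,
	}, p.caCert, p.caKey)
	if err != nil {
		return err
	}
	p.crl, err = x509.ParseRevocationList(der)
	return err
}

// ChainValid is where many applications stop: chain to a trusted root plus validity period. It never consults the CRL.
func (p *DemoPKI) ChainValid(cert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(p.caCert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Accept is what a relying party should do: chain validation, then a CA-signed, unexpired CRL checked for the serial.
func (p *DemoPKI) Accept(cert *x509.Certificate) error {
	if !p.ChainValid(cert) {
		return fmt.Errorf("%q: does not chain to a trusted CA", cert.Subject.CommonName)
	}
	if err := p.crl.CheckSignatureFrom(p.caCert); err != nil || time.Now().After(p.crl.NextUpdate) {
		return fmt.Errorf("CRL is not signed by our CA or is stale; refusing to decide")
	}
	for _, rc := range p.crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("%q: serial %s is revoked", cert.Subject.CommonName, cert.SerialNumber)
		}
	}
	return nil
}
func main() {
	p, _ := NewDemoPKI()
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the employee's key pair; the private half stays with them
	cert, _ := p.Issue("alice@example.com", &key.PublicKey)     // constructed identity
	fmt.Println("fresh:", p.Accept(cert), "| revoked:", p.Revoke(cert), "chain valid:", p.ChainValid(cert), "accept:", p.Accept(cert))
}
```

Go's Verify deliberately leaves revocation to the caller, which is why Accept consults the CRL itself; most TLS and S/MIME stacks behave the same way unless revocation checking is switched on. In production the CRL (or an OCSP response) is fetched from the distribution point named in the certificate, and the lag between the directory change and the next published CRL, plus any application that only ever calls the equivalent of ChainValid, is exactly the window the paragraph above warns about.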
Many of the obstacles to implementing a PKI system involve integration. A PKI system can integrate with all sorts of systems and applications: groupware and messaging applications; access control systems; user directories; VPNs (virtual private networks); diverse operating systems; security systems; Web applications; and a host of customised, high-end back-office systems. Integrating a PKI product with a particular array of applications is no easy task. PKI vendors often have third-party deals that enable them, for example, to provide simple integration with one vendor's VPN while offering no shortcuts for tying to rival VPN products.
Not surprisingly, the cost of implementing a PKI can be huge. The software itself is often priced at more than US$100,000, and rollout takes, at the very least, months. Costs escalate if a company seeks to integrate its PKI system with other companies' networks. Another layer of complexity is added, and there is no standard methodology for defining trusted authorities or handling cross-certification.
Setting realistic goals
Many PKI implementations fail because companies succumb to the temptation to integrate the system at too many points. Indeed, a PKI system can be comprehensive, and a list of its capabilities can resemble a tempting menu of goodies for secure corporate computing. It can safeguard all communication transmitted on networks, extranets and intranets. It can also provide single-sign-on authentication and even digital signatures. Companies often decide to overreach and, like the character viewing the menu in "Monty Python's The Meaning of Life," they want it all, with disastrous results.
Any business interested in a PKI system must answer some crucial questions. The first and most important is, "What exactly do we need the PKI for?" A company might eventually want the entire tasty smorgasbord that the PKI vendor can serve up, but administrators must begin by identifying the one or two PKI features that their business cannot live without.
Thorough evaluation might convince some companies that they don't need a PKI. If they are considering one for use with a VPN, they might find that they can get all the security they need from the strong authentication built into most VPNs. If the goal is to provide secure access to Web-based content, a simple certificate server might do the trick. For secure communications with business partners, many service providers offer business-to-business PKI capabilities.
If a PKI system looks like a possibility, the company should consider a pilot implementation with a narrow initial scale and focus. It's important to decide on the size of the initial pilot and identify which users will be included. As PKI expert Angelo Tosi states in his column, confining pilot usage to the IT department is a mistake. A PKI pilot should include employees who are likely to use the system most heavily after full implementation.
After setting the parameters, a business must address essential questions in a written policy. Who will use the system? Who will manage it? What will its scope and reach be? How will the company recover data? Where will the key-recovery mechanisms be that enable management to decrypt data, and who will control access to them?
The PKI vendor or integrator should be able to help formulate a policy, but the buyer must ensure that the final product reflects the company's needs and isn't simply a template copied from several other implementations.
A major investment such as a PKI implementation requires a strong commitment from a business. As a deployment proceeds, pressure from top executives can greatly affect the outcome, whether the executives are skeptical about the need for a PKI or supportive of the project. IT managers involved in an implementation can smooth the rollout process by providing realistic forecasts of the project schedule and the system's capabilities. Project managers also should remind other executives whenever necessary that the PKI will benefit important business units, such as legal departments, human resources and sales.
East Coast Technical Director Jim Rapoza can be contacted at jim_rapoza@ziffdavis.com.
Picking the right security tools
- Certificate server: Well-suited to businesses that want to provide secure access to Web-based content, especially intranets, extranets and portals
- Personal encryption software: Good choice for individuals or small groups of users who need to protect documents and data on local systems
- PKI system: For large enterprises that need to provide controlled document and server security across a variety of applications and back-end systems
- Service providers: Offer much of the functionality of PKI without the implementation overhead but also with less control. Good choice for use with business partners
- VPN: Mostly for businesses seeking nothing more than secure Internet access to company networks