What a difference a year makes.
Hardly 12 months ago, public key infrastructure (PKI) seemed like one of those technologies that was on the way, but definitely not yet arrived. A joke widely circulated in the industry went that people didn’t know how to spell PKI, much less use it.
Now, hardly a year later, every company in the industry seems to claim the technology as its own. The RSA ’99 conference came to be called, albeit unofficially, PKI’s coming-out party. Companies offering PKI and certificate authority (CA) products were suddenly among the success stories of the industry: Baltimore and Cylink went from little-known boutiques to being among the powerhouses of the security industry. VeriSign emerged from relative obscurity to being able to challenge even the U.S. Postal Service and AT&T certificate services as a CA. Companies as diverse as Entrust Technologies and Entegrity Solutions are stalking the streets and winning market share.
Meanwhile, Xcert is making a name for itself in what it calls the "trusted community" market, Bull Worldwide Information Systems is combining PKI with its long established authentication business, and Network Associates Inc. is everywhere. Rainbow Technologies and Vasco are linking PKI with tokens, and IBM links PKI with its own powerful base in commerce computing. And dozens of other vigorous firms and corporations are charging into the business.
Even users seem to know that there is a need for PKI. "People are beginning to understand that they’ve had a false sense of security when using systems such as email," explains Max Goldberg, vice-president of business development at Entegrity. Now, users are beginning to see that "PKI offers some tools that allow them to address their problems." Specifically, he notes, it means things like sender and receiver authentication.
But if PKI is now an industry, is it also cast in stone? The answer, clearly, is no. PKI as a technology and a market is still very, very immature. A state-of-the-industry report for PKI reveals a promising, even gifted child, but one with many long years of school and development ahead.
What does that mean, then, for the security professional?
Swallowing the Elephant
Firstly, contrary to popular opinion, PKI is not even remotely fully formed. It lacks even basic standards by which one vendor’s PKI implementation can speak to another’s. "People need to be educated about this," warns Philip Saunders, vice-president of marketing for Information Resources Engineering Inc. (IRE). "They think a certificate, for example, from one company will work with the infrastructure from any other. This isn’t the case. Many of the companies who are deploying PKI are deploying their own, proprietary PKIs." Which means, he notes, that most public key infrastructures are in fact quite private. "And isn’t that a contradiction in terms?"
Some of the standards and interoperability issues are being addressed right now. For instance, the industry has more or less united behind the PKIX standard for certificate management - something for which IBM Corporation can take some credit, given Big Blue’s tireless support for the standard. But even IBM admits that standards aren’t everything. PKI also needs ease of use.
"PKI is still a bit too visible to end users," notes Mark Greene, Ph.D., vice-president of security, SecureWay Business Unit of IBM. "We are treating PKI as if it were a standalone. We need to move on from that. There is a growing awareness, in the industry, that it has to be built into applications" - where the user doesn’t see it and doesn’t have to deal with it.
Secondly, PKI needs a touch more modularity. Bob Davis, vice-president of marketing at SPYRUS Corp., says, "One of the pitfalls of PKI is that people think they have to buy it all at once." But, he notes, PKI is by definition an 'infrastructure', like a road system, and you don’t normally install complete freeway systems in one fell swoop. "People have the notion that to do PKI you have to swallow an elephant whole. In fact, people need to be able to buy it a little at a time, and grow into PKI."
That’s particularly true, says Patrick Taylor, vice-president of security marketing at Internet Security Systems Inc. (ISS), since not every user or every application needs the same level of security, and hence the same level of PKI implementation. "It is like investing," he says. "Not everything is a Treasury Bill. But that’s all right. Sometimes you just want a Junk Bond. People need to understand their levels of risk."
Finally, PKI, the infrastructure itself, needs infrastructure. That is, while the technology is well on its way to being complete, the foundations that make it possible to deploy are rare in all but the most pioneering end-user sites. The market hype over PKI overlooks "how are people going to get their certificates? How are they going to get their smartcards? That isn’t in place yet," says Sondra Schneider, partner and executive vice-president of business development at IFsec. Some parts of this problem are now being addressed. Recent announcements by Celo Communications address the dearth of solutions for validating digital certificates when implementing PKI; this is a critical component of e-commerce.
The PKI-ification of Applications
What may be most important for PKI, though, is a shift in how it is being perceived. "Customers are very, very confused about PKI," says IRE’s Saunders. "They’re asking about managing it, where to get it … is there a need for it?" And part of that confusion is the fact that PKI is seen as being itself an application … something that you buy for its own sake.
But it isn’t, says Ann Marie Beasely, product manager for Cybertrust Hosting Services at GTE Cybertrust. "PKI is just an element to a business solution," she warns, in spite of the way it is frequently sold, "it isn’t a solution unto itself." Or, to put it another way, "PKI is a powerful enabler," says David Lynch, vice-president of sales and marketing for KyberPASS. "But PKI is an infrastructure. Not an application."
This would seem obvious, but strangely, it doesn’t appear to be. Vendors and even some of their customers continue to treat PKI as though it were something that security people and IT administrators should themselves purchase and install.
They are not the ones who should be concerned with PKI, says IBM’s Greene. "There is a growing awareness that PKI needs to be built into business applications." In other words, the real market for PKI products should be application developers and system integrators at least as much as security people. The market is recognizing this, with companies like Litronic providing developers with tools for integrating cryptographic smartcards through C and C++ programming interfaces.
In fact, many businesses are now developing PKI-enabled applications. But they’re new applications. This would seem to mean that in order to get PKI features, corporations are being asked to buy completely new, PKI-enabled software. "PKI is the default security infrastructure today," says Chris O’Conner, vice-president of sales and marketing for E-Lock Technologies, although "there is a major drawback. People can’t use their existing applications." They have to buy new ones.
This, of course, is expensive. And whenever something is expensive, there’s always an entrepreneur around to offer a low-cost alternative. "Many companies are, right now, trying to figure out how to bolt PKI security on top of their existing applications," says Gordon Twilegar, director of security strategy at Computer Associates Inc. This means an opportunity for tool and framework products (like CAI’s Unicenter) as well as for more specialized offerings that do nothing but allow companies to PKI-ify their existing investments in code. E-Lock is one. Another is Shym Technology Inc., which offers code ('shyms') that you can insert between your applications and PKI. Still a third is KyberPASS, which offers a PKI framework into which applications can fit.
So what is the state of the market for PKI? It’s the classic teenager. Growing too fast. Its clothes don’t quite fit. Its hands and feet seem somehow not to be quite right. And it isn’t quite certain what it wants to be when it’s grown up. "It is a little better understood," notes Ted Barassi, vice-president of Certco LLC. "As a result, you can now talk about a PKI industry … but it is still very difficult to define."
However, he notes, it has enormous promise. The promise is to make e-commerce possible. "What you really want," says Mike Rothman, executive vice-president of Shym Technology, "is to provide a secure platform for e-commerce." That is the real reason for PKI, and its only real justification. "The only way to do it is to leverage public key infrastructure at the application layer."
Which means that PKI has much maturing to do, although adulthood is in sight. And this maturity is promising indeed. "This stuff is great," sums up Mark Tuomenoksa, strategic marketing director of the WAN systems operation at Intel. "It has some soul to it."
PKI: Not for Everybody?
PKI is great, but has it been oversold? Some industry insiders say that, hype aside, not every security application needs or wants one. "If you have an organization with 10,000 users, sure, a PKI makes sense there," notes Tony Rosati, vice-president of marketing for VPN and security product vendor TimeStep. "But, yes, if you’re a small company, with only a few nodes, you can do quite well without PKI by using nothing more than a little encrypted email."
On the other end of the scale, though, where you need both security and heavy-duty management, PKI isn’t enough. For these kinds of applications, you need policy management tools along with PKI. "You need to be able to leverage your investment in PKI," says Jeffery Palmer, senior vice-president of world marketing for TriStrata. "You need to be able to define which application can attach to what, and which files each user can see."