The PKI Payoff

Public-key infrastructure is a double-edged sword for most agencies. It is a complex technology that is a burden to implement, and it is a tool that powers a wide array of agency applications and services.

With PKI, a third-party entity vouches for the bona fides of two interacting parties. Those parties might be a bank and its card-carrying customer or an agency and its smart card-carrying employees. The vouching is in the form of digital certificates, actually large numbers, issued by a certificate authority to the trusted parties.

Although PKI certificates from different vendors are generally equivalent, agencies have many options to consider before choosing a provider. Agencies might be looking for a supplier of smart cards. They may need hardware such as card readers, or software such as personnel tracking systems. Consulting services can help integrate PKI with existing systems. Indeed, combinations of consultants with different expertise could be necessary to implement various agency applications and services. Technical support and maintenance services are always important considerations.

As with any new implementation, there will be resistance to change, so "management has to organize itself and lead," said Dr. Peter Alterman, assistant chief information officer for electronic authentication at the National Institutes of Health. Alterman is chairman of the Organization for the Advancement of Structured Information Standards' Federal PKI Policy Authority and a member of the OASIS IDtrust Steering Committee.

In addition, although a PKI digital certificate might just be numbers, the infrastructure itself (hardware, software, services) is not cheap. "The actual PKI technology is trivial compared to the budget and management issues," Alterman said.

A key decision for agencies is determining whether the agency or a contractor will administer the PKI system. "IT needs to ask whether they really want to take on the physical security responsibility," Alterman said. This could involve coordinating information technology with human resources and building security to a greater extent than usual.

"PKI is like an electrical outlet," said Vijay Takanti, vice president of security services at Exostar LLC, of Herndon, Va. "Once you have it, you can plug all kinds of apps into it."

For example, federal agencies work with many state and local agencies on an ongoing basis or in emergencies. The Homeland Security Department might partner with state and local law enforcement; federal health agencies could exchange information with hospitals or public health authorities; money might flow among federal, state and local agencies. It would be convenient to identify trusted people, exchange confidential information and allow secure transactions.

Unfortunately, state and local agencies can't use shared-services providers (SSPs). So even though these groups have to work together, they can't use the same PKI system.

They can, however, still use PKI to solve their problems. Providers such as CertiPath LLC, of Herndon, Va., offer bridge services for just this purpose. CertiPath is a joint venture of Exostar, Arinc Inc., of Annapolis, Md., and SITA, of Geneva. CertiPath cross-certifies entities to a common standard, and CertiPath is directly cross-certified with the Federal Bridge Certificate Authority.

Agencies need to think about ways to re-engineer their business processes to take advantage of PKI. Prime candidates for PKI include the activities listed under "PKI possibilities" below.

PKI's potential in securing e-mail is one use agencies find attractive. The Defense Department and the United Kingdom's Ministry of Defence already have such systems. The public key in the recipient's PKI certificate encrypts e-mail on the sending end, and the recipient's private key decrypts it on the receiving end. The process is transparent to users and makes for a new level of secure communications.

Encryption is an obvious application of PKI, but not enough agencies appreciate what PKI-encrypted files can accomplish. An encrypted file is not only unreadable by outsiders but also essentially stamped as belonging to your agency (the stamp comes from the digital signature made with the agency's certificate, not from the encryption itself). Establishing such ownership credentials is valuable.

PKI-based agency applications will attract users and grow larger and more popular. That's why PKI solutions must scale well. If you anticipate deploying solutions at multiple locations, make sure the product can handle that.

Although most agencies will begin by using managed services or an SSP, at some point, many will want to spread their wings and fly under their own power. In the PKI world, that means becoming a certificate authority with the ability to create, distribute and manage certificates. Ideally, contractors should have programs to transition agencies from managed services to in-house responsibility.

The next iteration of PKI is called a public-key environment (PKE). For example, if an operating system and several software applications offer PKI-compatible capabilities already, you have a PKE. It's far simpler adding new PKI-based applications within such an environment because so much support is available.

Many software vendors are quietly adding PKI support to their products. They know that PKI is only going to get bigger.

Plan for PKI success

From scale to service, be ready to answer these questions from your customers.

  • What requirements and mandates does the agency have to satisfy that involve public-key infrastructure? The most common include Homeland Security Presidential Directive 12 and Federal Information Processing Standard 201.

  • What other federal agencies does your customer need to share information or credentials with? What systems, protocols and providers are they using? How would your customer's PKI systems map to theirs?

  • With what nonfederal agencies must your customer share information or credentials? What systems, protocols and providers are they using?

  • What is your experience operating managed and hosted services?

  • What do your service-level agreements cover? What kinds of disaster recovery features are in place?

  • What kind of auditing do you undergo? When was the last audit, and what were the results?

  • What business processes does your customer need to change to implement PKI technology?

  • Do you offer training for new users?

  • Does your customer want to manage the PKI system or should a contractor do it? What are the trade-offs of the different approaches?

  • Will physical security be part of the solution? Who will be responsible?

  • What are the operating system requirements of these solutions? Do operating systems already in use have PKI capabilities?

  • What existing software will PKI be integrating with? Does this software have PKI support? If not, what other software options are there?

  • If the agency is seeking to perform PKI-based information sharing with other agencies, what kind of application interoperability will be necessary? Ensure that vendors use nonproprietary technologies and protocols, which may include:

    * X.509 certificates.

    * Public-Key Cryptography Standards (PKCS #1, #7, #10, #11 and #12).

    * PKIX (CMP, CRMF).

    * Lightweight Directory Access Protocol.

    * Online Certificate Status Protocol.

    * Server-Based Certificate Validation Protocol (SCVP).
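The vouching relationship described at the top of the article, and the X.509, PKCS #10 and revocation-checking standards in the list above, as an added example that is not from the article or from any vendor named in it: a throwaway two-tier PKI built with the OpenSSL command-line tool. The agency root CA signs an employee's e-mail certificate from a PKCS #10 request and publishes a certificate revocation list; a relying party then verifies the chain and consults the CRL before and after the certificate is revoked. It assumes OpenSSL 1.1.1 or later on the PATH (for the -addext option); the "Example Agency" organization, the employee name and all file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): a two-tier PKI run with the OpenSSL
# command-line tool. The agency root CA is the third party that vouches for an
# employee's e-mail certificate; a relying party checks the chain and the CA's
# revocation list. All names and paths are constructed for the example.
set -eu

# Minimal configuration that "openssl req" and "openssl ca" need: the CA's
# issuance database, serial counters, signing policy and issued-cert extensions.
write_config() {
  cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca ]
default_ca = agency_ca
[ agency_ca ]
new_certs_dir    = $1/newcerts
database         = $1/index.txt
serial           = $1/serial
crlnumber        = $1/crlnumber
certificate      = $1/ca.crt
private_key      = $1/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = agency_policy
x509_extensions  = email_cert
[ agency_policy ]
organizationName = supplied
commonName       = supplied
# Extensions stamped on every issued certificate: an end-entity (non-CA) key
# usable for signing and encrypting e-mail (S/MIME).
[ email_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
EOF
}

# Root CA: a self-signed X.509 certificate explicitly marked as a CA that may
# sign certificates and CRLs, plus the empty issuance database.
make_ca() {
  write_config "$1"
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 1000 > "$1/serial"
  echo 1000 > "$1/crlnumber"
  openssl req -config "$1/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
    -days 30 -subj "/O=Example Agency/CN=Example Agency Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Enrolment: the employee generates a key pair and a PKCS #10 request (CSR);
# the CA checks the request against its policy and signs it into a certificate.
issue_cert() {
  openssl req -config "$1/openssl.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Agency/CN=$2" \
    -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
  openssl ca -config "$1/openssl.cnf" -batch -notext \
    -in "$1/user.csr" -out "$1/user.crt" 2>/dev/null
}

# Publish the CA's certificate revocation list (empty until something is revoked).
publish_crl() {
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}

# Mark the employee certificate as revoked in the CA database.
revoke_cert() {
  openssl ca -config "$1/openssl.cnf" -revoke "$1/user.crt" 2>/dev/null
}

# Relying-party check: build the chain to the trusted root AND consult the CRL.
# Prints "valid", "revoked" or "invalid".
cert_status() {
  out=$(openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" \
        "$1/user.crt" 2>&1) && rc=0 || rc=$?
  if [ "$rc" -eq 0 ]; then echo valid
  elif printf '%s' "$out" | grep -q 'certificate revoked'; then echo revoked
  else echo invalid
  fi
}

# Full lifecycle in a scratch directory: issue, check, revoke, re-check.
# Prints the two statuses separated by a space, e.g. "valid revoked".
pki_demo() {
  make_ca "$1"
  issue_cert "$1" "Alice Example"
  publish_crl "$1"
  before=$(cert_status "$1")
  revoke_cert "$1"
  publish_crl "$1"
  after=$(cert_status "$1")
  echo "$before $after"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
result=$(pki_demo "$WORK")
echo "certificate status before and after revocation: $result"
```

The same `openssl verify` call without `-crl_check` would still report the revoked certificate as OK, because chain validation alone never consults revocation data; that is why a current CRL or one of the online status protocols in the list above (OCSP, SCVP) belongs in every relying-party configuration, not only in the CA's.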

PKI possibilities

  • Interagency communication and cooperation.

  • Risk-associated activities, such as identity cards.

  • Confidentiality and privacy concerns.

  • Financial transactions.
Edmund X. DeJesus is a freelance technical writer in Norwood, Mass.