PKI is Dead - Long Live Certificates!
Trust has always been one of the key elements in any business relationship.
In the physical world trust is typically represented in the form of a signed contract, binding two or more parties to an agreement. The signature that each party places on the contract ensures the transaction is valid and binding.
As the medium for conducting everyday business shifts from face-to-face contract signing to electronic transactions and digital signatures, global enterprises are looking for a cost-effective and a secure means of meeting this paradigm shift.
Public key infrastructure (PKI) was introduced several years ago to address the issues of strong authentication, confidentiality, integrity and non-repudiation by introducing trusted third parties. PKI produces the means and the procedures to establish a link between certificates and identities, the management of the certificates themselves and validation of certificates. The certificates enable users to authenticate themselves and to sign transactions electronically.
So, putting a PKI in place will solve all the security problems that enterprises have been facing in their quest towards e-business? Unfortunately things are not that simple. Reality has proven over and over again that rolling out a public key infrastructure will not automatically solve all your problems; in fact it may create more problems than it actually solves.
There are a number of reasons for this:
- Rolling out a full PKI implementation is very costly, both from a hardware and from a software point of view
- Setting up a PKI environment is a very time-consuming operation
- Issuing certificates requires very strict certification practice statements (CPS) to be put in place and requires a complete registration authority (RA)
- Certificates need to be managed (revoked, new certificates issued, etc.)
- Certificates need to be validated against different validation authorities (VA)
While digital certificates are widely accepted as the most secure way to fulfill security needs such as authentication, confidentiality, integrity and non-repudiation, investing in the technology required to create these certificates (a.k.a. public key infrastructure or PKI) has proven to be complex and expensive.
It has been well documented over the last several years how many of the PKI implementation projects, even those attempted by companies with substantial IT budgets, have ended in failure. So the question becomes "Is there a way to benefit from certificates without going through the agony of PKI?"
The answer can in part be found in recent statements from several analysts stressing that although PKI is a valuable tool, enterprises should not focus on PKI but rather on the applications that PKI supports. Indeed, the focus of enterprises should be on their applications and on how certificates can add security functionality, not on the complexities of the public key infrastructure. And the way to achieve this is to outsource PKI, to make it someone else's problem, to make it a utility you as an enterprise can tap into on demand.
In such an outsourced PKI model, customers can focus on their business use of certificates and can easily create, renew and revoke digital certificates without having to deploy their own PKI with all the associated technical complexities, as the PKI engine resides with the managed security service provider (MSSP).
Because of the multitude of benefits, more and more businesses and institutions are opting for this model. Even large governmental bodies such as the Belgian government recently selected an outsourced solution to deliver the digital certificates for its eight million electronic identity cards. If the national government of one of the world's top 25 economies, with substantial technical resources at its disposal, decides outsourcing is the way to go for PKI, then it is time indeed for enterprises to consider this alternative.
Not surprisingly, several analysts now expect outsourced PKI to be a high growth market segment, as it provides a pragmatic solution to take advantage of the many recognized benefits of using digital certificates but without having to go through the agony of deploying it in-house.
One of the key benefits of the outsourced PKI approach is a short time-to-market, expressed in days or weeks rather than the usual PKI months, if not years. Outsourcing PKI further removes the uncertainty of cost associated with developing and delivering complex PKI infrastructures. The approach also lowers the upfront investment and allows the number of certificates to grow together with the success of the application. Finally, in-house IT personnel can focus on what is most important to the corporation, the rollout of the application and of the business functionality, with no need to get up to speed on a technology which, although not new, has remained in the realm of brain surgery.
As with all outsourced services it is of course important to work with a reputable vendor who is able to deliver on the service level agreement (SLA) defining the deliverables of the managed service, as well as the response times for each of them and the service credits for non-compliance.
Guy Vancollie is chief marketing officer at Ubizen (www.ubizen.com).