In June 2002 I was interviewed by Computing Magazine. This resulted in a widely quoted headline, “Users must wait for PKI benefits”. Where are we today, seven years later?
A cheap and easy answer would be: “Not much further, actually.” In the spirit of the original article, this statement might essentially be true. PKI is not exactly a subject that you can have a cool discussion about with your friends on Facebook, even if they consider themselves ‘computer nerds’. It is equally hard to sell a CIO/CFO on the fabulous Return on Investment (ROI) that building your own Public Key Infrastructure would give today. Many have burned their fingers during the first wave of PKI. Heck, a PKI sales manager I know well from a competitor confided in me only the other day: “PKI still seems a bit like a solution waiting for a problem.”
I recently joined Verizon Business, one of the four leading PKI solution providers, and for the first time since leaving BT Global Solutions I work again with a service provider that has a choice of PKI solutions in its repertoire. Let’s be honest: when I was with MaXware and we didn’t have such a solution in our toolkit, we used to say, “We will work with any vendor’s PKI. Being based on open standards like X.509v3, CRL, OCSP, etc., we will help you leverage your existing investments in this area.” We made a virtue out of proposing that you needn’t throw all your investments away and build another PKI solution that merely solved the same problem as the one before. This is typically how any vendor will turn ‘not having a product or feature’ into an opportunity: claim it’s a strength, not a weakness!
Actually, I think it is fair to say that PKI today may not be glamorous and may not have lived up to its hype, but it is nevertheless firmly embedded in our core IT infrastructure and giving us benefits like:
Secure communication : SSL & VPN
Secure web access via SSL : server authentication, client authentication, key exchange and encryption
Securing email : authentication, non-repudiation, encryption
and if you are a bit further advanced…
Desktop security : system logon using smartcards, file/folder encryption
Transactional security : application log entries are digitally signed for time stamping and non-repudiation
Document security : Data leakage prevention through signing and encryption, authorization, etc.
Underpinning the security of OpenID, CardSpace, etc.
Today the PKI systems sold and implemented 5-7 years ago are coming to the end of their useful technical life cycle. With hindsight, many systems may have been a little over-engineered and were perhaps never used to generate as many certificates as they were originally designed for. If only a few thousand certificates were generated on a platform designed for hundreds of thousands of users, it’s frankly a bit embarrassing; with hindsight, this level of certificate generation should have been outsourced. And in today’s post credit crunch economic climate, large capex expenditure may not be an option even for big volume PKI users like financial institutions.
The usefulness of certificates rests entirely on trust. A relying party accepts a certificate only because every link above it, right up to a root it has chosen to trust, was issued under controls it is prepared to rely on; compromise one CA key or one issuance procedure and every certificate below that point is suspect. It is therefore as crucial today as it ever was that the chain of trust cannot be broken by an insecure piece of technology, by insecure networks or a lack of procedures and policies, by insecure physical data centres, and so on.
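The chain-of-trust point is easiest to see by exercising it. The following Go program is an added example, not code from the original article or from any vendor mentioned in it; it uses only the Go standard library, generates a throwaway two-tier hierarchy in memory (a root CA, an intermediate CA and a server certificate for the hypothetical host www.example.com, all constructed on the spot, none of them real), and then validates the leaf the way a TLS client would: once with the complete chain, once with the intermediate withheld, once with a leaf from a second, internally consistent hierarchy whose root nobody has chosen to trust, and once for the wrong hostname. Only the first passes; in every other case the path back to a trusted anchor cannot be closed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh key pair for template and has parentKey sign the certificate,
// naming parent as issuer. A nil parent means self-signed, which is how a root CA is born.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate: the CA flag in basicConstraints and certSign usage let it act as a link above the leaf.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildChain generates, in memory and purely for illustration, a root CA named rootCN, an
// intermediate CA beneath it, and a server certificate for the hypothetical www.example.com.
func BuildChain(rootCN string) (*x509.Certificate, *x509.Certificate, *x509.Certificate, error) {
	root, rootKey, err := issue(caTemplate(rootCN, 1), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, err := issue(caTemplate(rootCN+" Intermediate CA", 2), root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return root, inter, leaf, err
}

// Verify does what a TLS client does: build a path from leaf, through the intermediates the server
// offered, to the trust anchor, then check hostname and key usage. Only the anchor is trusted a priori.
func Verify(leaf, anchor *x509.Certificate, host string, intermediates ...*x509.Certificate) error {
	roots := x509.NewCertPool() // deliberately non-nil: a nil Roots would silently fall back to the system store
	roots.AddCert(anchor)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	root, inter, leaf, err := BuildChain("Example Root CA")
	if err != nil {
		panic(err)
	}
	_, rogueInter, rogueLeaf, err := BuildChain("Rogue Root CA") // internally valid, but nobody trusts its root
	if err != nil {
		panic(err)
	}
	// <nil> means the chain was accepted; anything else is the reason it was rejected.
	fmt.Println("full chain to trusted root :", Verify(leaf, root, "www.example.com", inter))
	fmt.Println("intermediate not supplied  :", Verify(leaf, root, "www.example.com"))
	fmt.Println("chain under untrusted root :", Verify(rogueLeaf, root, "www.example.com", rogueInter))
	fmt.Println("wrong hostname             :", Verify(leaf, root, "mail.example.com", inter))
}
```

The rogue hierarchy is the instructive case: every signature in it verifies, the validity dates are fine and the hostname matches, yet the leaf is rejected because the relying party never chose to trust that root. The converse is the uncomfortable part: if an attacker obtains a certificate from any issuer that is in the trusted set, whether by stealing a CA key or by abusing a weak enrolment procedure, the same code accepts it without complaint. Path validation can only ever be as strong as the technology, procedures and physical controls around every trusted issuer.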
This is why I am excited that, as an alternative to DIY PKI, Verizon Business can offer completely outsourced/managed solutions for PKI as well as for other aspects of Identity and Access Management: a managed service which allows customers of Verizon to focus on just the benefits of using certificates. The costs can simply be expressed as an annual price per certificate, without having to incur high capex and operational costs.
Another option that exists now, and that was not available during the first wave of PKI projects, is complete virtualisation of the complex PKI server infrastructure, apart from the one or two Hardware Security Modules (HSMs) that protect the CA signing keys and therefore stay as dedicated physical devices. Through server virtualisation and SANs, expensive computing hardware is far better utilised than it was in first generation implementations.
In conclusion, the glamour of basking in the light of enormous user benefits will probably never come to PKI. No day at the Oscars for PKI. No more standing on podiums gracefully accepting technology awards for enabling new business opportunities and eCommerce. PKI is reduced to the level of the boring core plumbing of our network infrastructures.
However, advances in plumbing techniques also mean that replacing those business critical PKI applications this time around should involve significantly less pain! PKI as a shared service also means that PKI becomes affordable to the long tail of small and medium enterprises that were scared off during the first wave.