Ebusinesses leave PKI on the shelf

Ebusinesses are wasting money when they buy expensive security technology that they are unable or unwilling to integrate into their systems.

Experts say businesses are being rushed by vendors into deploying public key infrastructure (PKI) technology because they are told it is vital to the future of ebusiness. However, much of the technology gets left on the shelf, because it is either a low priority or too complicated to integrate with existing systems.

PKI technology enables users of a fundamentally insecure public network, such as the internet, to securely and privately exchange data. PKIs provide for digital certificates that can identify individuals or organisations, and a means of managing the complex information associated with the certificates.

Victor Wheatman, research director at Gartner, said 80 per cent of purchased PKI products and services remain in pilot mode and do not go into production. The reasons for this range from IT staff sidelining PKI deployments to tackle less complicated projects, to company mergers or reorganisations resulting in key personnel moving, said Wheatman.

Integrating PKI technology with applications can be problematic, and users, having invested in the technology, begin to question whether the project is worth seeing through, he added.

"Looking back, Year 2000, the euro, VAT and other projects have taken primacy... and getting the darn ebusiness system up and running was hard enough without adding the complexity of a PKI project," said Wheatman. "There is also a realisation that access to certificates falls back to user ID and password, and how much is that really worth from a risk perspective?"

Simon Lofthouse, head of marketing at De La Rue InterClear, which provides outsourced PKI services, said deploying PKI is like deploying enterprise resource planning software, because both require a changes in a company's business process.

"Firms are going exactly the same route with PKI as they did with SAP, and trying to make it a technology issue," said Lofthouse. "They need to link technology to business function and put rules, regulations and processes in place."

Companies are not thinking carefully enough about how technology supports real ebusiness functions and, spurred on by the hype from PKI software vendors, are investing inappropriately, said Lofthouse.

According to analyst Datamonitor, spending on PKI products and services in Europe and the US will grow from $641m in 1999 to $3.5bn in 2003.