PKI: the key to e-success?

by John Leyden

09 Aug 2000

Public key infrastructure (PKI) systems have to date been pitched as vital to provide the necessary security to undertake ebusiness. But evidence is growing that early adopters are struggling to implement the technology.

The software uses digital certificates to authenticate users and transactions over the internet, but it now appears that the complexity involved in integrating such systems with other enterprise applications is confusing some users and disappointing others.

As the shortcomings of the technology become more apparent, experts are now advising customers to exercise caution when implementing the technology or to wait at least another two years for it to mature.

More than two years after the introduction of PKI, research firm Gartner has discovered that 80 per cent of available products and services are still only being used in pilot projects.

Victor Wheatman, a research director at Gartner, said that companies have been slow to deploy the technology in production environments for a number of reasons. These range from key personnel being moved around as a result of company mergers or reorganisations, to IT staff sidelining PKI projects in favour of less complicated initiatives.

He explained that the problems involved in integrating PKI technology with other applications have led some users to question whether it is worth seeing such projects through to completion.

"Getting the ebusiness system up and running is hard enough without adding the complexity of a PKI project," said Wheatman. "There is also a realisation that access to certificates falls back to user ID and password, and how much is that really worth from a risk perspective?"

Too expensive
Another factor keeping PKI and digital certificates in the test bed is cost. Gartner said that most organisations implement small pilot PKI projects for between $80,000 and $120,000, with the costs being split equally between software licences and professional services. But a full-scale rollout is likely to run to more than $1m.

IDC's latest report - PKI: Nothing But Pilots - paints a picture of users struggling to introduce such offerings into their businesses.

"PKI vendors have provided toolkits and consulting services to assist with integration efforts, but this is a steep road and leaves the customer with the primary integration responsibilities. This strategy may work for very large corporations with extensive resources, but it does not scale well into the mass market," the report said.

And the technology has also come under fierce attack from various security experts.

Bruce Schneier, chief technology officer at Counterpane Internet Security and a noted encryption expert, claimed that ecommerce was already flourishing without companies having implemented PKI systems, and that website providers were more than happy to take online orders without seeing a digital certificate.

"PKI vendors offer a minimal-impact solution: 'Buy this and we will make you secure'. Reality falls far short of this promise," he warned.

But vendors are starting to scale down the hype surrounding PKI. Instead of positioning it as a foolproof solution for ensuring that all online applications are secure, they are now starting to portray the market in slightly more realistic terms.

Malcolm Skinner, product marketing manager at Axent Technology, said: "Organisations haven't even got basic security right yet, and this is fundamental before embarking on an implementation of PKI."

Businesses should also consider which technology, be it authentication mechanisms, biometric or smart card offerings, best meets their needs for online security, he said.

But in the longer term, Skinner believes that 'alternative' technologies based on improved ID and password authorisation are more likely to enhance, rather than compete with, PKI systems.

However, Caelen King, product marketing manager at Baltimore Technologies, said that many organisations are already rolling out PKI systems to either secure their intranets or to conduct business over the internet.

"PKI is a business-enabler and a necessary prerequisite to a secure network. It is replacing technologies like EDI [electronic data interchange], which use dedicated lines and are not cost effective," he said.

Online retailers are also showing interest in the technology, he added, because they resent having to pay credit card companies a percentage of each transaction at a rate they feel is too high.

Changing attitudes
King said that criticism about the relative lack of full PKI implementations was misplaced because the technology was still young. It will take time to be accepted, he claimed, because companies need to make a fundamental shift in the way they operate.

As a result, he said that Baltimore was introducing outsourcing services to make it easier for customers to implement PKI systems, and to make them more affordable for smaller businesses.

Richard Barber, group technical advisor at systems integrator Articon Integralis, said the technology showed promise in areas such as authenticating access for remote users and enabling single sign-on. But he also pointed out that older technologies such as secure tokens could represent a better approach for many users.

"It's far more difficult to deploy PKI technology than people initially thought. People are buying into an enabling framework that doesn't yet have compatible products," he said. "Application developers need to get on board. There's relatively few products that hook into PKIs - even encrypted email is difficult."

Despite these problems, IDC predicts that the market for PKI-related services and products will grow to a cool $1.3bn by 2003. Datamonitor, on the other hand, puts the figure as high as $3.5bn.

IDC believes that the sector will be boosted by the corporate adoption of Microsoft's Windows 2000, which enables users to issue certificates. The company said this is likely to make it easier for businesses to implement PKI systems and will spur the development of PKI-enabled applications.

Price reductions of about 30 per cent per year, and an increase in staff with more experience of the technology, will likewise increase takeup, making the use of certificates in the consumer space widespread by 2001.

The UK government's pledge to ensure that 25 per cent of its services are undertaken electronically by 2002 is also likely to ensure PKI becomes a mainstream part of the business infrastructure.

The proposal means, in practice, that benefit claims and applications for driving licences will be processed online, and signed digitally using PKI technology.

What is PKI?
PKI systems enable users of insecure public networks such as the internet to exchange data securely and privately. The technology provides users with digital certificates to identify themselves or their employers as legitimate when undertaking transactions, and also includes a directory service to enable IT staff to manage the complex information contained in the certificates throughout their entire lifecycle.

Pros of PKI
  • There is no viable alternative
  • Users can trade safely over the internet
  • Makes it easier to undertake complex transactions
  • Outsourcing services are attempting to make it easier to deploy PKI systems and cut costs
  • Nothing wrong with the technology, but requires companies to make a fundamental shift in how they look at security and so will take time to be adopted

Cons of PKI
  • Immature and lacks management tools
  • Different vendors' products do not interoperate
  • Current definitions of what trust means are imprecise
  • Certificates authenticate devices - not people
  • Implementation and rollout is a nightmare
