PKI still mired in pilot mode

This, the year of the security breach, has brought unprecedented acceptance of security products. All but one.

PKI (public-key infrastructure) two years ago held the title of most promising security technology. But in the battle to become a staple of IT security, PKI has fallen behind intrusion detection, anti-virus software and e-mail filtering and is in danger of becoming "forever pilotware," said Chris King, an analyst at Greenwich Technology Partners Inc., in Stamford, Conn.

A PKI system gives users secure electronic keys, or certificates, to authenticate and encrypt transactions over the Internet. But with several pilot projects failing or stalled, the technology could become irrelevant if vendors don't create a common PKI standard while making the technology easier to use and less expensive.

The latest casualty: a multimillion-dollar, 30,000-certificate system at NASA's Ames Research Center, in Moffett Field, Calif. The project has been cut back severely and could be killed altogether, sources said.

"I think we anticipated the scope of the project but probably underestimated it; it's taking some months longer than we thought," said an engineer at Ames who requested anonymity. "The vendors need to get their acts together and get interoperability straight."

Flunking out

Another pilot program, at the University of California-Davis, is officially "on hold," said Wes Hardaker, the manager of distributed computing who worked on the 40,000-certificate project for students and faculty.

"I haven't touched the topic in a while," Hardaker said. "We did the proof of concept, but certificates in general, they're just not supported yet."

Stuart Cohen, manager of systems and security at Children's Hospital, in Boston, is running a small PKI pilot for doctors and insurance companies (see story, eWeek, May 8, Page 52).

But Cohen's experiences with that pilot persuaded him not to use PKI for another in-house project dealing with chemotherapy.

"The technology is too immature for us," he said. "We evaluated PKI systems for the project, and that evaluation helped in that it really exposed many of the holes or lack of completeness with PKI."

The holes are well-documented and not unusual. Foremost, standards are lacking. The PKI X.509 effort, which would do for PKI what the IP Security standard did for virtual private networks, is stalled, hindered by a heavier-than-normal dose of vendor politics.

"Where are standards? Far behind because of snafus, disagreements and a lot of dissension," said Frank Bernhard, an analyst at Omni Consulting Group LLP, in Davis.

Cost has been a big issue as well. The immediacy of intrusions and viruses makes spending in those areas a priority, sapping security funds that might otherwise be used for PKI deployments. Bernhard, who is about to publish a report on the economics of security, said a typical PKI pilot program costs 30 percent to 48 percent more than what is planned for.

The biggest hurdle to PKI acceptance, however, remains application integration. Many IT managers say they'd have a much easier time justifying investments in PKI if the technology were built into major applications, such as e-mail and browsers.

Even the U.S. Patent and Trademark Office, which runs a successful PKI deployment, believes application integration needs to improve.

"We've learned PKI is not a destination, it's a process," said Arthur Purcell, senior computer scientist at the USPTO, in Arlington, Va.

The office just issued its 1,000th certificate and claims to save $200 per patent application when filers use the PKI system. "From the point of view of application integration, it was a challenge," Purcell said.

Then there's the monkey on every IT department's back: management. PKI management is so underdeveloped that it makes it hard to accept the technology, Cohen said.

PKI vendors, for their part, acknowledge the obstacles to growth but remain bullish. One of those vendors, Baltimore Technologies plc., for example, last week beat market expectations with record second-quarter earnings and a smaller-than-expected loss.

"It's still maturing, but I think we've shown it can be done," Purcell said. "It looks to me like we're right at the turning point."